Analysis

  • max time kernel
    9s
  • max time network
    13s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-07-2023 09:08

General

  • Target

    https://ci3.googleusercontent.com/proxy/X9PN6nFGUuHaH_X34R9tnmTiaAsKRt180ga1cEjz7Xj4Uo1BkoUHrF542JfoV52NJyzs1msRqLW9_0LDyY1D84M22dPe98cm2oleuKsEGp_8_y9puhNF57KbpxZEROW6uWq1SSVnW3QyWlzS2T1-DhzDyUpALE075PuGxkfIbzacTg-gNwc_i-pLrUx8ysXSF5Bho0C0Uks9aRt8ag=s0-d-e1-ft#https://docs.google.com/uc?export=download&id=1jPr35CJM0b6ACZOV6P45s-XXT8gjHxQb&revid=0B9NJWQVr6u-_Y05Xc2sveHNEL1BINU9ZSDV3eVdMbTRRMFdnPQ

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 15 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ci3.googleusercontent.com/proxy/X9PN6nFGUuHaH_X34R9tnmTiaAsKRt180ga1cEjz7Xj4Uo1BkoUHrF542JfoV52NJyzs1msRqLW9_0LDyY1D84M22dPe98cm2oleuKsEGp_8_y9puhNF57KbpxZEROW6uWq1SSVnW3QyWlzS2T1-DhzDyUpALE075PuGxkfIbzacTg-gNwc_i-pLrUx8ysXSF5Bho0C0Uks9aRt8ag=s0-d-e1-ft#https://docs.google.com/uc?export=download&id=1jPr35CJM0b6ACZOV6P45s-XXT8gjHxQb&revid=0B9NJWQVr6u-_Y05Xc2sveHNEL1BINU9ZSDV3eVdMbTRRMFdnPQ
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3860 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:712
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3244

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1Y0EG8YX\unnamed[1].png
    Filesize: 2KB
    MD5: 98cb56119c3f1190121fc3de78d535d7
    SHA1: 63aae26f107b0ffdab7feb208670057373ab749d
    SHA256: 35efa31984d7b5661e1f8f7814096fd78018ff475927a33d445605b2fa26394a
    SHA512: dcfe420a9ad932da3d743eebd43a30c46e4aac31b9ca3befda6c86c26dc88f39524478742c57971dab9c5edddd6c6de1d94420842cc6fa4cd39d218721278505

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PQKW7621\unnamed.png.40xgm7x.partial
    Filesize: 2KB
    MD5: 98cb56119c3f1190121fc3de78d535d7
    SHA1: 63aae26f107b0ffdab7feb208670057373ab749d
    SHA256: 35efa31984d7b5661e1f8f7814096fd78018ff475927a33d445605b2fa26394a
    SHA512: dcfe420a9ad932da3d743eebd43a30c46e4aac31b9ca3befda6c86c26dc88f39524478742c57971dab9c5edddd6c6de1d94420842cc6fa4cd39d218721278505