Analysis
-
max time kernel
142s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system -
submitted
04-10-2023 21:58
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230831-en
General
-
Target
file.exe
-
Size
356KB
-
MD5
3ef6d0d9ca0bc4b00d304ee370853a4c
-
SHA1
a188652de504e6e53a0f1560fcdd315a409d1ad1
-
SHA256
8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23
-
SHA512
42b7375dca8da5c1cfa65bc0b8aef15155a5fea8ef1199ea0cd874693b3bd98d01d4cb4b38ed0fd7ef549ad8121ceea6c1d6c462d757793e3f21ceea0fcfbc5b
-
SSDEEP
6144:rUyuwgfYypdScEGyH2VXisEYvo1JwgeDsizp7qdq:rUyuwgfYgSiyWVXzEYvoXwgeDseH
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2080 set thread context of 2340 2080 file.exe 29 -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000a43c214c0fc9a500856de778f73eba397283e8cc18765c6ca1f04a59d0807b3f000000000e80000000020000200000000f85f4081423efe620d19b2fc2127af4a59fa307026bad55ac660deffb0f10b52000000013954b0828e983c4c1c127e9696fa02166584fbae7a9eb9cc569d87930ba0a1f40000000f776f38c3984088f00fc1d8b962f0607ef08072d8d25aa199b97b91762e2acdc3daf39fbcbc0170512f801cc979b01bf76f8a01a831303d55af1cf8f79484cb1 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key 
created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{389AE341-6301-11EE-A2FB-D2B3C10F014B} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00c8660e0ef7d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402618607" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2080 file.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2616 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2080 file.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2616 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2616 iexplore.exe 2616 iexplore.exe 2876 IEXPLORE.EXE 2876 IEXPLORE.EXE 2876 IEXPLORE.EXE 2876 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2080 wrote to memory of 2872 2080 file.exe 28 PID 2080 wrote to memory of 2872 2080 file.exe 28 PID 2080 wrote to memory of 2872 2080 file.exe 28 PID 2080 wrote to memory of 2872 2080 file.exe 28 PID 2080 wrote to memory of 2340 2080 file.exe 29 PID 2080 wrote to memory of 2340 2080 file.exe 29 PID 2080 wrote to memory of 2340 2080 file.exe 29 PID 2080 wrote to memory of 2340 2080 file.exe 29 PID 2080 wrote to memory of 2340 2080 file.exe 29 PID 2080 wrote to memory of 2340 2080 file.exe 29 PID 2080 wrote to memory of 2340 2080 file.exe 29 PID 2080 wrote to memory of 2340 2080 file.exe 29 PID 2080 wrote to memory of 2340 2080 file.exe 29 PID 2340 wrote to memory of 2616 2340 aspnet_wp.exe 30 PID 2340 wrote to memory of 2616 2340 aspnet_wp.exe 30 PID 2340 wrote to memory of 2616 2340 aspnet_wp.exe 30 PID 2340 wrote to memory of 2616 2340 aspnet_wp.exe 30 PID 2616 wrote to memory of 2876 2616 iexplore.exe 32 PID 2616 wrote to memory of 2876 2616 iexplore.exe 32 PID 2616 wrote to memory of 2876 2616 iexplore.exe 32 PID 2616 wrote to memory of 2876 2616 iexplore.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe "C:\Users\Admin\AppData\Local\Temp\file.exe" 1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe" 2⤵ PID:2872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" 2⤵
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0 3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2 4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2876
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 c3658394596a97707e8ca666cdc37150
SHA1 9df35805b3d80cdddc5c86cefe78ee183dafffb9
SHA256 c69e27e70564a7f12f9e023a5a904e64c40a4d843fd06fb2ac423eec2a6e4353
SHA512 029fe4269dcdd37684bbfef0e2dcb66debd0b12972803dc1b0104d7a2e71b00cc9daff44e4550c00b815434250aa71406ade10e9d16a1b46ee4f725b717f6679
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 f0686258990267280e214ef807fcf0d8
SHA1 47c2c123ef43a69791fa141a4d2a1050f703805a
SHA256 9fa46fdb9333f5901ccd57fd796de272f03ecd1ef2d790a163ae55a33a2ad45f
SHA512 03476181134d6cad1de53604b025bb348174c3a4b6339b8d8bac1ecd30326f3e4b3e849a68355767f98bc736051044b89f02936367f5cc9e7da8cb9138d1e9db
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 f67508fc1da526ec704076dbe2e82612
SHA1 7dd1217d7d6df40d78b5e0d92e59a454898c93e0
SHA256 f69034dc8e48e0973f7935389ccf6d1fe6d2bbe9cb365662f87baed7770d209a
SHA512 2e1a35453f6a3c16c922dbedf012498ce29bbf2b2c7257e86598074022683379d30fc82b986f2b05ed6f04d998e87ded2a64e91e2dc77225fdae28730852efeb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 0bb56be15b7fbfecfe8fb5da54e3fadf
SHA1 878e299804a9a5a6e2e8835d6c712499b2d96665
SHA256 1c13e3300f48939551daa00b3f6e60f041fbb6b36dddefd6ee511b2d7ef46055
SHA512 f801f4e73f0900f65f32f30a2037c0a949f8dd5f33d604cf5a1cbd9643db700461bf466765a6acea81fdf3bf315aa3644f58ca7a549497942a7a982570639a07
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 8ce73842ade2333ed4a8c517027a976e
SHA1 54a8fe75f431260caab0b48399e264617aee2de8
SHA256 2cb0e990388a2be8d295d044003c312b4510f544d26f38e072e61fa57c056500
SHA512 48c4f4d1562b932b40311a54785a70c0dfd49248267ab8a9f610fc4715778693a15861080db9db66cad0ef0b22f70dc6300f3d68277d87674512036ff6147402
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 e76e76490360eff21cde774c69a73987
SHA1 162b6d783e8e7221798e8acc1d495df6df8f5e56
SHA256 1b9713c6580b2ddc82edb9ea438f758dd3ba62f9f41eb40760ae9a87028ca8d8
SHA512 c782af31dd0aa9c5ef00c22f82df709c5093eae9d5b5448bb2aeeac4596b139281d74179c2a8ae5642d5e9b78287fa18006f127a3d09fa559e85027d510dfbb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 9b1f1bca2207e7ca8ce02158768cf7d0
SHA1 ea275ce9275967130fe6fc1e07dfc82cedb0c2eb
SHA256 eceb5dd639c115f726afbc1f07b75950124ec542b905d6bb6c5922f5c98cf3d2
SHA512 2db0f86981f407d42f8ce94415ef75b81c6a278df8f1e69cab6ef7d00d1e1515ead448f1d7b43e21c55f76f5df2f9c2e1e186c1907098acc49fba5dd335d1d1b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 f9c390b04ec933422fc05273bb5a2c98
SHA1 1e60a761b9c062efd267385fe64888e8d933d50b
SHA256 3be17abf552f4a75614bce09b258db0241fb5a28268adc33b060052fb627b8bf
SHA512 ed16ae64c29db84e8846fbcdc73accc6238bb546daf1822b20b85e42f8e32a315fbecd985980cc985410205adf05d3164916c9137d7329483476ac17362446f2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 43369c6dbaefb2a09f6c0e025d8e04f9
SHA1 8e3ec8f8d5e570db8a2d47fb4c2c9cf1999f6add
SHA256 4f66b012d6c3c2ee911eed3d4720b643be942eb53c3582447ebcd585fe893dd8
SHA512 68cf6c300d644deed1ea87608aa791089af8dd1ec08924428878c0d5fbb8ad9b5cbe68bba217b1c9ef31fb861c3451b648161dee6ac402c4d09e5b0130d5a1d0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 7b78f50d7a96a30b940713846b98189e
SHA1 a6829b97dad487df1d76033ae5b799593259eeed
SHA256 6aac2302c9857f101a53c24fce68f1aed84c4367fdf4f739317add4779e9dcaa
SHA512 cf51011b1d7f80ac1d1d44bab15537e0de36958e91910779c7f64c0ab1d31d7c6068a6f7091f4afce66514b8ad88c4f89b48812a1676e1566aff994ffaefa843
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 f6f7a23a341ad9d70bad7b8e60fd776b
SHA1 1171501aff2634900bcd66c49727eb0e9f1e3437
SHA256 d55804ca5f2bbc2013a91c3a091008dab2eddb16a23cde67f414895c988b2788
SHA512 2c99a998d28480225297f9767d5d38a6bac592449fcdb45ed3af47517c6f17b5c51c487e5835e5d9d4d30317f14b774967f9470f3491d709b0a87fe1127c14f5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 8cecdea177b04ef802af3622c0923ac4
SHA1 cf58d65d7cdabb89c1146361727ad9c78a453039
SHA256 18ff201317fd03e8c7e290a1a5004eaefdc47cb8aac3e127a288f8b8f34f7a2c
SHA512 5d1ee1648794b7d495cb902e99b8a1a0a89687b4e7122239685621c74d18b32a4305ba55114221b6fee1ee7847662e086c3f64575bf01a7f1110d1eed9ef2cb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 5ca6c514b1b7433ab14fcd02f1ff3e3f
SHA1 28d48a159461b782a4cc681a47c23692ec7c2851
SHA256 94adaa3baded04f64490178e83a205d9ee31f1056e70d104459e4bdc7ca83c19
SHA512 f8b085a70eedf6ce01f2db9bd3eeef3769aeab09c536553a3e8ed92f11cdb3b73baeea1ee122d13850a3d363328f438064a43dec6da928025fb93b7419d06499
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 eba0cb93c1fd19c4e053e5748fadce0d
SHA1 b36870aa834902e6c85f56eb2db6d69a1553ef8c
SHA256 90bf0e88418fbb73bdf7f330bdcc62a6a577dfbd9c7851948046908565b53e57
SHA512 edd270e111fe665dfea278e62cc8178d87d9b6d54d17baf4b12364505acb133900be326197e8a8a20763eadc145482c134792adf3c76fcc637edd7eac17d40a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b49571e8de7b0ac408ca0378365e34df
SHA1 429f5052409661f00a6d4ddefe076e7a470d7110
SHA256 2bc2aaae8afe9e3923991fe9a451de76eac99b682e053aa286fddb692eef5cb2
SHA512 c6f3875ee81abb5a352f986e0b45468eb049bbd0deb50e707fb98a9950da26df6b670f579ee3f369c207f2c6a91cbb389f191960b30ee219b3856ff660b48f7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 2d3dc06c601f06cc1b127440cb3daaa3
SHA1 3821353e232cf0cf36868a8807b9b950ae0b50d0
SHA256 16bba4639072bbfb1e3b7558fac5dea3b9f3b844b2fa0b5539e978f552ed537c
SHA512 9046095c9c758ba371423bb21a10cf187962d84368ab71f95579bb5a5c03bd64b911b1f6d2ea6623b70d64822b21440fad50816eb63c0542d7db19da97ff63dc
-
Filesize
61KB
MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf