d47b7fa3aefaeb13c5b2e64d2cefbd28547a174f9b9c2e9088e3cd62bb7a043d

Analysis

max time kernel
142s
max time network
129s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

011de65380c475d38c3dde775aa3c45e.exe
Size

367KB
MD5

011de65380c475d38c3dde775aa3c45e
SHA1

17c8d50703ff8381e718885d59ff5f6c780d8255
SHA256

d47b7fa3aefaeb13c5b2e64d2cefbd28547a174f9b9c2e9088e3cd62bb7a043d
SHA512

83eb5da955bffc33f9a1e036a12324cf89bde1873d3e877f0029344fe967836aa8ad4cba0f1230b4fd9ca94c94ff9078a29bcd3e25afdbff1d89d03815c2484a
SSDEEP

6144:7sHh8ML8tJC3Qxi7TJMRfMnGkwJrQUQ1ms3TX8LMaQ+SpLYlArz6YHXGt5:7sB8M8to3tWMGkwJ81n9J+Sp0lAy6e5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2212	G_Server2007.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D78848C1-A26D-11EE-8CEC-72515687562C}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D78848CC-A26D-11EE-8CEC-72515687562C}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D78848C1-A26D-11EE-8CEC-72515687562C}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D78848C3-A26D-11EE-8CEC-72515687562C}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\G_Server2007.exe	011de65380c475d38c3dde775aa3c45e.exe
File opened for modification	C:\Windows\G_Server2007.exe	011de65380c475d38c3dde775aa3c45e.exe
File created	C:\Windows\G_Server2007.DLL	G_Server2007.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 4035049a7a36da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 604ef8997a36da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C48D062-E9A6-48ED-BF12-72AC95E7AD25}\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C48D062-E9A6-48ED-BF12-72AC95E7AD25}\WpadNetworkName = "Network 3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e7070c00000018000f0005001200440302000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e7070c00000018000f0005001200a20300000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-7e-ec-6f-a0-b7	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-7e-ec-6f-a0-b7\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e7070c00000018000f0005001600030002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	G_Server2007.exe
Token: SeDebugPrivilege	2608	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2212	G_Server2007.exe
2212	G_Server2007.exe
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 3048	2212	G_Server2007.exe	30
PID 2212 wrote to memory of 3048	2212	G_Server2007.exe	30
PID 2212 wrote to memory of 3048	2212	G_Server2007.exe	30
PID 2212 wrote to memory of 3048	2212	G_Server2007.exe	30
PID 3048 wrote to memory of 3060	3048	IEXPLORE.EXE	28
PID 3048 wrote to memory of 3060	3048	IEXPLORE.EXE	28
PID 3048 wrote to memory of 3060	3048	IEXPLORE.EXE	28
PID 3048 wrote to memory of 2608	3048	IEXPLORE.EXE	29
PID 3048 wrote to memory of 2608	3048	IEXPLORE.EXE	29
PID 3048 wrote to memory of 2608	3048	IEXPLORE.EXE	29
PID 3048 wrote to memory of 2608	3048	IEXPLORE.EXE	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\011de65380c475d38c3dde775aa3c45e.exe
"C:\Users\Admin\AppData\Local\Temp\011de65380c475d38c3dde775aa3c45e.exe"
1⤵
- Drops file in Windows directory
PID:2360

C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
1⤵
- Drops file in System32 directory
PID:3060

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\G_Server2007.exe
C:\Windows\G_Server2007.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\G_Server2007.DLL

Filesize
577KB

MD5
c5b6bf4c0c8d6ec82c7b4b1ec4b4c726

SHA1
a6e1a98eecefe9f1bf8bdaa14648a3384494be6c

SHA256
c329bb6281de68340405d5ee9639905078a3d6c3a71f822c5e4bcc5c889204f7

SHA512
ad10c490d0a6d985b8b26a09d30935a218c00e06c9f0279c716d95c2cc41ec22d8417bbaeedcd3bf76ca535560963199c4c91729eaacb024ba40f2e69f39a145

Download Submit
C:\Windows\G_Server2007.exe

Filesize
45KB

MD5
dada68101fbf6d3e9250add70193ccec

SHA1
beb20492d87d98f132af755c94fdc88b484cbabd

SHA256
148adc70cf3ee49777595b4389759f8b3656f4b5270dc9dc036843e2d45d1419

SHA512
5736a2e0254c2aae47f4969256da1ffc91b44e25359823365bfac2a4faf2313f3c70f387fb12579ede184fc4a4d088d3f1298aa8cf429b63ac4b8e1e671c4e64

Download Submit
C:\Windows\G_Server2007.exe

Filesize
29KB

MD5
31f2f53ef1f2fbe1300c63abc583a8e4

SHA1
3064ac538440eec62cf1de2c41f0bfb244ce31ea

SHA256
99abb2835d20154851276f40c668bbbd6c319352526fca279ed2b9431cd7f0ea

SHA512
e8095e7daee4f4968ab725c7ce09d6febf09e5e07be29f8ba349a7f8b1fa7fabc3d8b864384e59e77b24e4c9f923e4b68dc0f6092c2ea1e8ccef9dafef36c5cd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
4ca22c9ed0b0acec160f04739da2f723

SHA1
12056d80d8c93b22c30728da93828403228debb4

SHA256
4235d7e0bccf98064125725b7dceb065e09fa4f41e5e52f12564fa7d2e186729

SHA512
7a4873bb0eb3d04d14e88fa2352628b74546ff66f011aaa14267733d743583add6482070316962ddbf49a1c4da34f55fa7ca77558650835582d2b6ab5c62ad04

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff984048e49278286086f3f3742e8c7c

SHA1
f351340f3f3adb13343a3f8f3f2e14c9dd413f7e

SHA256
aeca9309058dbda89b8e734cc798eec94188208f26bf54c1729ea25fd072801f

SHA512
fabb1694617375e48012e155f45c5bec9992142d59d152bd5d6cca96e8daeecc32168f29e1269ead52d96d05f5fc6fa95aecbb55563292a8bd84961a2e536ef6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a640e239bb43edd1a39375e7d68f41d

SHA1
33959c666ec355dc6dde6d6a77cbda87c4050935

SHA256
6f97a21263cd6d74a668bcdc97f20168a9a340a12c8cd06ca64c605bf49c4a92

SHA512
2fae914232d847c76de93bcb91ec4ce94890e55c11d4ba8414e6835bb4280384119a2c49c322e84c8f3cb23b3d0ea69b95aab8735ab0a1afad85921ec2454a21

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01d930f1f48b6f73d576ccdd1748f060

SHA1
d9fb76ecaa1a2663639189fdf8827ece2ecebd8b

SHA256
4dce42482e114f837095632f860d4659eae73436437f07c1ed79b4bb76f45c05

SHA512
53572688cfe5d08f023d24b46d0c9e5b175145a8fcb473674752c1a22ccc5ce7b07359bdde868cfee104ed2317d58bc2ab2209ed746c0a6f05dd9e6378e9a5e4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cfb848c891e1adda865370d3858891cf

SHA1
9675e53472e7eafa7c22f415ced30e05e9f63cea

SHA256
8852870c0e1328e329051b3437872dbf573c047afb539739f6e4d0d09a081b3b

SHA512
246952c7b70890c7fa3a7686c80157a645f61cdff7c8ebcbd6ec508661b799aab834aa34a81bd01610fbe23229330ffd9dc9e4e80c33db8d384cdc7b09213f92

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
178947c516d3a91370772a22152a7d1c

SHA1
34d51df58db25480607f1299367de29fd722c8c7

SHA256
58cd191dd5e0c4b6917ed56a7fefc5a7a183768a51e0d4541cf77daa1cea776c

SHA512
78b4bae8b8b844f8641f54be2d768d2369cc313b18053be0b7d73af6162d8be17abcd9dca9662eec5b8a0e170a58b606cf0b884463cabe51d07c0e550a6a46a6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ed7b40df30f611e5379df8fed233b58

SHA1
986ebfd085ecd4aaa18c0ba6f08c7a1e47adf0f1

SHA256
0f30ba6426673d64c755cfd65ee0040aec3d621d13ce0443266072dec68f6d52

SHA512
f9ff5d460fdbcff1816deb5aaced88e5ddc72022022fefd6e9db0233f9156d50a1410132cce74b82554433a35e3f2487aa6dff7827696726093f007a60f5ee38

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8ad28b3a32dcb3db22f98ddb03ad535

SHA1
f737215ede204b7115f95c1d79e64e72999fcd55

SHA256
da763eba51e9e62ea3a784b7d5c4a9031cb9fae3dadfeb7e74157efcca473f97

SHA512
989daf127db9e127ff662ec4707ef97fca5b2842bc0521187800514dde79d044eea0ad0e311765e19d3c907bfd53b9bc8941a8aa18de31e6e1176d35047f8b5c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66d2fc96e0c283864f888cdf6427a63e

SHA1
65ae2b6da4bbd9d924caed9b092be425a8e34d75

SHA256
30186af470f07d7f58de853e8a53b609ff6e064af152736d21dde836e9878d87

SHA512
1a7de22611d9a388aa7a96dd24bfe9976657814b8546da1b5ce9aaa8106fc0697a20d63a51aab72ff23bd48d327aaf59b178d6db8c62ee53e34b95750f61589f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54528067f7b101efe379c95887dd039d

SHA1
8d7c11314c28fe6dd5a8ef62db54d74133f58a2d

SHA256
b536912a8edaf84e6e01a478c4ef44a9442fcb165fc4f95c60af93ed25b1632c

SHA512
d7ba3e1c655689161afabb20c2d54bfafca92b0a8189de19fbf050d2ac610b36c899c02d78840e43f3ab5d455e04b06b8efac48d7ae2db2513c1a6293bab39ba

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
bcfc9ab9560671a14fac50bdb8c4a3f4

SHA1
7e8d488c875450f9eed1ee3f46c39aa7c0dd5057

SHA256
94ed1a53462609beca2ca0d7877a2caeb934e71d290119b7ee29085acc1372c2

SHA512
275a5dee5451669edb82a1c0403c1578c5cb8309ad80809373f8306a97bd928d26f00a6feb361f7c584fb9b6b2b61ea554451e51833467cdd6f74e9c6ece8350

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
54b3f5a6d638f306fa3db7f4356fa623

SHA1
5004f04772d89e359fbbedb2309edccea7b2b5c9

SHA256
3b68665fcc234d5a0fbe82b2dc5b60359dbe8c83bf112bd6a9efa1fc47bfb554

SHA512
84942679185fb5156a53aae370b251140fcca600e7826d2c4140bf7e13f3f888038e12f734a18eed566740036ca16b883db99bf758c59cacfa36bfb5121dc6da

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab30E6.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar36F5.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Temp\www1BDA.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www1BDB.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/2212-688-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2212-93-0x000000007772F000-0x0000000077730000-memory.dmp

Filesize
4KB

Download
memory/2212-90-0x0000000002350000-0x00000000023E7000-memory.dmp

Filesize
604KB

Download
memory/2212-6-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2360-2-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2360-8-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2360-0-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2360-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download