0096e8a3f0d0a2f1e4397bf726e5518974288810ad191fbd6a276e843988bd85

Analysis

max time kernel
66s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4221985218b9b82f6d71d3a44d4c75c4.exe
Size

3.6MB
MD5

4221985218b9b82f6d71d3a44d4c75c4
SHA1

80a6008350af9ba2923cc08a58bae867d4b2d081
SHA256

0096e8a3f0d0a2f1e4397bf726e5518974288810ad191fbd6a276e843988bd85
SHA512

2cee327084f26569e8bbfbaa2fa0ab5d9881ccfccee00d8426c49ec85d5231c6fe55a2993f9bbc1011668f9146b31d16b9f52f57e88b0331b11d2e8ee6f5b570
SSDEEP

98304:u1vqjfSwkHQHaHgYziyGbpvMLuU5lFevYG/wbX7Jyz9gbi:uVqgHOVvqLz5lAvYwCYKbi

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\p:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\r:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\g:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\i:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\k:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\l:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\m:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\n:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\b:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\e:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\v:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\w:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\j:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\q:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\x:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\y:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\z:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\a:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\h:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\u:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\o:	4221985218b9b82f6d71d3a44d4c75c4.exe
File opened (read-only)	\??\s:	4221985218b9b82f6d71d3a44d4c75c4.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000400000-0x00000000004B1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB6AE3E1-A444-11EE-A497-46361BFF2467} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f120000000000200000000001066000000010000200000007a2cd4f3dc9f54a2f8df9833f11f5ad47cd84c8f3f331113ba1ecedfcb741154000000000e80000000020000200000002b35da7dbb8721a839126a60b87dcef29d1ec46b7cf77fdf72d30e5fe5e4e14120000000f5bccd9da9e62ccc9c8e160f8ae5b604559ae68f105087e93b5a1542dbbb0332400000007ac6ed9814771d08118b25aff4537683554769a899ac309e73a2c07692be38088ae28520128d2320f680d74c698b23f9182bcbed8e0be2e98106f07735ada176	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f120000000000200000000001066000000010000200000007976c518bf9f453dcd95e5f6009eb5e7529dbe39fb39310cb36b42457d995384000000000e8000000002000020000000f227963db482132792df69276d0564ccee0c27c18bd8a39610f537065c025a5990000000fbe5c485dd8ebb448404322d5a3b4a4536b23931638e0521a53b9261d19ae27bf6153f600abe2657a22114b25590a5694e460ebf4d43fcacf289b4e539f6636542b960e9b84fadd179a739ef7d6fa856e2af5245065a572a4ce0b7deb5f5bdb09ab22a226c6d5477921591e07d14584c58841492861af3308f7f6a566f2fd63b51487172646c96c15cc54a7e46958579400000003237a71c89ef149b394c61a252cb9b614ec6cdf66dc73abfbf4ae6a6c13ed9d23f1231c8ccd0ef9b62026baa48eaa00910ae78a3fa7a45385542cccb7fde8603	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	4221985218b9b82f6d71d3a44d4c75c4.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a3df915138da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB6ABCD1-A444-11EE-A497-46361BFF2467} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ku122.com"	4221985218b9b82f6d71d3a44d4c75c4.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2548	4221985218b9b82f6d71d3a44d4c75c4.exe
2548	4221985218b9b82f6d71d3a44d4c75c4.exe
2548	4221985218b9b82f6d71d3a44d4c75c4.exe
1684	IEXPLORE.EXE
3004	IEXPLORE.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2548	4221985218b9b82f6d71d3a44d4c75c4.exe
2548	4221985218b9b82f6d71d3a44d4c75c4.exe
2548	4221985218b9b82f6d71d3a44d4c75c4.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3008	2548	4221985218b9b82f6d71d3a44d4c75c4.exe	21
PID 2548 wrote to memory of 3008	2548	4221985218b9b82f6d71d3a44d4c75c4.exe	21
PID 2548 wrote to memory of 3008	2548	4221985218b9b82f6d71d3a44d4c75c4.exe	21
PID 2548 wrote to memory of 3008	2548	4221985218b9b82f6d71d3a44d4c75c4.exe	21
PID 2548 wrote to memory of 1092	2548	4221985218b9b82f6d71d3a44d4c75c4.exe	20
PID 2548 wrote to memory of 1092	2548	4221985218b9b82f6d71d3a44d4c75c4.exe	20
PID 2548 wrote to memory of 1092	2548	4221985218b9b82f6d71d3a44d4c75c4.exe	20
PID 2548 wrote to memory of 1092	2548	4221985218b9b82f6d71d3a44d4c75c4.exe	20
PID 3008 wrote to memory of 3004	3008	iexplore.exe	17
PID 3008 wrote to memory of 3004	3008	iexplore.exe	17
PID 3008 wrote to memory of 3004	3008	iexplore.exe	17
PID 3008 wrote to memory of 3004	3008	iexplore.exe	17
PID 1092 wrote to memory of 1684	1092	iexplore.exe	16
PID 1092 wrote to memory of 1684	1092	iexplore.exe	16
PID 1092 wrote to memory of 1684	1092	iexplore.exe	16
PID 1092 wrote to memory of 1684	1092	iexplore.exe	16
PID 3004 wrote to memory of 2568	3004	IEXPLORE.EXE	19
PID 3004 wrote to memory of 2568	3004	IEXPLORE.EXE	19
PID 3004 wrote to memory of 2568	3004	IEXPLORE.EXE	19
PID 3004 wrote to memory of 2568	3004	IEXPLORE.EXE	19
PID 1684 wrote to memory of 2676	1684	IEXPLORE.EXE	18
PID 1684 wrote to memory of 2676	1684	IEXPLORE.EXE	18
PID 1684 wrote to memory of 2676	1684	IEXPLORE.EXE	18
PID 1684 wrote to memory of 2676	1684	IEXPLORE.EXE	18

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.34wg.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2676

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.baiasp.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2568

C:\Program Files (x86)\Intern~1\iexplore.exe
"C:\Program Files (x86)\Intern~1\iexplore.exe" http://www.34wg.com
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Program Files (x86)\Intern~1\iexplore.exe
"C:\Program Files (x86)\Intern~1\iexplore.exe" http://www.baiasp.com
1⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\4221985218b9b82f6d71d3a44d4c75c4.exe
"C:\Users\Admin\AppData\Local\Temp\4221985218b9b82f6d71d3a44d4c75c4.exe"
1⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b5016c193c961bb5341875f54da7c8c4

SHA1
3c37838fdd738fc4f4305308f877bddbd81801a5

SHA256
869db3c6e451c7f6c4daadc092935434fc9925dd2a9082825033a50858ac2265

SHA512
08cf9f01ad2313f6a9c2d77c078693bbd220877bc7e2741e3d5010d42b90448bc92c2f539309d48e2a7c58c310f81eff3852ef7e89e47a04913303c2309426f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
80078d7ce0d2f7c8e4c4c4175d3b4cb8

SHA1
53403b58ded9572329ea709ec3199cb8ae9f7c21

SHA256
f87648eabe30286a5452c5f6b1d19acd9454d1849bec77b848185058b80c334e

SHA512
9175072207ed5eab40e64fc6d2164cec58d5fb7cf66382d69a7f9496587fcac8bea8533556189f0f6210770e500f7afcc950d85d1946287ab18aa08c68c9ea04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f4c9bf463fc6f5086d99a502c841e786

SHA1
60971e0dea53f12dc0d7c5624c14344d1be3c428

SHA256
dc3cccbb0df6f58d4a5353b9750e2980e5c6ddaea4aa4fca5346eaf50345e256

SHA512
d3c80d03c566ca357f8a430366e1f649a89519631453255f4f9b537688e061cd1a927d92cd7c6cae55168f6cfff0b8fe4ad64864b7ef0261ab538bcd83e88130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BB6ABCD1-A444-11EE-A497-46361BFF2467}.dat

Filesize
5KB

MD5
1ff938e19e843371643255f0c3b2d005

SHA1
5e951508d6b6657f43fd52ca30e4927121269882

SHA256
2938cf193aca3ebe83ad32a134b9602e24f494687ee155990f86ea726ddac0d8

SHA512
d2dbb603b857dd73a68b5c97ca4abce0b1e48a625dac47c7a661ba0ab3b7ab0456a2dce1e712c189679496ac4f367ad2184920d2598f35a0dd5f26361e8379bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BB6AE3E1-A444-11EE-A497-46361BFF2467}.dat

Filesize
5KB

MD5
8be7d25da5b6d11aaeac5252ddd2956d

SHA1
9db9ac86466cd6fe0ef9a65fd261d3b2b1feb27c

SHA256
55db10627e1ea127e762b7175f93c4b6650c408570318c7a4c75d5e4ac1bebdb

SHA512
fa5e7a9b8d671ba9a67dda50c67161e718dcd578d2baa437230d24530c145e754eac51197c85f0b264264e3bd331c726db3d3d319d6f1b5156b7f66022ccafc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3BFD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2548-0-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads