c1a45bdc92603be48874c52d1a57b578db278ca01c99d46d98b188d4548838ed

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d142a2d0c9a9a2820323464be875332.exe
Size

416KB
MD5

1d142a2d0c9a9a2820323464be875332
SHA1

1708e85304e77337f53f08289e5af0d4357906ec
SHA256

c1a45bdc92603be48874c52d1a57b578db278ca01c99d46d98b188d4548838ed
SHA512

aa9afd9b014b6526cc611b263640ce8bfd8ff1eeef67bdc874522dec9ba8f42fa4fca4e55c0d59037dc65eaa1137f5011cf30ba4f8a3b5646c5240fd89045061
SSDEEP

12288:qxgZBoUuPlYjX6iRTSzDChhWCr7tR+wKlCpBU:RLoUuNYjX6cyChtntCld

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2356	SVCHOST.EXE

Drops file in System32 directory 43 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A3CFA671-A3CD-11EE-8495-CEEF1DCBEAFA}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A3CFA673-A3CD-11EE-8495-CEEF1DCBEAFA}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A3CFA671-A3CD-11EE-8495-CEEF1DCBEAFA}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A3CFA67C-A3CD-11EE-8495-CEEF1DCBEAFA}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SVCHOST.DLL	SVCHOST.EXE
File created	C:\Windows\uninstal.bat	1d142a2d0c9a9a2820323464be875332.exe
File created	C:\Windows\SVCHOST.EXE	1d142a2d0c9a9a2820323464be875332.exe
File opened for modification	C:\Windows\SVCHOST.EXE	1d142a2d0c9a9a2820323464be875332.exe
File created	C:\Windows\SVCHOST.DLL	SVCHOST.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1992	2356	WerFault.exe	28

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7288216-B859-480E-AE6F-6710CF1FA1A7}\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e7070c0002001a00090003002300ef0002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "9ay4f9q"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 1004d866da37da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	SVCHOST.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409743525"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e7070c0002001a00090003002600be02	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Connection Wizard	SVCHOST.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2316	2356	SVCHOST.EXE	29
PID 2356 wrote to memory of 2316	2356	SVCHOST.EXE	29
PID 2356 wrote to memory of 2316	2356	SVCHOST.EXE	29
PID 2356 wrote to memory of 2316	2356	SVCHOST.EXE	29
PID 2208 wrote to memory of 2812	2208	1d142a2d0c9a9a2820323464be875332.exe	30
PID 2208 wrote to memory of 2812	2208	1d142a2d0c9a9a2820323464be875332.exe	30
PID 2208 wrote to memory of 2812	2208	1d142a2d0c9a9a2820323464be875332.exe	30
PID 2208 wrote to memory of 2812	2208	1d142a2d0c9a9a2820323464be875332.exe	30
PID 2208 wrote to memory of 2812	2208	1d142a2d0c9a9a2820323464be875332.exe	30
PID 2208 wrote to memory of 2812	2208	1d142a2d0c9a9a2820323464be875332.exe	30
PID 2208 wrote to memory of 2812	2208	1d142a2d0c9a9a2820323464be875332.exe	30
PID 2316 wrote to memory of 2816	2316	IEXPLORE.EXE	31
PID 2316 wrote to memory of 2816	2316	IEXPLORE.EXE	31
PID 2316 wrote to memory of 2816	2316	IEXPLORE.EXE	31
PID 2316 wrote to memory of 2744	2316	IEXPLORE.EXE	33
PID 2316 wrote to memory of 2744	2316	IEXPLORE.EXE	33
PID 2316 wrote to memory of 2744	2316	IEXPLORE.EXE	33
PID 2316 wrote to memory of 2744	2316	IEXPLORE.EXE	33
PID 2356 wrote to memory of 2316	2356	SVCHOST.EXE	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1d142a2d0c9a9a2820323464be875332.exe
"C:\Users\Admin\AppData\Local\Temp\1d142a2d0c9a9a2820323464be875332.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2812

C:\Windows\SVCHOST.EXE
C:\Windows\SVCHOST.EXE
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    PID:2816
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 224
  2⤵
  - Program crash
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SVCHOST.EXE

Filesize
416KB

MD5
1d142a2d0c9a9a2820323464be875332

SHA1
1708e85304e77337f53f08289e5af0d4357906ec

SHA256
c1a45bdc92603be48874c52d1a57b578db278ca01c99d46d98b188d4548838ed

SHA512
aa9afd9b014b6526cc611b263640ce8bfd8ff1eeef67bdc874522dec9ba8f42fa4fca4e55c0d59037dc65eaa1137f5011cf30ba4f8a3b5646c5240fd89045061

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
5acdaa542014704d0e945fbed9f395f7

SHA1
ad1b315edfbf7af3a1d9bc7e1608695e4cc19fb6

SHA256
7421f4eee2a57e07a218e9d3b3e6fe09b049cb8ff5f5fa9ebe7f04c2e18e1da4

SHA512
41b0802947370c0ea846ec5dc4b6affdd32c4ca7547fe45fa891310cc76239ad25e18b6cd43e9a95dae26b6f61504ca1a73eb7650519a39e4515508676d4e3d5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63a23047c8cab22f091d210772a4b772

SHA1
5239f6f7b44c5ac9ea60f4af4760a5d5821ca173

SHA256
bbf4e4b30862acfed3301b2fc05becedc28c2bcf2d91e0de3b2ebacd73197f44

SHA512
ef22cc9d45c2dd65a5529991173fcf3d30570435971d0b1af710fd4b82fe71ca6e6d5b218d1e31a76a47c1713404bba45ba03403115ee5abb7a1f8f96e6c4083

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48fc1da8e0058ae4e09696671f9ea33d

SHA1
f9d472f7432c37c0aaa7025b4ad525e1fb6b17fd

SHA256
2f7761e20d8d448c0baf9092f3c745bd500819f750ee9ea9063dafb77913cfaf

SHA512
c8c5a61a1708cdc047eafa613081df28b9b1705a6df4566b175875bdc520a782c744a7d44d0c0f87d4a1d61afdb67ce360be2baa477f313554a53c9ff92feeee

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6bf74a7435373489687ec08c16c622bb

SHA1
95ce2ce7c278fdfad2f0cd3b8591a9ec6ffd85b8

SHA256
e58f2704056b7d0e257947a8da8e6997be8f3317935a3b4934ce23873524ec21

SHA512
7ff164ec564ead29977db167b1c5397a1ba846e6ace874b3abfddfb695289455c6cf88bac6a476b64df53360d397dad61b1e5cbf8136b388777d1c07681ce48e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad39f427c4e02df32213c63a0a945f70

SHA1
c99db71ec4d3aedacef100fbca407b341879b0d1

SHA256
9d2a37680c982a077551476f37d1e65b2a7d70589af1d1b055a7a2d7820564f9

SHA512
8ea54f8a729deea9f1cd5511e3ab7612a73113a9a89e5b87352af316a00bf3c7f389dbcc4fc9e228c8f10376564f9761e1c1e3f06e2b5b9c848bc39accb536d9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d186b3e45bc06d4f34d63a40cb2c779

SHA1
c8b2d41dc7b9659f91acdc9056d4a0f275e69817

SHA256
e8f048936d8f55a80eb5d62dd7f296aedae430443845788138810a5a739f8095

SHA512
44beb30cb8e40a01ebe897defafe6b09df075fa8f62b19350cdf269d43064cc4d397b8b56ecb63563ca7fdf349387854dd591e21da425d6772a0910d55121f4c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
26a156fdc9e5b5bceac4cd5668ecdb36

SHA1
c4225717289d92a191b375e8def63be608f8abc5

SHA256
57a8f727b67192c5c7781ebfbce938bc6358e64b801af483866053a70a945166

SHA512
b8c7defa55e2c178bdfa07101b862af2e4bc51c0d72f9fbd2df1fda4aeffdd1b9b332b0824f8ac23a222e3a7a594a4ccebfacf8187b4ddcf661d8fa9678f3e7b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
052325278a3131c364949697c42d551c

SHA1
f1a33c4a408ebcd76e6cd9a8028a23bbcbd34aa7

SHA256
ffc935b45a7ebb71526b2fb9b56ec1f3b8acdb18334b9433346686563d13a7b7

SHA512
235b4fd5eac127eb6a4a78d52b9486d50fd5a901a5746373a56eb769fb73461c0447ae324c873e44e5e16e037acb6da7529edfed3101c53974d62ec94d8a4a4c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38b19d55c66ff08c226a5ea969f00289

SHA1
886fa2bb3841c69045f55d95cca729ea000c93b1

SHA256
e3b6396e30d495b650ef575a7ff1fe3f673e2b16934a714a06989904b5bab579

SHA512
836defd21b7feedfb2aff580fa4d2cf0a2b07fb7c1aedcc957fb3bffc1bb73ab3c92560ea75f154bfb0927a758e80d7bc29d824de77cf37a52a0805c55b212b2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d0208767c26f528d55cf7c0f2926100

SHA1
e38aa6464ed762e369faa4af745caa845fdd55e1

SHA256
33d9875ff628838629e90adad0a0cf2a54669bf3a009ddb9616293ccb7869eb1

SHA512
c0fc200749331ed44e0fe41813dc9c20f6ed1479f16f53ad1b809b5918c9d32a576daba5ee1b8e63f4c0959f649c03e058a8fec8aa637329bb51a7875cb5cf98

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a8a03906ab35a69ec58f2e1de2c3d92

SHA1
53860fc248a767d71180acbf1504e4205295df7e

SHA256
6a1baa80ce940d918393214f3417ed2f6331895a657f7cc8363d157de71be356

SHA512
760e6265b3dadfa834f2369915ec93b75960ef2df50bd54aa138cd00e0db80945c6f2545d0ade0bc7ea23c79a34572a41bfa83dac8725a27847feeaeb31061b0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f6aafee8a2300879e449eaf525729aa

SHA1
76051a702dfeb29c69461a781e7335e794424a77

SHA256
ca2edcf8d2cfe5ba0589173857cf9af06b3cad111f8bedeec2ea27535d41d08a

SHA512
7eeb3465a88f9b247c92c3ac4cbb4a34e8245ca6d244d3284df5b8790d90f0eb47b2587c196fa75dbb6adedfb41bcbfeb8047e6b20eb3b86e83bac12487cde57

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b221fd14e9214a237d153076e36fb5f

SHA1
be9517fe3fc69b6fcb8c39dc6af2baf1060cbf43

SHA256
7a54a8ed98c28b17877a2b1ce8db113d8ba5e93dc08b6025b14f41b6fd6e17f2

SHA512
8dd31dfb67528f4b955b692d5b5e59fa509f18ec3f1a4019608c429d5c993d5a14242e3c0be674d94375aedd5acf89f636d2e65e07bcca86320b3a56f7e86f40

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f21fe2a494f4f374d5eab5b3299820e3

SHA1
aae64021ff262b9a91bda110f0e38ea06e41865d

SHA256
cd58c93b25b0ce5061d9821fe5390b0681061b03840432b1782c45f3ee23af1c

SHA512
44442bf95299cccbc800b2eb26511df737c8b9857ada7ba7fe3479bbe7e9b0d5dfda1e172aaba291131804bc3f0686bef71fc876de8e2faf0fdf73b9c2a19cf1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b5663c4f2377b49244ec8550a6c0cfc

SHA1
90b10305bcb061fb5b6cab1c59b844cd9a00650c

SHA256
70eb65d2281da7ff3eed3526e7c844cb969b75e7e2180f27442bf4fc4aad7232

SHA512
ed1aa6e6dd0d894de6746ea140d51d6855ad8abbe00bcd5d09c93b98c61c94a43f1f2fa89137f6ead45115e6dfa0f44a0adac1342c3360de2e5a3627765f5e30

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3699a6bbb442d12553e1fcb5ff80b77d

SHA1
987d28eaceb0fa91b45e52096d53b4bb31e930f8

SHA256
6700ec216c18b95bd5da4b17dedcf4dfd86d467f68610030bb64a2bac37a0a10

SHA512
a81d372954c007ba11cfa0a2cab22a6722c52e8d6ebfb7510ddf1e799c82e21bb6edf917d172b54f496a638c647597caaaff52ee440498c5455ada338f3c0035

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab8AD8.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar9A4A.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Temp\www7761.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www77A1.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
b8620d3c6f3b111695657f34db28e063

SHA1
a5ca534823d20c82280d421511671cdae9d18242

SHA256
dbd2692d4229b1d7a1d154c66056843586e10afc1f78ae392f5f4b9e9a976ecf

SHA512
90e110a42fe42ffa2c0e50d9386e0b386eaa09bbab42e8ed2b7f7c35a951cc5614b6064bc634be3f026b670ad294bf9efeb3cd737ab48cac4799d561ca4413ea

Download Submit
memory/2208-12-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2356-95-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download