Analysis
- max time kernel: 135s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 20:55
Behavioral task: behavioral1
- Sample: 03c1cb575cc96f7cec79f4a5bfbfefb0.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 03c1cb575cc96f7cec79f4a5bfbfefb0.exe
- Resource: win10v2004-20231215-en
General
- Target: 03c1cb575cc96f7cec79f4a5bfbfefb0.exe
- Size: 49KB
- MD5: 03c1cb575cc96f7cec79f4a5bfbfefb0
- SHA1: 0ca8caede6b77cf63741d0c20a2c8e0d18282a6b
- SHA256: 7df5129ca43c1ed2b48defc909ec75fc96d424bb04d9c48a4dd502da8ac38e5d
- SHA512: 54188a15c1fa56a028440506f09dfc89ba4e779371251e9ff23b5940e7de82160dca4b5c619db315cda3ed6ea5a343310e35f54b2471b9b1be0b15e67062c3e1
- SSDEEP: 768:V+Swax5Sa7lRSW84AxEdeVdRekDUsiOZpZmnABdRmUV/cQtAM1:V+SwraBRSuLEPB3JBdRzRc8
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  All keys below are under \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer (description: ioc, process):
  - Set value (int): SearchScopes\DownloadRetries = "2", iexplore.exe
  - Key created: DomainSuggestion, iexplore.exe
  - Key created: LowRegistry, iexplore.exe
  - Key created: Main\WindowsSearch, iexplore.exe
  - Key created: Main, IEXPLORE.EXE
  - Set value (int): Recovery\PendingRecovery\AdminActive = "0", iexplore.exe
  - Key created: Main, iexplore.exe
  - Key created: Recovery\AdminActive, iexplore.exe
  - Set value (int): Recovery\AdminActive\{03194A71-A6C4-11EE-AB16-D6882E0F4692} = "0", iexplore.exe
  - Key created: Recovery\PendingRecovery, iexplore.exe
  - Set value (int): Recovery\PendingRecovery\AdminActive = "1", iexplore.exe
  - Key created: IntelliForms, iexplore.exe
  - Key created: PageSetup, iexplore.exe
  - Set value (int): TabbedBrowsing\NTPFirstRun = "1", iexplore.exe
  - Key created: Zoom, iexplore.exe
  - Key created: SearchScopes, iexplore.exe
  - Key created: TabbedBrowsing, iexplore.exe
  - Key created: LowRegistry\DontShowMeThisDialogAgain, iexplore.exe
  - Key created: Toolbar, iexplore.exe
  - Set value (str): Main\FullScreen = "no", iexplore.exe
  - Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000580e1c8c6faee54b80ab28599b83677c00000000020000000000106600000001000020000000558b168712cf320b3b7768cca131b22e0bfe860194ce97458e130e4fbab884a4000000000e8000000002000020000000d252317f4b13b6923a874208ab43b60d07aa93f0069b058dda5049e6ff7a41ce200000003a36e9ab7d88209d936c3abd115c4b4669ffee969fe709a22ec343735c05c6b640000000b8a90088ec58f32acc9351b80eac9976d48282b84090839c984a333fa6bf76df4ce6005687e0e00663d7f89138927b6600f263ce1fdb8306f5622b1269a413f0, iexplore.exe
  - Key created: LowRegistry\DOMStorage, iexplore.exe
  - Key created: Toolbar\WebBrowser, iexplore.exe
  - Set value (data): TabbedBrowsing\NewTabPage\MFV = …, iexplore.exe
  - Set value (int): DomainSuggestion\NextUpdateDate = "410069004", iexplore.exe
  - Key created: BrowserEmulation\LowMic, iexplore.exe
  - Key created: TabbedBrowsing\NewTabPage, iexplore.exe
  - Key created: InternetRegistry, iexplore.exe
  - Set value (int): Main\CompatibilityFlags = "0", iexplore.exe
  - Set value (str): Main\WindowsSearch\Version = "WS not running", iexplore.exe
  - Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000, iexplore.exe
  - Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = a046ebd7d03ada01, iexplore.exe
  - Key created: GPU, iexplore.exe
  - Key created: IETld\LowMic, iexplore.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  - PID 2648: iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  - PID 2648: iexplore.exe
  - PID 2648: iexplore.exe
  - PID 2804: IEXPLORE.EXE
  - PID 2804: IEXPLORE.EXE
  - PID 2804: IEXPLORE.EXE
  - PID 2804: IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1976 (03c1cb575cc96f7cec79f4a5bfbfefb0.exe) wrote to memory of PID 2648, procid_target 28
  - PID 1976 (03c1cb575cc96f7cec79f4a5bfbfefb0.exe) wrote to memory of PID 2648, procid_target 28
  - PID 1976 (03c1cb575cc96f7cec79f4a5bfbfefb0.exe) wrote to memory of PID 2648, procid_target 28
  - PID 1976 (03c1cb575cc96f7cec79f4a5bfbfefb0.exe) wrote to memory of PID 2648, procid_target 28
  - PID 2648 (iexplore.exe) wrote to memory of PID 2804, procid_target 29
  - PID 2648 (iexplore.exe) wrote to memory of PID 2804, procid_target 29
  - PID 2648 (iexplore.exe) wrote to memory of PID 2804, procid_target 29
  - PID 2648 (iexplore.exe) wrote to memory of PID 2804, procid_target 29
Processes
- PID 1976: C:\Users\Admin\AppData\Local\Temp\03c1cb575cc96f7cec79f4a5bfbfefb0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03c1cb575cc96f7cec79f4a5bfbfefb0.exe"
  - Suspicious use of WriteProcessMemory
  - PID 2648: C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.oifotos.com.br/
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - PID 2804: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 0358c032077c99bddf51371a592bb131
  SHA1: 59d1d50f39946111688d6465acc12f2af62d44a7
  SHA256: 330f90a0e57bdca42779a16dec2419d5c462efac07d1a7600a9da39d77a1bc39
  SHA512: 79c32c52f8454b8e507900af3c0e4fbb1aea944ccd228ff830d925ebea923378986ba4d776fe02538719c629fe7dddf2cd74520753e2d6c1cbe69dec5f2953f5
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 9331f2801becf87f8a32c138f4605acc
  SHA1: 8fe99775ea7e3fc19b489b0799f32338a25de353
  SHA256: 390ed68ae0b89c95bef265ae6b38293f41eb4fa801d34efb4eaeef1b26cec8ad
  SHA512: 200258bd2ed460d8ced75ae2f805d31fa1a2baebf1b6f27e4894642f3f723bd77dd72ad867d2c84d4c253a393065a1351448bd887836a2344d731b8530df3d8b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 50c17a562bab3eaef47f6f34541b005b
  SHA1: e2a1a0ae0eeb4585b43e83fd3f837ced0f86a544
  SHA256: 993d614282241adb6463f1e8b7e015d985b53d63dcba8452ffd4aecd6a4ea0ec
  SHA512: babfb0d85255947b978078b42f48330d9d82aa5d4816159f9f9b23ef957d6a24db49c35bc96c58974f04eb86721be22cc6879cc7e0548a01295cb61945dcd226
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a6a66024bfe56cd4ea9e888d06e4e176
  SHA1: f98e15de34cd4f3c3493b6fdd7e50dc6483c6165
  SHA256: c855c1b59cff64b92e647faeaaff26fb775a48c918330407188e71e557ca0dc6
  SHA512: 5dc8d2b493beffc14d652f0c034706e18253d5f54ffea9dd4f0dfeeac8b2b47ff599c460f095d78112263d0faae7aa309c181fb98e9a655a8592292669dbf0d3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 0f57b04abf1b4091472d5c000b22694d
  SHA1: 90d5f18a5bc0cf9d03c7839c8eded40268ff9803
  SHA256: 632b149bb5abaf9fc57d7c3e58db3eccb846022b1492a5d3d682693491e3531d
  SHA512: 75444ee93fa23abc7cd6ede60937c8948499551ea64a5bb50ecb4eb542523118bba7191bea390dfff0567adcf6b073addefe09b4054b2b681f8443c6554f2f13
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 310608ca1f2411aeb896a2f259ca07dc
  SHA1: 6e901d63f6551756db08610e584f71ebe5f390c9
  SHA256: 6f1ed4708a56a1edf2583fe97be6cd5ce0128f9f529476da51043c5d79147e7d
  SHA512: 4d8c75e5191930fae8b4c35a6a603194e4fe6ecf4e61211c8ef88c63023333fa6331f1b5177b2506a0bfbd81e99975e2f2b3d219e36140d31e1425a17fac559d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: dfc50fb58d970a890daf610970eb791e
  SHA1: 9e3a3f8492dd526f3a3d22b4908eb6ea1efe9a72
  SHA256: 07dc2b68915e8552b124c16bfb7df64b781d021d497da05f81d6ee4476389121
  SHA512: d6a2dce829d45a3c102a1c4a8c30bb7b74faf157f0483a9a9733ba5dd694d1444a41ef118caaf9a675686dcb63b542fa90c9daea9af9ff18b656ef40d9c9a3fd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 8576e4050c32c6dcddd7755459832e71
  SHA1: 9f89364559b829c12771fb7c2a49370908c223de
  SHA256: 5d1fec9c3d81613301d3eb89400420a5ce7d70620a7a6804e29e96e69a07813a
  SHA512: fe3da7bc8c754aa38445a1e2a4e96fb17d4e32837e67809420cae559b4ac53a7596109cb3c2cce76985ca9e234dd4ec511b0b274fe43cbab2c46407ae4b0f258
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: e914db724fa3cdad9248cbc3f1ecdafd
  SHA1: 97dfa958569df8f28c8e71566bc8a5daee977c2a
  SHA256: e417afe141da98faa4a730fe152b265a59caa07de0aa7579a4c33b9b282158dd
  SHA512: 9fba293807924dc373ddd5d1da7b8fb83af47f6c8d85c2998797b66ec3bd2114e4048567e3292cc54d00c296d06eaaf7a6845526b046b7f06021b78738c08720
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 24c9c84e395f79cdc5b28050085e82ca
  SHA1: ed7a72d400f27d7cc30aae8f22390cda6e1c280a
  SHA256: 74b64cb39f2493ed6cb0f7ca7bf8f628afafdd7689e202f1240940c492739aa9
  SHA512: ae87a1078d24608f8291a80dd61d72bcacc23b0ac3ac99063b425dacf8d8d606596ce9d468ca32320f49198cee87c15af9a255c243dc578f013a33e5c55d433f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: fbb7f3f3f274f0f573e34846c5647269
  SHA1: d8e37ec01e1a6b31993b920d5bad07d7f7fa5c59
  SHA256: fb920e2f32c410ec886012ec737a6591667122ba5574e6419b27633717385b4a
  SHA512: 405debf4b7c997c346c1a87b2c4d43023ee2b2a12aa9b1a7c33cd2fe3eb6e89670f274e4158f44f1ccd4fba30ea464ffe0cf02026a32c59fe3ac5f57832a8095
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 315901ece6d2fa2c585fb7ee7835c594
  SHA1: f6ec9d12fa4b479e239f4145c15d06d6dac82491
  SHA256: 3fe119e69e3e76af13af0d908a587f8e075e5f0a33ebdba97eb7a14eb5469527
  SHA512: 93245c6f629253e79bfda2d643c1a29b3c11c7fc775513b459b7c0362c4ff2997a1bf0a0bf7cb39d2f6559eaa4c015acafc89a73f3042035e0472cd8fbbd239b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: b16e71bc225972d0e4c403d72c437372
  SHA1: 0dca2411fac0e2a623265d7ff4538c4ed593cb62
  SHA256: e1de486bc20c2cfe29a5c0b8ecef9fb78bc4cf11a0c904ceab70b4e621afcf3a
  SHA512: c2dd4aaaecba410a0aa0d1b2719008bb346d461d35492041234bdba0354f36bd3c16262126b351353c8992ed8e4a6276e779d8db70af27821be4c4477c7c7756
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d401b73756130d3d16ecb6308e184cef
  SHA1: 46ca0b6198f3ca08af7c04c1f63924f025755d17
  SHA256: 3456bf3017be0b391ee65869e5346ddeb5d1a5f2bed944f4067af06278d46254
  SHA512: fac31d915131467ecadd8f52b445b201ff8fbf2e78acba135486e40f51db01f28401f59bfa6ae194d91ce33eaf8e117b73ce3fbf318f5edc683d8f8176b88fb4
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06