aaf5a4cef4f2d2c013ae6950cb5d795dd885b90f9be521102c51edd035b581bc

Analysis

max time kernel
128s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c8a7390897be3ffe2903728e6433ceb.exe
Size

394KB
MD5

1c8a7390897be3ffe2903728e6433ceb
SHA1

a835de06ea0a43170aedb52904921983acbf1839
SHA256

aaf5a4cef4f2d2c013ae6950cb5d795dd885b90f9be521102c51edd035b581bc
SHA512

6d140686842437fad21a5ef1b2685de28241769689ab5745eb527a1b6554edef530fc86c5cfccd0c970f122d98d83f574a5080f3ec3042bf1787274da36683f4
SSDEEP

3072:MEsmBEsmBEsmBEsmBEsmBEsmBEsmBEsmBEsm4lQ23MxHSSP1w0VI51yHLHlBhyBJ:MZYZYZYZYZYZYZYZYZfeP1ZVI51yZAv

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	exc.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	exc.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	exc.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\wintrust.dll	exc.exe

Executes dropped EXE 1 IoCs

pid	Process
2524	exc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\olethk32.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\DXPTaskRingtone.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\EventViewer_EventDetails.xsl	exc.exe
File created	C:\WINDOWS\SysWOW64\KBDGR1.DLL	exc.exe
File created	C:\WINDOWS\SysWOW64\KBDINKAN.DLL	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc100esn.dll	exc.exe
File opened for modification	C:\WINDOWS\SysWOW64\atl100.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\fc.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\msv1_0.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\Utilman.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\pots.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\diskperf.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\KBDSW.DLL	exc.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140kor.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\nshhttp.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\ntprint.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\sspicli.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\ddraw.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc100enu.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\msrd3x40.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\msvcp60.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\sppwmi.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\hidserv.dll	exc.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140esn.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\NlsData0013.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\SyncHostps.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\wmpdxm.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\EventViewer_EventDetails.xsl	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\KBDHELA2.DLL	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\NlsData0000.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\rdpcore.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\TCPSVCS.EXE	exc.exe
File created	C:\WINDOWS\SysWOW64\wshbth.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\at.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\iac25_32.ax	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\SysWOW64\mapisvc.inf	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\pscript.sep	exc.exe
File created	C:\WINDOWS\SysWOW64\rasdiag.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\dpapimig.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\dsrole.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfcm120u.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\odbcji32.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\C_1361.NLS	exc.exe
File created	C:\WINDOWS\SysWOW64\dnscmmc.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\icardres.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\SysWOW64\msvcr110_clr0400.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\defaultlocationcpl.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\Netplwiz.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\pstorsvc.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\Wpc.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\hnetmon.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc120fra.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\resmon.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\srclient.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\apilogen.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\KBDBU.DLL	exc.exe
File opened for modification	C:\WINDOWS\SysWOW64\vcamp140.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\PkgMgr.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\tlscsp.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\where.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\KBDROPR.DLL	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\SysWOW64\korwbrkr.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\msdadiag.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\msv1_0.dll	1c8a7390897be3ffe2903728e6433ceb.exe

Drops file in Windows directory 52 IoCs

description	ioc	Process
File created	C:\WINDOWS\twunk_16.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\explorer.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\HelpPane.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\notepad.exe	exc.exe
File opened for modification	C:\WINDOWS\PFRO.log	exc.exe
File created	C:\WINDOWS\splwow64.exe	exc.exe
File created	C:\WINDOWS\twunk_32.exe	exc.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\fveupdate.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\system.ini	exc.exe
File created	C:\WINDOWS\twain.dll	exc.exe
File opened for modification	C:\WINDOWS\Starter.xml	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	exc.exe
File created	C:\WINDOWS\hh.exe	exc.exe
File opened for modification	C:\WINDOWS\setupact.log	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\twunk_32.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\hh.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\mib.bin	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	exc.exe
File created	C:\WINDOWS\mib.bin	exc.exe
File opened for modification	C:\WINDOWS\setuperr.log	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\winhlp32.exe	exc.exe
File created	C:\WINDOWS\write.exe	exc.exe
File created	C:\WINDOWS\write.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\winhlp32.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\WMSysPr9.prx	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	exc.exe
File created	C:\WINDOWS\notepad.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\Starter.xml	exc.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	exc.exe
File created	C:\WINDOWS\twain.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\bfsvc.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\bfsvc.exe	exc.exe
File created	C:\WINDOWS\twain_32.dll	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\twunk_16.exe	exc.exe
File opened for modification	C:\WINDOWS\win.ini	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\fveupdate.exe	exc.exe
File created	C:\WINDOWS\twain_32.dll	exc.exe
File opened for modification	C:\WINDOWS\system.ini	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	exc.exe
File opened for modification	C:\WINDOWS\win.ini	exc.exe
File opened for modification	C:\WINDOWS\PFRO.log	1c8a7390897be3ffe2903728e6433ceb.exe
File opened for modification	C:\WINDOWS\setuperr.log	exc.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\WMSysPr9.prx	exc.exe
File opened for modification	C:\WINDOWS\setupact.log	exc.exe
File created	C:\WINDOWS\splwow64.exe	1c8a7390897be3ffe2903728e6433ceb.exe
File created	C:\WINDOWS\explorer.exe	exc.exe
File created	C:\WINDOWS\HelpPane.exe	exc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4FECA61-A866-11EE-9BAD-F2B23B8A8DD7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0718a7a733cda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d6000000000200000000001066000000010000200000001060309a1a52c71b40128ad688b82d70d5b1e4aae749c7ab06995873edd10d1e000000000e80000000020000200000005c85ea1ba4c4024a70aefe76693df761a017a5740644181cb88e700f125dc1a590000000490a4f454c6c5e3332b87bab1d2943854b0e3babb0a98133bc298f53adf6c6199b28abc9508a507c8362ea80dd8bee432b34a546d6b61cb23c9c85a917742a9209e14457aa27a3b4c9713c670741f95d7d40a5374f36104de6b0f5d25c6a4f15d0398f665f83bd8fb1e943c680e0077341bdbb9fe4af7e38cf157581152bad61fa3e778d521092cc387c903f4727083340000000f5010c9ee95946ea7e8e4b66e8936a2f758f11eb83a902909e53e7a5a6aaec1df6fce3419e8cee593da90ad3a9a89ec39cfb5ba36a4ca1a1712ddcde6076b64c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000f66b5abbb74ef97f8c8320b3ac1f86a314801944aa6ba999ae0c6957971121fe000000000e8000000002000020000000383ed33ba51d1dc63e550719cceeee104e333cbeda67cf48369b80018b8cd30020000000c5d93d311b87db8111d5b9f8b691fd3b5356db6a9f92cd56754489e32479e40c4000000005ed1e6e1e616585a0cb0ad44cde72f13d22ccf8a6d2f0c3b92cc2358df7f0c6b8f2168cae5e2ea941a5aae947b7209b68d96cfb52b36b30681819b8ee2d6ca3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A5012BC1-A866-11EE-9BAD-F2B23B8A8DD7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2244	iexplore.exe
2068	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2244	iexplore.exe
2244	iexplore.exe
2068	iexplore.exe
2068	iexplore.exe
324	IEXPLORE.EXE
324	IEXPLORE.EXE
564	IEXPLORE.EXE
564	IEXPLORE.EXE
324	IEXPLORE.EXE
324	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2524	2248	1c8a7390897be3ffe2903728e6433ceb.exe	17
PID 2248 wrote to memory of 2524	2248	1c8a7390897be3ffe2903728e6433ceb.exe	17
PID 2248 wrote to memory of 2524	2248	1c8a7390897be3ffe2903728e6433ceb.exe	17
PID 2248 wrote to memory of 2524	2248	1c8a7390897be3ffe2903728e6433ceb.exe	17
PID 2248 wrote to memory of 2244	2248	1c8a7390897be3ffe2903728e6433ceb.exe	31
PID 2248 wrote to memory of 2244	2248	1c8a7390897be3ffe2903728e6433ceb.exe	31
PID 2248 wrote to memory of 2244	2248	1c8a7390897be3ffe2903728e6433ceb.exe	31
PID 2248 wrote to memory of 2244	2248	1c8a7390897be3ffe2903728e6433ceb.exe	31
PID 2524 wrote to memory of 2068	2524	exc.exe	33
PID 2524 wrote to memory of 2068	2524	exc.exe	33
PID 2524 wrote to memory of 2068	2524	exc.exe	33
PID 2524 wrote to memory of 2068	2524	exc.exe	33
PID 2244 wrote to memory of 324	2244	iexplore.exe	34
PID 2244 wrote to memory of 324	2244	iexplore.exe	34
PID 2244 wrote to memory of 324	2244	iexplore.exe	34
PID 2244 wrote to memory of 324	2244	iexplore.exe	34
PID 2068 wrote to memory of 564	2068	iexplore.exe	35
PID 2068 wrote to memory of 564	2068	iexplore.exe	35
PID 2068 wrote to memory of 564	2068	iexplore.exe	35
PID 2068 wrote to memory of 564	2068	iexplore.exe	35
PID 2244 wrote to memory of 1828	2244	iexplore.exe	39
PID 2244 wrote to memory of 1828	2244	iexplore.exe	39
PID 2244 wrote to memory of 1828	2244	iexplore.exe	39
PID 2244 wrote to memory of 1828	2244	iexplore.exe	39
PID 2244 wrote to memory of 2400	2244	iexplore.exe	38
PID 2244 wrote to memory of 2400	2244	iexplore.exe	38
PID 2244 wrote to memory of 2400	2244	iexplore.exe	38
PID 2244 wrote to memory of 2400	2244	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\1c8a7390897be3ffe2903728e6433ceb.exe
"C:\Users\Admin\AppData\Local\Temp\1c8a7390897be3ffe2903728e6433ceb.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2248
- C:\exc.exe
  "C:\exc.exe"
  2⤵
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:564
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:324
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:1848326 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2400
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:1913865 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b77a48bb0798212cb77f843eadcbde19

SHA1
25e47b8cb40f98de8759af9667c4199cdb0737c3

SHA256
5db1397bfcb842a30f063c1205ba8046521329cb72fac634243cfb924fc923f7

SHA512
256aa30de8377a8cb434d0bdf15ebc0536684a2f172893bcbc1f1ce6e466950728a63e11bfc8afdc1b4519fdab45eb4a51faced7c2d21dc7fae2771c0936ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
140c5e59ff68b5e0afc275f61d5900ee

SHA1
0d0fa0ccde9b89f2a278d9117889df8dab8afae0

SHA256
74ea13ae4f881715f0637a4261f80603e2e284ce0ee00285edaa7098413ada42

SHA512
041794b574465f32fd938739913b32eb76db93e3571a0a137fa1630eb99ee8d1060bf8b6f7601bf7c30c32ec1719f02d943a7ffe9409174ca8425d9f0f483c66

Download Submit
memory/2248-8-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2248-283-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2248-622-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2248-1401-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2524-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2524-284-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2524-1402-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2524-1988-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download