Analysis
max time kernel: 156s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 31/12/2023, 00:16
Static task: static1
Behavioral task: behavioral1
  Sample: 215ca84e60f21a4413e3ce5d24533e58.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 215ca84e60f21a4413e3ce5d24533e58.exe
  Resource: win10v2004-20231215-en
General
Target: 215ca84e60f21a4413e3ce5d24533e58.exe
Size: 37KB
MD5: 215ca84e60f21a4413e3ce5d24533e58
SHA1: e3c8cbfc0045a2f9035b4fd1a674739151eafa14
SHA256: c2c89583aed470465e582aa40a11102f9257e60a99b7f5c7370a485f9ad7d659
SHA512: 72ad140fa233c40fd68d6fd02f1dd487bc9e0834062348c4844d8a598907998f920e04dfd7190ab05a3a6df8b324cad41fc7128f052462474001dec584d2f8a4
SSDEEP: 768:De+yQkCn+pRT8Pp2MSsHn+YWI7iFPnv79qfK6IZyXwBaR1FOlkh0y1aTPY:EQxn+pp8Q3KnfWI2FPnTwf/IZyH1uczT
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 215ca84e60f21a4413e3ce5d24533e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\dlnajjbdfa = "C:\\Windows\\system\\llwzjy081125.exe" | 215ca84e60f21a4413e3ce5d24533e58.exe
Sets file execution options in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrRtp.exe | 215ca84e60f21a4413e3ce5d24533e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrRtp.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | 215ca84e60f21a4413e3ce5d24533e58.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | 215ca84e60f21a4413e3ce5d24533e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | 215ca84e60f21a4413e3ce5d24533e58.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe | 215ca84e60f21a4413e3ce5d24533e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | 215ca84e60f21a4413e3ce5d24533e58.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\system\llwzjy081125.exe | 215ca84e60f21a4413e3ce5d24533e58.exe
File opened for modification | C:\Windows\system\llwzjy081125.exe | 215ca84e60f21a4413e3ce5d24533e58.exe
File opened for modification | C:\Windows\system\mvjaj32dla.dll | 215ca84e60f21a4413e3ce5d24533e58.exe
File created | C:\Windows\system\mvjaj32dla.dll | 215ca84e60f21a4413e3ce5d24533e58.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "731029296" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31080290" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "731029296" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" | 215ca84e60f21a4413e3ce5d24533e58.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5CD2ADE4-AB55-11EE-B6AD-42E20219F0C2} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31080290" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5CD2ADE6-AB55-11EE-B6AD-42E20219F0C2}.dat = "0" | iexplore.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
1928 | 215ca84e60f21a4413e3ce5d24533e58.exe (16 identical entries)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1928 | 215ca84e60f21a4413e3ce5d24533e58.exe (7 identical entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1588 | iexplore.exe (2 identical entries)
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1928 wrote to memory of 1588 | 1928 | 215ca84e60f21a4413e3ce5d24533e58.exe | 95
PID 1928 wrote to memory of 1588 | 1928 | 215ca84e60f21a4413e3ce5d24533e58.exe | 95
PID 1588 wrote to memory of 3288 | 1588 | iexplore.exe | 97
PID 1588 wrote to memory of 3288 | 1588 | iexplore.exe | 97
PID 1588 wrote to memory of 3288 | 1588 | iexplore.exe | 97
PID 1928 wrote to memory of 1588 | 1928 | 215ca84e60f21a4413e3ce5d24533e58.exe | 95
PID 1928 wrote to memory of 2396 | 1928 | 215ca84e60f21a4413e3ce5d24533e58.exe | 98
PID 1928 wrote to memory of 2396 | 1928 | 215ca84e60f21a4413e3ce5d24533e58.exe | 98
PID 1928 wrote to memory of 2396 | 1928 | 215ca84e60f21a4413e3ce5d24533e58.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\215ca84e60f21a4413e3ce5d24533e58.exe (PID 1928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\215ca84e60f21a4413e3ce5d24533e58.exe"
  - Adds policy Run key to start application
  - Sets file execution options in registry
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\program files\internet explorer\iexplore.exe (PID 1588)
    Command line: "C:\program files\internet explorer\iexplore.exe"
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3288)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:17410 /prefetch:2
  C:\Windows\SysWOW64\cmd.exe (PID 2396)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\215ca84e60f21a4413e3ce5d24533e58.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 86B
MD5: f5670a19bb2c9f925287e60ec0cd3f2e
SHA1: c14377ae67a6150e75801d5d9cedceb8aab1cb87
SHA256: 1d7b5eaea755a8fbe3ee6361d5d65e998aa0e8c0f758d42c74c6fd18514977dc
SHA512: 4d3e41d6aac37a21ff1fad1d7e18e659c2506359a991596c742979adfe881014520f5ff5feb98b0ce5a31b488fdd76c70852189bedc6d8866e407ffb5e24ad36