c1a7e79643cbaff1c236ac7f3faa64d85d0bf233022b4546a4d8fddb8b129f4c

General

Target

22d7b21fb4a318496a13c094b92672e7.exe
Size

93KB
MD5

22d7b21fb4a318496a13c094b92672e7
SHA1

63f72cfc54948d55b6dc61c7d4cc39be20d5d198
SHA256

c1a7e79643cbaff1c236ac7f3faa64d85d0bf233022b4546a4d8fddb8b129f4c
SHA512

37d4009a0824c127bca1ab044fbdb1eae1b64118cf040a4bbb122bf5b02b5afad119876d7420cb47d59c9f5a277385b49ee033fb2bfb2d73be30c179bb110ef8
SSDEEP

768:fg8Ly1J+QlPQpFrdvw4kKtZRIyl8nWNqePH2nKK3qkxxOha5++xoGer/ouDdQpOy:ohJ+/XxI4kKtZ1RpH2nKWyL+YrhCOTLC

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1752	msdrv.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	22d7b21fb4a318496a13c094b92672e7.exe
2076	22d7b21fb4a318496a13c094b92672e7.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2076-5-0x0000000002180000-0x0000000002193000-memory.dmp	upx
behavioral1/memory/1752-16-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1752-14-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000c00000001224a-13.dat	upx
behavioral1/memory/2076-2-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msdrv.exe	msdrv.exe
File created	C:\Windows\SysWOW64\msdrv.exe	22d7b21fb4a318496a13c094b92672e7.exe
File opened for modification	C:\Windows\SysWOW64\msdrv.exe	22d7b21fb4a318496a13c094b92672e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E97E5AD1-A8D3-11EE-B49B-CE253106968E} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410295752"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	msdrv.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2004	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1752	2076	22d7b21fb4a318496a13c094b92672e7.exe	18
PID 2076 wrote to memory of 1752	2076	22d7b21fb4a318496a13c094b92672e7.exe	18
PID 2076 wrote to memory of 1752	2076	22d7b21fb4a318496a13c094b92672e7.exe	18
PID 2076 wrote to memory of 1752	2076	22d7b21fb4a318496a13c094b92672e7.exe	18
PID 1752 wrote to memory of 2004	1752	msdrv.exe	17
PID 1752 wrote to memory of 2004	1752	msdrv.exe	17
PID 1752 wrote to memory of 2004	1752	msdrv.exe	17
PID 1752 wrote to memory of 2004	1752	msdrv.exe	17
PID 1752 wrote to memory of 2004	1752	msdrv.exe	17
PID 2004 wrote to memory of 2920	2004	IEXPLORE.EXE	16
PID 2004 wrote to memory of 2920	2004	IEXPLORE.EXE	16
PID 2004 wrote to memory of 2920	2004	IEXPLORE.EXE	16
PID 2004 wrote to memory of 2920	2004	IEXPLORE.EXE	16

C:\Users\Admin\AppData\Local\Temp\22d7b21fb4a318496a13c094b92672e7.exe
"C:\Users\Admin\AppData\Local\Temp\22d7b21fb4a318496a13c094b92672e7.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\msdrv.exe
  "C:\Windows\system32\msdrv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2920

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13d9edf500291b5bd3483d7f68e2cabe

SHA1
c50b78d3c800a3a9811ff8f60031defd0b1cc01e

SHA256
7518629481dc909aa9e7f5dc2d498fe124e2b5a957b5184a5aa9e20e7727cc52

SHA512
c37cbf01342646dfe1ef529b1117025db03689943a2ec69bd2023c21522824b6b9202c3a5b3eab2319f252579ceec46df460380cb38b26c40cd042000d0189ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
071f2fb5c689f196717dbf06238d1b6f

SHA1
b7d7b54d645eedf4d158bc96df8ed841936bf2ed

SHA256
c26a0467bfcb6d500f6c59d8d550ea56f096c07d046f15092ac1459ebbb06d7e

SHA512
ae3e39f01671416baffc2c894cb4ff93d0fcdd90878632f2be1ab59cbbad701d5980171b8d8775b25d372d3823020fdf6867e8c8aa24d227d33a4caacfc01f67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56a14ec60ebfe0746d9c14383aeb8c6c

SHA1
89c2fffe81a0f0387510cd2d797888d54ab385f5

SHA256
2a371c5d8b6fd1c9c2b3e77a852f4ae6a7168b08ee1e06fd8c48debddedae3c0

SHA512
0e30e9332e7f9686f7439af3fa813a52c8ddf998b5c325933066a50b7e2026151e7658039ab288e73091ab515db26227bc510cb00da195779b68227969fb1b50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9333a363faf8151fc0b61e0c0843f929

SHA1
ac9a52c2e5f78f8b8d175faa183a0f8cf61686ff

SHA256
77eb89fa59f28026785004cc54f938d45b30445140a41d191a201cf2dfd2da93

SHA512
990943009af7feeef9803f726b7282a7974b9e501dc26cf34ffc6ecf642751825afa52234a1fc09301394d86a51cc8114216a2431a0a175d225ce2b7cf8e144b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f8b86fe25be72f4175370eb135cf3ff

SHA1
cd1c81b5fb65571010df5728810e9bf9df3ebf14

SHA256
91ff43fdfc6566411c46fadb370d8c79f80111b4389bed7d1b914d9d7afb68c6

SHA512
7ee5d2500152d5015d54f2225884a53cc79a43ec9f2eb2ca468c8ce53e1f954fae8227d9bd87403440a25d4ae1fadb79658083d5c0ad2960f171556ed97bae84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a207d58144f3f488c7e0bc2dc9e85c5

SHA1
4d1130d27c81f809e610f4f2f2ddc0e5ddb6cb74

SHA256
cebf53f1754027340b4fcc4e612289a6f7e1bb84a19673d189d12e4934f58a48

SHA512
ce74881b2f73cc0e04e60dfb2bf8aa39bce06c02b5eec8f6010fc24c2df6a0a29394b11d3b8e72cd6c197c56768c4f698f46d7c71c4b7aaf9da324fca5d12421

Download Submit
C:\Windows\SysWOW64\msdrv.exe

Filesize
93KB

MD5
8305554eef697adf380ba1e209d543e4

SHA1
0ec0d3b701bfad029fd3157fc955bc7584036780

SHA256
7fe67aa05b02e458552da45d877c27179263a56843659dad5e4ba42864be3392

SHA512
83f75f8c20577d656bcec68c446dfad15a1166de27ed3b0419750878ed7a5fe7944f7af3064c7498c08afe6eb34a2673dc409b99df173918ecc84d7adfdb4fe7

Download Submit
memory/1752-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1752-16-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2076-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2076-445-0x0000000002180000-0x0000000002193000-memory.dmp

Filesize
76KB

Download
memory/2076-5-0x0000000002180000-0x0000000002193000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing