Analysis
- max time kernel: 44s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/01/2024, 12:08
Static task: static1
Behavioral task: behavioral1
- Sample: 46315b54912739075d98433897e86ecd.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 46315b54912739075d98433897e86ecd.exe
- Resource: win10v2004-20231215-en
General
- Target: 46315b54912739075d98433897e86ecd.exe
- Size: 367KB
- MD5: 46315b54912739075d98433897e86ecd
- SHA1: 34d12821cca2589b80d9b5d2c235375563b1b6a0
- SHA256: a55b2334334dd206aceea6719cf7ec3bac9b325d84f0607e65f4a3f88b57161e
- SHA512: db233bd3bcb55f9504fec776da6df83bac98f6915133ce3dc62aa29de313b9c247dfdbd1164f435ecce337357402e2fc9b05250e7d3f86f316047742ebc51eef
- SSDEEP: 6144:R/kFr0H89gBk+0AS7qHcrymVwAiO2QVmJYtXbwp0UsaIJT+vybUxGknqwwc2j:R/kpj9wen7q8rzRVmetXbw6UsZWybcn2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - pid 4708, process winupgrade.exe
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\ime\winupgrade.exe (process 46315b54912739075d98433897e86ecd.exe)
  - File opened for modification: C:\Windows\ime\winupgrade.exe (process 46315b54912739075d98433897e86ecd.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main (process winupgrade.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "no" (process winupgrade.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  - Key created: \REGISTRY\USER\.DEFAULT\SoftWare\Microsoft\Internet Explorer\New Windows (process winupgrade.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\New Windows\PopupMgr = "no" (process winupgrade.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main (process winupgrade.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "no" (process winupgrade.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no" (process winupgrade.exe)
- Modifies registry class (34 IoCs; all by process winupgrade.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\file
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\command
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\ = "open"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\open
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\ = "open"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\ = "open"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\""
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\""
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\""
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "open"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\""
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\""
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\ = "open"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\""
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\ = "open"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\open\command
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - pid 2136, process 46315b54912739075d98433897e86ecd.exe
  - pid 2136, process 46315b54912739075d98433897e86ecd.exe
  - pid 2136, process 46315b54912739075d98433897e86ecd.exe
  - pid 2136, process 46315b54912739075d98433897e86ecd.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 2136 wrote to memory of 1572 (process 46315b54912739075d98433897e86ecd.exe, procid_target 25)
  - PID 2136 wrote to memory of 1572 (process 46315b54912739075d98433897e86ecd.exe, procid_target 25)
  - PID 2136 wrote to memory of 1572 (process 46315b54912739075d98433897e86ecd.exe, procid_target 25)
  - PID 1572 wrote to memory of 4540 (process net.exe, procid_target 27)
  - PID 1572 wrote to memory of 4540 (process net.exe, procid_target 27)
  - PID 1572 wrote to memory of 4540 (process net.exe, procid_target 27)
  - PID 2136 wrote to memory of 3812 (process 46315b54912739075d98433897e86ecd.exe, procid_target 95)
  - PID 2136 wrote to memory of 3812 (process 46315b54912739075d98433897e86ecd.exe, procid_target 95)
  - PID 2136 wrote to memory of 3812 (process 46315b54912739075d98433897e86ecd.exe, procid_target 95)
Processes
- C:\Users\Admin\AppData\Local\Temp\46315b54912739075d98433897e86ecd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\46315b54912739075d98433897e86ecd.exe"
  PID: 2136
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop McShield
    PID: 1572
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop McShield
      PID: 4540
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ieflux.exe_deleteme.bat
    PID: 3812
- C:\Windows\ime\winupgrade.exe
  Command line: C:\Windows\ime\winupgrade.exe
  PID: 4708
  Signatures: Executes dropped EXE; Modifies Internet Explorer settings; Modifies data under HKEY_USERS; Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads