df07d9e692f2bd5d895c928e66df94064057e61987b493a774aab807c7e05980

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malpedia.bib
Size

5.1MB
MD5

b885fc47e502881c5b5bbc1e96a30621
SHA1

03650923661f551e61608bfff6cd7d07d564fecd
SHA256

df07d9e692f2bd5d895c928e66df94064057e61987b493a774aab807c7e05980
SHA512

d207847277a7413ac70f4fbe6370c29b2eb39c0c7a9e4e15c61eb1b7258e30c6f841800059d472216130687dd438e7677e06f306b0df43365a517aa56c85411a
SSDEEP

49152:Lx3rUQznDncPAdABarrMERsucSbtrKusKknAiQuMAskAnh8:a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1307628306"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a40a51e84fda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1307628306"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1323879656"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31084520"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{797C93B3-BBDB-11EE-B7F4-76CF25FE979C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31084520"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b1cc50e84fda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d228e40a7820b94dbd5c7b6846f2f5ad000000000200000000001066000000010000200000008cba8c1f43899855fa87b79df29fd65c1370123053ef1473a75f88c5f37de637000000000e8000000002000020000000ec1916d62eb316801023684ee0a1b3d6c468328b58ba5e77abd0b4059474e94e20000000f584eb7402995380cdf0da11d30793c80c718555b0a66d2ad2aa7e61458945e64000000019236888258f37bb708a4c54001b824aa1bf5e64ef3563f6ac8dd5266010fa1cd7d179ca6c70b72514efd0002a019ee25774f3d612a1aa71d70b3aafb50b9903	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d228e40a7820b94dbd5c7b6846f2f5ad000000000200000000001066000000010000200000002f4cfb88a8f57565a8eb6c3953cff2ab1c7cabcc086ed861734c63e8c9c329c4000000000e80000000020000200000002ff3843fc5ef9158d65d08eabf190cc1aa11e80607abf268442c06776f4bed2720000000f51bc42fcc4cef3d724013f903e1cf591bc3893cd63c162d5344c04c9e34b6f640000000f15f9fe440995200286862e0ac60436059a8ac3a36187bc26d38a309ff3ab7340c145b74a17b6a8a23448cec383b01e7d795ba89e856cbf6d8a5a7354f0427c0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31084520"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4052	OpenWith.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2992	iexplore.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
2992	iexplore.exe
2992	iexplore.exe
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2992	4052	OpenWith.exe	99
PID 4052 wrote to memory of 2992	4052	OpenWith.exe	99
PID 2992 wrote to memory of 1828	2992	iexplore.exe	101
PID 2992 wrote to memory of 1828	2992	iexplore.exe	101
PID 2992 wrote to memory of 1828	2992	iexplore.exe	101

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\malpedia.bib
1⤵
- Modifies registry class
PID:4180

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\malpedia.bib
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
1d7f25dc2d6699e79619c31ff8908f6c

SHA1
de3c1be6c3f3e7f6eadbe715ae575794e5bf1221

SHA256
845c8a47772a9c534cf13a177c83c40db250a6dbbd0a369401ea884b8d058d6e

SHA512
7a6e1765a31821e79b766ea0675ed17d735a40766d5fcd6cc305a8d33b8257d11e492d4ad8626f2909e1c2c2d93e8d04ed133effd0a3ec29324ec3ca36a22a1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
de4b63eda426394290b9215b102b65ac

SHA1
5f40d2f610a02db38d2a496b4002a340175e1326

SHA256
90eb4ac9542376e2fb10579a854a374dc44f6112a2590d87dbd8fbdcafa08fde

SHA512
81d0275ed33c8d21ec10b183bfeefe4e0d16e05dd8bd17fd2deaa2a2408c726dd5a5ee9a972ec56cb7ca3f72cf7bca85076b01cc07d83f39bb2477fb5c878aa5

Download Submit