c9199ecc8f448d04fbcabcef7489779d93622f008b9d0b503b64fd02ccd26109

Analysis

max time kernel
136s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7677b54d6a649a05f7e04e5d428b92fc.exe
Size

76KB
MD5

7677b54d6a649a05f7e04e5d428b92fc
SHA1

27557b9a640f32bd741c4a79c51b08ed62f736fa
SHA256

c9199ecc8f448d04fbcabcef7489779d93622f008b9d0b503b64fd02ccd26109
SHA512

bbe1a341e4e41f102f46845ee87329fe78fce974ff79911bd4ed3abfd32b3479e91fd4c619303c50c16600dbae2f1c25aa4723a2994c6479cc1679f725f9e261
SSDEEP

1536:bNOAO3OYZcDEvqpjhGSQ/RRhQGM5cHMMKDIDpL1cK6SFGeFJvaf:bNOASp+EcgnmG5mIDpLC9ScKCf

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2280	regsvr32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mscrss.exe	7677b54d6a649a05f7e04e5d428b92fc.exe
File opened for modification	C:\Windows\SysWOW64\mscrss.exe	7677b54d6a649a05f7e04e5d428b92fc.exe
File opened for modification	C:\Windows\SysWOW64\mscrss.dll	7677b54d6a649a05f7e04e5d428b92fc.exe
File opened for modification	C:\Windows\SysWOW64\RCX3FFD.tmp	7677b54d6a649a05f7e04e5d428b92fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{54BA3101-BC09-11EE-BCDB-CE253106968E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412407745"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2152	7677b54d6a649a05f7e04e5d428b92fc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2812	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2812	iexplore.exe
2812	iexplore.exe
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2280	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	28
PID 2152 wrote to memory of 2280	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	28
PID 2152 wrote to memory of 2280	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	28
PID 2152 wrote to memory of 2280	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	28
PID 2152 wrote to memory of 2280	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	28
PID 2152 wrote to memory of 2280	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	28
PID 2152 wrote to memory of 2280	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	28
PID 2152 wrote to memory of 2812	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	29
PID 2152 wrote to memory of 2812	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	29
PID 2152 wrote to memory of 2812	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	29
PID 2152 wrote to memory of 2812	2152	7677b54d6a649a05f7e04e5d428b92fc.exe	29
PID 2812 wrote to memory of 2700	2812	iexplore.exe	30
PID 2812 wrote to memory of 2700	2812	iexplore.exe	30
PID 2812 wrote to memory of 2700	2812	iexplore.exe	30
PID 2812 wrote to memory of 2700	2812	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\7677b54d6a649a05f7e04e5d428b92fc.exe
"C:\Users\Admin\AppData\Local\Temp\7677b54d6a649a05f7e04e5d428b92fc.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s /c C:\Windows\system32\mscrss.dll
  2⤵
  - Loads dropped DLL
  PID:2280
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68a916591a97754404d44028043a8b1b

SHA1
aefe7dabbbd4e5c1b590e81202adfef88c7d7494

SHA256
1d9732cedc4088436dff49aa8e2a164713f74d07b2569a144c97153244d471bf

SHA512
2e865c286b560ac73d41e38a502ec95751f677d451cc356685e67d3aa55c053b46973d8d2969c3c01b7770f66b6b8de7cd1662432565c10298e0459e583f277a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abbad169c5879169fb4e4bd92c73db8f

SHA1
51ef5dcdb629dbb2b726906f356a509e512fd343

SHA256
c4cd1714d5819661648bc41a37f4ad7a6ed5f77c5237bb2d3bd2e8a42a2d740f

SHA512
0f508e5751df99750cde7e9d7a0a29f5d89bdaed4391a9f4a806ddb043d32f071d23b701cc73fda09f75d662b26e364bd1bf38c7958ce4638d4a981a2fa77ae2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ade03fbbd18e00486f633929dc5cd45

SHA1
9a1bda30276e8bfe74a7e86bdc05d09d975eea28

SHA256
f53abc2375af037174eac1a0c081fe63e04bd8834591aecbf376b7737b15f3de

SHA512
e780abf26b518393afee6c4bb4b3a52ed5829b48f52c20826c2dedc88e4cbac55bce41981755a875e16a84014d0750ff9fb9cb61f3b827e5c2fe7790db84a182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94cea23067ef9109244da56a5e42255e

SHA1
d4e3ce74b103d4702b97e8e034cd817e648fa534

SHA256
dad6849e17e0ed873b657a278a65f408af3b5c213869edeff60510007a6558f2

SHA512
ebbe0491f9ad76cd91f6eb45f4bec851f44b4a615419d62fc54792ed2207df1e917dfd8cdf03dad97273f31766f01269c83a7f595e50f87e178415f443b4fc17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d432722d5964f74a530840d7cc3143c

SHA1
e31ce44d5c820f4d50e765f448fa8ca731b4da71

SHA256
d2cfd48e04f4acfcffa36b6d99889e9295602f5a7472475c8312f86f104cb9ce

SHA512
6fe7874764bce1585f81598a6f47f2584474cdddd7b27f2aae01f18f6db9046dcefc5102a6a47a859f001cbf27689293dedb83fce006448cc35406e45dd8d1db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94e2b0629eaa66ff7121559233ca48a4

SHA1
9a4916bfac461296ccd4aae9045044a4bc63f1fe

SHA256
b8ffa9641511eb2ff558ede29706b74e23d8c9c32e28581e654d7028444f9fbe

SHA512
d07fcd6b02aff15b8f93aebff832388775cf44f9491142e8b24bd2abf98b305f111e4d1d2a94ae1b6bbeda474c895966542304e088048028a612e12b3cab1fdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aaffaeb74e69c036aadb73fddee841df

SHA1
6b780055809ef2c360c04b49d38d09db2e96fe1d

SHA256
f3bc6b95a234eec923703c875f80492ad6694664540d3d5213855c12d32f540d

SHA512
8ffad844af13bbfb35b591339babf3d435728c3b8c004508db193b1868f9034e8dee653ef4d89dc809f03b009edfc4ab00fd5cd3a919bfc60fed01c0527762e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42e7527130cd3ba44b3672dd46ce02dd

SHA1
4f0a2cb0820f3b8db395c35519bde50807a46082

SHA256
4553acc786319e431df96eb7066371812fe30e487ea73da8b1da0191dd271522

SHA512
36388ce8263b0996249ce0087b530762b4aef56bcf77ec1967aac32f214edfed2c99cd4aae95e0d7afed798eb049314629a4d1b7934011ccbb11f1eedf482120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f07c192152ab4b7470590db276ed5b63

SHA1
f2bb3f3356668e83846db45dce91676ba56e9f2f

SHA256
de560528c9f2d520e388525c72204a2c3553a4af4715d8060d90831d600a94e7

SHA512
6d67a29de9ad532e663df1b38a96a2cc6a279c102d4a4b603a3d863a2db5c307e4e6e6866035e407fd3adccd0f3018390998118b8af06756b8b9099fc3246576

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f33bc090e12ca0f3e264f5f3071d8d6c

SHA1
8b4cc1e28109b78f4e76fa8ac70dac30c56aa34d

SHA256
a0176c66430993939f6f8b69635d20888c53ce8e43c8c13cf9e6d061f9c6c54e

SHA512
fd882ee6de974b70f184784c58060f9fb56f026b5e4952a2c9ef65ab543813f4fb5964544f0b1e617abd43570cbc9a35b98d776f0e8f8aa2017750684e046c70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7a3fc933dd985aacdb00ef9d0e6baec

SHA1
682795587c016eb830703529d950661504de16e9

SHA256
c0aeffd377bd82c613ed761e60b45c4851b89c57b4fcf5b11c56afddd8706b6a

SHA512
563533c5720d89c031df358194874406cc5b668e343ab4fd449b0ee3fbc4922316a8a5373e1bc1a49cab7cb292ce8d7831cc2e92186712920b2391f0696fc360

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49c9d78e3353d42885288306f686baaf

SHA1
1d93ac5888609ebcce82be9cc8d9d31873d202ed

SHA256
5a56f5f151b21b03fea066f79f8e16c370f83f8b3d4e12e9143bfc7d00edd572

SHA512
9c279f9051304ce45916f610c7235e02fff9dfdf356fac290970d62805110a46d2594a56429df0895322daf8f4e355209e315c02782a27d6e162328c2e92d0e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ad921ea52f55a9f8b1816bc8956e86f

SHA1
fdc17a27a21f5d191ddd5baf31ca6ac99227e082

SHA256
9cd5f7f690a1eb44337a462bc9cf9e13d167fedf7dee79106d53826afecf54e4

SHA512
679174e3368d3cec490a45b692bca33e54d9d5b63a98cb642c1a0aaa3e0bf2c1de9238cb05e25beab78fef9b9c2bf450921eb2f77752398c767c662d2b8b3e9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2eec67655133674eb990bf32fdac0cd2

SHA1
7480f345054f3c044b27537796ce039fadb29eba

SHA256
79a4f2201e093e61e65760e47a33416ab1c4074412c20d89f0f120974f01c13c

SHA512
1db97bca4d5fd2de4fb7be20f7fc9e36b402880220fbd85c3adac254a2b2810c6fd4fb73b8b751762c4e3cb3a5e47dfb888323e0b33da6d62b54b3e767e8b331

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84e7ccf29a3db6b7479ee5c34243ddbc

SHA1
4f7f536ba1488895d2d1087514945015d99fb50f

SHA256
c1a15391d0131e2a19da2f3ca23725945847ccd19959453146fea73ef6fb7564

SHA512
cfa9d6a538df400d8c2b8f8eb290d413ca221c46a10e4d4fc5a2b10387cc43e6b8e335615ce83a7e5649a272b407286a7f9f1b3eddae5e2750c6bac858d1a2bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52c9c800e34986928b16f26764e376de

SHA1
77c87a90f0e1c2e636ac04628d08664e9ff8b4c4

SHA256
d84f8c70a093612eaf8cd08a71a66daf1e24d5733e740d8f08878817ba2090f3

SHA512
c7d06658e048604eb5080927000b3a196e4ad4fe114b3f5eaa06b9eb3801c0fc7c81d291669ec78b639374475a3cc0f20b37dfe5ccd8f18ad426ade4d031e0d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
efdfa6fdcb295b1636456f4f217d9587

SHA1
96902c6ce5cdcfd9bf90c2dc96c168ca2956c68d

SHA256
dde93923e40cef1bcbd86d26e28776ab68edcbe11f1c910e084cfccdb878098c

SHA512
c4c536bc3f7014baf421f1080660df04e5e8c7d1dc591fda99aa67363d40b2670ac4d2d238bed488f346fa049d955d8cd71d86dd9e723fcc7c197a4af4797d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5AEE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B9E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\SysWOW64\mscrss.dll

Filesize
78KB

MD5
08f4630083d62f434b711163b4092e9f

SHA1
54db118f337aea546748b3a0866255d48742a4f6

SHA256
2150501d80d1779550f285d437d461fe63841bd3b7f1b330b85d543972c2ebf1

SHA512
adb57b34dc4fc660be5ceffdad883fc3b03cdeb769125c1ddf593486c30952b6408b41f3e5aabd53d6f063c023a11b32010b974ebfc6924973cfa955744be13d

Download Submit
memory/2152-12-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2152-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download