Analysis
-
max time kernel
66s -
max time network
55s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02/03/2024, 16:30
Static task
static1
General
-
Target
-
Size
14KB
-
MD5
19dbec50735b5f2a72d4199c4e184960
-
SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822
-
SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
-
SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
-
SSDEEP
192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 [email protected] -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{55530311-D8B2-11EE-A2A2-5A791E92BC44} = "0" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2716 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2716 iexplore.exe 2716 iexplore.exe 2844 IEXPLORE.EXE 2844 IEXPLORE.EXE 2844 IEXPLORE.EXE 2844 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2892 wrote to memory of 2436 2892 [email protected] 28 PID 2892 wrote to memory of 2436 2892 [email protected] 28 PID 2892 wrote to memory of 2436 2892 [email protected] 28 PID 2892 wrote to memory of 2436 2892 [email protected] 28 PID 2892 wrote to memory of 2948 2892 [email protected] 29 PID 2892 wrote to memory of 2948 2892 [email protected] 29 PID 2892 wrote to memory of 2948 2892 [email protected] 29 PID 2892 wrote to memory of 2948 2892 [email protected] 29 PID 2892 wrote to memory of 2452 2892 [email protected] 30 PID 2892 wrote to memory of 2452 2892 [email protected] 30 PID 2892 wrote to memory of 2452 2892 [email protected] 30 PID 2892 wrote to memory of 2452 2892 [email protected] 30 PID 2892 wrote to memory of 2484 2892 [email protected] 31 PID 2892 wrote to memory of 2484 2892 [email protected] 31 PID 2892 wrote to memory of 2484 2892 [email protected] 31 PID 2892 wrote to memory of 2484 2892 [email protected] 31 PID 2892 wrote to memory of 2536 2892 [email protected] 32 PID 2892 wrote to memory of 2536 2892 [email protected] 32 PID 2892 wrote to memory of 2536 2892 [email protected] 32 PID 2892 wrote to memory of 2536 2892 [email protected] 32 PID 2892 wrote to memory of 2556 2892 [email protected] 33 PID 2892 wrote to memory of 2556 2892 [email protected] 33 PID 2892 wrote to memory of 2556 2892 [email protected] 33 PID 2892 wrote to memory of 2556 2892 [email protected] 33 PID 2556 wrote to memory of 2500 2556 [email protected] 34 PID 2556 wrote to memory of 2500 2556 [email protected] 34 PID 2556 wrote to memory of 2500 2556 [email protected] 34 PID 2556 wrote to memory of 2500 2556 [email protected] 34 PID 2556 wrote to memory of 2716 2556 [email protected] 36 PID 2556 wrote to memory of 2716 2556 [email protected] 36 PID 2556 wrote to memory of 2716 2556 [email protected] 36 PID 2556 wrote to memory of 2716 2556 [email protected] 36 PID 2716 wrote to memory of 2844 2716 iexplore.exe 39 PID 2716 wrote to memory of 2844 2716 iexplore.exe 39 PID 2716 wrote to memory of 2844 2716 iexplore.exe 39 PID 2716 wrote to memory of 2844 2716 iexplore.exe 39 PID 2716 wrote to memory of 2500 2716 iexplore.exe 41 PID 2716 wrote to memory of 2500 2716 iexplore.exe 41 PID 2716 wrote to memory of 2500 2716 iexplore.exe 41 PID 2716 wrote to memory of 2500 2716 iexplore.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2436
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2948
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2452
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2484
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2536
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]" /main2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵PID:2500
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275478 /prefetch:24⤵PID:2500
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57c2e280f9f756479cd13fcd888917241
SHA1603acd133289246f52ff48b064fe44674211d121
SHA256415394770bbd89afef1668268f604a82d36d85bb270a9027288ee97a8c7eaf87
SHA512ba2471013b042a0bd8efb97e92e2c7e76e1ecd670d41f97d1775dc2a0e79e513bd4acecf723780260d7236b138026aa496242be4143434582544a4c34ceab35a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a01c8b7dd7ad98e668604998ee62e8c1
SHA1b952a83692fe63ed65bd1305981443baa1475a25
SHA25647afe2b555182f26f1bce438d9999cfbe3cc55fbd37f99c456ebc39a0058cfd7
SHA51244180fa74f0b0904318b999d57aaa9c9c532f0d2d5e7bf08e414b051c384af7a3de2f1a29340e6d7f9c95f5577d0c665ab538f66a484bef26a7501fc559dbcf8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d621c36f1497a3250f627dea0a5ca441
SHA10d205de154363f18bbbe4ab235c3414ddd0b12ea
SHA25631c9d8b4e307076b0b4dc594604dde951d5bcf13c8f47a140c492d94e37bbb76
SHA512327a9e59df1b3d3ce6cc2c5f19e0dea55a9ac87f5e44b724cbe34f7de6dbedfc00e71891d476e3ee6bf4f88403f72ea049a3c8ea501818408b1cbda43a44d957
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5eef2a8c458573e224ca98a9a2076329c
SHA198620654bc39ff4333740dc7c3261bbbf9d3bcd1
SHA256cd34b834775bb81f3eeb6da97dcd90dd92315323d32765e8d4d09b04a3669ba4
SHA5127d4fd6c81f2c3fa179fe05d8f9c527fae5e3d96aa1ba35f6c47ef923952fa89aaeac13f3dc5ac3ac0897b20be6f8f29394828e078129e6d867135e13485adc0b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD52bdaf2f19eb0e2cee35074913c0d4c86
SHA17103a46aee7c0cdd720fe9fbd3894091943f63ca
SHA2560a44d4dcc756b2215afd86f23d17204472d1bff89793175609690e8bd460fc21
SHA51287c5b0c3cbcadfd9da71495414582a3930dfa6393952e50ac8af3e25d4af37b05735ab0585fd6c41d0b6841b33818d47c7c03659ea3e5510b1f4c645b452e8f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD568d6975e5ad0e0645a0654a97a1366a2
SHA15aad069d90846cf3094bd73322f515b816573935
SHA256f02b1311197406d2923ced4dbe26c38984ae28d0e86526b04f8feadd0b844e1a
SHA5120a715e3bcb917227d9acec02aa1e3aa9a7548400b540abeb77d5d249c1ec344d258b739aa3d950ddc9754722315e7c129eb9eed9f0faad9397df296347de7390
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5dca715621d9ab9fa6d7464ee816018d8
SHA144a59b1156b8c6a311e7a94970b4f2f64846c3e6
SHA2565b27fd0ff81719ce915a2404d9588dfa2e82e735731fff4bdfde367d6be58c1d
SHA512370867262a4106a6d2dcd1965193e84aad9175bbe1f649b4b865b80bc1c01be56e7d0e5cca524f300dfd69b43636aad897de6ee0f83cca88d0e91031d6d0eb9b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5646090ca4a4cf840bebeeb575c22b7e7
SHA136c38188e175cda49b71103782da83e4c0299ac0
SHA2563293fe33d8400932b8dabe935fcc492bd353e1339fb47c7c66d64dc0a60cbe3e
SHA512437e6201bb9659a94d2da86b6300493217862efd7bd47b07d4f95d2fee8247da30a844f81cc0ab735442c42b09d015082740d86569a143444b7dbe8a73dba58e
-
Filesize
5KB
MD5f89edce68188e15339acff7446440a02
SHA1b5f6f7e75425af91ad8a4b8b6188f06510f99ecd
SHA256aabb09d1ea84b5db762242b128ecf705bca5cdab40898de39304d1012e240b51
SHA512188617bc280577d15f01139e9a8b2b0dacd82ba6ebb1fae13f931a2e3000fc4ec7d291d1beec2c5033905f923a6df0716afec8818c670ff97d0275572629383a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8HPZEQOB\favicon[1].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FF5J0ZJ9\recaptcha__en[1].js
Filesize491KB
MD5884d00314602d7cb55bbcd2e909f7310
SHA1dcb353b63aefc091523915f4562a819c31463611
SHA2562c6a3425cec9ba0cbcfcf1dbba2120a72ac369674a6d02e06bd3b0c16efbdcf7
SHA51250091f9e37dcf299bc8cf9cfeed4e71709011713ca0701be0ff79c4fb42699c9f9894cbc3a0819b3fece4f698c2201d403b987e6a76a259fbf58fb19e493b87c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KS3HRGDJ\styles__ltr[1].css
Filesize55KB
MD5eb4bc511f79f7a1573b45f5775b3a99b
SHA1d910fb51ad7316aa54f055079374574698e74b35
SHA2567859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050
SHA512ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf