Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2024, 00:28
Behavioral task: behavioral1
Sample: b3539ef19c283d0c8fc86e19ee189789.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: b3539ef19c283d0c8fc86e19ee189789.exe
Resource: win10v2004-20240226-en
General
Target: b3539ef19c283d0c8fc86e19ee189789.exe
Size: 75KB
MD5: b3539ef19c283d0c8fc86e19ee189789
SHA1: e8b4cd1651d0a598d8438d8c418fa495b2fe9dfc
SHA256: 6c42936a3622c445249955ded10f6ecf2a9bcbfadd9aa825d58f842b4871e453
SHA512: d6281650bb03cabf057ad0927d2af6b612fe77f2e7c1e192847e9c922c63069548d38001d212c2739641a7fe9449b9e7f755cd8949416a66f7c295e3bd635338
SSDEEP: 1536:D6fAkH51RDm+4ljVokwZR3t8pk4X9wucneMcyi8uUNXEk:651RDm+45VonZhkHwucnyEV
Malware Config
Signatures
Deletes itself 1 IoCs
  pid 1980, process cmd.exe
Drops file in System32 directory 1 IoCs
  File created: C:\Windows\SysWOW64\960c6fd92b.dll, process b3539ef19c283d0c8fc86e19ee189789.exe
Modifies Internet Explorer settings
  All entries below are under \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\ and were made by IEXPLORE.EXE:
  Key created: PageSetup
  Set value (str): Main\FullScreen = "no"
  Key created: DomainSuggestion
  Key created: BrowserEmulation\LowMic
  Key created: LowRegistry\DOMStorage
  Key created: Zoom
  Key created: Main\WindowsSearch
  Key created: Recovery\PendingRecovery
  Set value (int): Recovery\PendingRecovery\AdminActive = "1"
  Set value (int): Recovery\PendingRecovery\AdminActive = "0"
  Key created: Main
  Set value (int): Main\CompatibilityFlags = "0"
  Key created: LowRegistry\DontShowMeThisDialogAgain
  Key created: Toolbar\WebBrowser
  Key created: Recovery\AdminActive
  Key created: Main
  Key created: SearchScopes
  Set value (int): DomainSuggestion\NextUpdateDate = "415760404"
  Key created: GPU
  Key created: IntelliForms
  Key created: LowRegistry
  Set value (int): SearchScopes\DownloadRetries = "3"
  Key created: Toolbar
  Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
  Key created: IETld\LowMic
  Key created: InternetRegistry
  Set value (int): Recovery\AdminActive\{585A4881-DA87-11EE-A4DC-6EC9990C2B7A} = "0"
  Set value (str): Main\WindowsSearch\Version = "WS not running"
Suspicious use of FindShellTrayWindow 1 IoCs
  pid 2804, process IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
  pid 2804 IEXPLORE.EXE (2 events); pid 2696 IEXPLORE.EXE (4 events)
Suspicious use of WriteProcessMemory 13 IoCs
  PID 1888 (b3539ef19c283d0c8fc86e19ee189789.exe) wrote to memory of PID 2804, procid_target 29 (5 events)
  PID 1888 (b3539ef19c283d0c8fc86e19ee189789.exe) wrote to memory of PID 1980, procid_target 30 (4 events)
  PID 2804 (IEXPLORE.EXE) wrote to memory of PID 2696, procid_target 32 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe (PID 1888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2804, child of 1888)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2696, child of 2804)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 1980, child of 1888)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$30689.bat
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads