Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 09/03/2024, 17:00

Behavioral task: behavioral1
Sample: bc54f449dddb5d15b7a88925f553aaca.exe
Resource: win7-20240221-en

General
Target: bc54f449dddb5d15b7a88925f553aaca.exe
Size: 191KB
MD5: bc54f449dddb5d15b7a88925f553aaca
SHA1: e98d1a38767acc69224c3ff32a6d7c641600d633
SHA256: 8f0492ae01287477199227a50bb93edbece08aa065a0dfbcbaff95a898ac0799
SHA512: 23e727eee3c5c52aa83c297ae7a0e08c628ac39e73536bb17c487b155b94f610b3027e5f648046b8c7d93bae3cda88868785d22a34fb1d2e63e6f96df7e7ffb5
SSDEEP: 3072:FdTejYQcRkBtZy/kqtcGxekIQ8bqJLSjDexH0THKLW15Y5dyO5SDLm9qJV8Vd1vt:PWfUkBPyrtBxgQTMK0TKpxS3H8j0bm
Malware Config
Signatures

resource | yara_rule
behavioral1/memory/1652-0-0x0000000000400000-0x000000000056B000-memory.dmp | upx
behavioral1/memory/1652-493-0x0000000000400000-0x000000000056B000-memory.dmp | upx

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bc54f449dddb5d15b7a88925f553aaca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e094384d4372da01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416165471" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{78BA5631-DE36-11EE-8A46-EA263619F6CB} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000b8059f1cd0783797d6efc8f2622cf82cb7d51899dd958ed371e50a04bb4a33c4000000000e8000000002000020000000ad33edb864704ae271bb30fbccd9acea03723bd9e39e9630a6d3811ab069bc2c20000000f826df088470ee1cceb39c1883af6ddafa18e9a691bae94feb121cb340cf6abf400000007e3772fea564cd4853fc8932a24bbed13b3b92583381d89ad81f8223ce8052c21e247c64a8101a77d4720688d51a4f3967c47c8815d43cc49b14dc9e2f0c54f8 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | bc54f449dddb5d15b7a88925f553aaca.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2592 | iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
1652 | bc54f449dddb5d15b7a88925f553aaca.exe
1652 | bc54f449dddb5d15b7a88925f553aaca.exe
1652 | bc54f449dddb5d15b7a88925f553aaca.exe
2592 | iexplore.exe
2592 | iexplore.exe
2860 | IEXPLORE.EXE
2860 | IEXPLORE.EXE
2860 | IEXPLORE.EXE
2860 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1652 wrote to memory of 2592 | 1652 | bc54f449dddb5d15b7a88925f553aaca.exe | 28
PID 1652 wrote to memory of 2592 | 1652 | bc54f449dddb5d15b7a88925f553aaca.exe | 28
PID 1652 wrote to memory of 2592 | 1652 | bc54f449dddb5d15b7a88925f553aaca.exe | 28
PID 1652 wrote to memory of 2592 | 1652 | bc54f449dddb5d15b7a88925f553aaca.exe | 28
PID 2592 wrote to memory of 2860 | 2592 | iexplore.exe | 29
PID 2592 wrote to memory of 2860 | 2592 | iexplore.exe | 29
PID 2592 wrote to memory of 2860 | 2592 | iexplore.exe | 29
PID 2592 wrote to memory of 2860 | 2592 | iexplore.exe | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\bc54f449dddb5d15b7a88925f553aaca.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bc54f449dddb5d15b7a88925f553aaca.exe"
   PID: 1652
   - Checks whether UAC is enabled
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Internet Explorer\iexplore.exe (child of PID 1652)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://d0.fenomen-games.com/files/MyTribeDEMO.exe
      PID: 2592
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 2592)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2
         PID: 2860
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 67KB
MD5: 753df6889fd7410a2e9fe333da83a429
SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 0927d4adcf6b4c1e78dfffa5558ef658
SHA1: ae36982aac6e59946ce96199671570ee0fe8736c
SHA256: 1173e0460a175041dda7cc3cd80c81c3b5d3191d4589a7dad55e3d6c6f839fba
SHA512: d22e44868e679f2190d3c5d80cd44a84d6ab6ffd76e0527949d13135313a8d39a8ca144b4104166c3adea8ef17e443e0ed8dc1b6e515dca476e8ed3ffa0ea4f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 8b4723aa91920cacc68d0896a820b4dd
SHA1: 1cd057ba1d5fe79de8c8455985a5585a939b6a4e
SHA256: b4796406757c795e542c2f123d9fdb4288d8e23ec5ba6f5105d0d6d757071e24
SHA512: b82553c3bd730b8606533d4f6f4e402ff4da90157671100deef4ab81afc8b0987c307a7edaacbee8a9786566613c31aaa7ce88e0b353cd4e23179f27c3ac77ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 7440506a8040ddb6ef7e958f9b3e2fd9
SHA1: d5dee2970dd4bb5ede2f1aa7827c7d170402aa52
SHA256: efc96cf0e7cc5c799e5a0674794b2e5e4ed235c21cfc3e314c4d1b5b4485de26
SHA512: dab954aca850bb3ae23cbcc18479fc9b57ff46832c083f053a2fd5b672cf2b7553c86e1ffdabb6b17b032760dc81e9aba9f9151f1668e3fc0730340e18e58a0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 022575682d44a2dafeefd68a72188b1b
SHA1: cff19476d6a7dcbc7346cd517d1bb36c99f36a66
SHA256: 485f35d5a4a24da1283e41e12ca0e2a33cf13ea4028119505d27047ed3079275
SHA512: c1f073e1f0519a572818626911ccc5a45b48896a10fd6291338cfebf3147c145d4103fc99da13608426c9e9997229cedb3d522c3b7e178bbd0f93a49b190aca5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 3e6dc76c8e7b6239a01cfe509343c7e6
SHA1: 2ea9382b521624660fb365c5a55d646239b5e1a8
SHA256: 6c4a98fcb20b3f6b4afd020aea1475eee9df59c50774d502869425092583bddd
SHA512: df50ac9bc0bf160958f64169bcc1a68646a2069dc92e052cd5fc28eb8b4ea24fa9fb92001c5c1e6ba9d9181d87f7eeb31bfc7b1e8fdb73053f896616527f7337

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 20853b53e1f8da36725dc5461872a2c3
SHA1: 731e6f9caafd4a182413c43c1e18958e42d28d59
SHA256: 2289db5829fe7b93c13fd6a657980232b8e840a4a043206ba130d8559b1b357f
SHA512: a95f3b6c6f9b0924a2c929a05cdd0aaa555b8b9a13fade0522300c6fa347e4f793ec32e7e37430f254faf5963d04f3ce59f8624e24bc27ad498e0b428587f032

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 22d837198875c52af230587316af0639
SHA1: 67b1f316403e1f15012d96388837be31b54b8bc4
SHA256: 0b1507fe4e2f796ef88a055051099f303ad36d89a0014f9e9fbc1679ed85b6a5
SHA512: ae94b4f487d926051aa9be6167d16a7fbb67ad845bdb3ceef25ce08cf14f098876a0c055448b048c6977b036194fc4595fea19e3dce8057652d95131801849fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 74f4ba06843a36d5d6096d5dafbffc78
SHA1: 34fb6cefdf2b1075aa25b6db3ddb672e2611a792
SHA256: 051bb1ed8f957a646bc3b3ba6befcf7bfddc9cf92fa4d38e262cd72f5c6203c3
SHA512: 23a092fdd49306b01ccd98241fc36fd23dbf0375470a62a1cd0dadf1b808f21e24f5bdecf561c309f9e33966f544df7e91620a4e6974e9c342e34bbe5b911533

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 0f422b0baed2b98f7aa279ae225b531d
SHA1: 4bc0b7786b703f5961514e77b1eca26a486fdc55
SHA256: 2a4182798a99d51b404a55dc53757cc8df811e1f1b82fa7d2fafc33e9bd80bd8
SHA512: 1753897f6c5c3faba64185bc3f8f6c82eae4a0f8fcf248962f3f1fde04e02c3e0f725d7d7db8d30ff60d92594c035f8362aed7fcb45c16dd0ef588e792e3baa0

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 175KB
MD5: dd73cead4b93366cf3465c8cd32e2796
SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63