Analysis

  • max time kernel
    119s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-03-2024 17:57

General

  • Target

    dc425d638aaffd968f4d6c20d473d7d2.exe

  • Size

    194KB

  • MD5

    dc425d638aaffd968f4d6c20d473d7d2

  • SHA1

    154f0ca267d764cea5fd794c425bc516465a88f4

  • SHA256

    75e2c27c5d49e3236c834c602953faa2a9a6c86223227090be80f8c2671c64ed

  • SHA512

    c62a7e45556aec1b080a0ebf65cd13260eb58c3e5f732ec527d611c54f818ad0392cdbb5b48155003dae1ea8a3fbda54d51d4bb9e56d86c58305969cfdaf947a

  • SSDEEP

    3072:HNyah0mJB+ckpBVo3AtOqNFsqbinOMy31OBh7EcnJiYVfoQ9vPy2wxRc3LYql6CB:Hw5hB2Q4qN5jMy33ALVAQ9v6dA3LYC3x

Malware Config

Signatures

  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system.

  • Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)

    BHOs are DLL modules that Internet Explorer loads into every browser process as plugins; registering one gives the sample code execution inside the browser each time it starts, which is why this counts as persistence.

  • Drops file in System32 directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 35 IoCs)
  • Modifies registry class (10 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)
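
The registry-backed signatures above (Run key, Browser Helper Object registration, registry class changes) can be checked offline against a registry snapshot taken from a suspect host. The script below is an added example written for this page, not sandbox output and not code from the sample: it walks the Browser Helper Objects list in both the native and Wow6432Node views, resolves each CLSID to its InprocServer32 DLL, scores the DLL's name and location, and flags Run values that go through a loader such as regsvr32. The snapshot is constructed: the CLSIDs, the Contoso control entry and the Run value name and command are invented; only the DLL path comes from the regsvr32 command line in the report. Because the 32-bit regsvr32 on the x64 VM writes under Wow6432Node, that is where the suspicious entries are placed.

```python
"""Hunt for BHO and Run-key persistence in a registry snapshot (offline, constructed data)."""
import re

# Constructed snapshot in the shape of the keys this sample touched.
# Layout: full key path -> {value name: data}; "" is the (Default) value.
# Assumptions: the CLSIDs, the Contoso control entry and the Run value are invented;
# the DLL path mirrors the regsvr32 command line in the report.
SNAPSHOT = {
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    r"\{11111111-2222-3333-4444-555555555555}": {"NoExplorer": 1},
    r"HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32":
        {"": r"C:\Windows\system32\qxsjwegagyniix.dll", "ThreadingModel": "Apartment"},
    # benign control: a vendor BHO installed under Program Files (invented)
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    r"\{22222222-3333-4444-5555-666666666666}": {},
    r"HKLM\SOFTWARE\Classes\CLSID\{22222222-3333-4444-5555-666666666666}\InprocServer32":
        {"": r"C:\Program Files (x86)\Contoso\ContosoIeHelper.dll"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "qxsjwegagyniix": r'regsvr32.exe /s "C:\Windows\system32\qxsjwegagyniix.dll"',
        "Sidebar": r'C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',
    },
}

BHO_ROOTS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)
CLSID_ROOTS = (
    r"HKLM\SOFTWARE\Classes\CLSID",
    r"HKLM\SOFTWARE\Wow6432Node\Classes\CLSID",
    r"HKCU\Software\Classes\CLSID",
)
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
)
LOLBIN_LOADERS = ("regsvr32", "rundll32", "mshta", "wscript", "cscript")


def longest_consonant_run(name):
    """Length of the longest run of consonants (y counted as consonant); random names score high."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", name.lower())
    return max((len(r) for r in runs), default=0)


def dll_path_reasons(path):
    """Heuristics that make a BHO module worth a second look."""
    reasons = []
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if longest_consonant_run(stem) >= 4:
        reasons.append("random-looking file name")
    low = path.lower()
    if not low.startswith(("c:\\program files\\", "c:\\program files (x86)\\")):
        reasons.append("BHO module outside Program Files")
    return reasons


def resolve_inproc(snapshot, clsid):
    """Map a CLSID to its InprocServer32 DLL, checking native and WOW64 registry views."""
    for root in CLSID_ROOTS:
        key = snapshot.get(f"{root}\\{clsid}\\InprocServer32")
        if key and key.get(""):
            return key[""]
    return None


def find_bhos(snapshot):
    """Every registered BHO with its resolved DLL and the reasons it looks suspicious."""
    findings = []
    for key in snapshot:
        for root in BHO_ROOTS:
            if key.startswith(root + "\\"):
                clsid = key[len(root) + 1:]
                dll = resolve_inproc(snapshot, clsid)
                reasons = dll_path_reasons(dll) if dll else ["CLSID has no InprocServer32 (orphaned)"]
                view = "wow6432" if "Wow6432Node" in root else "native"
                findings.append({"clsid": clsid, "dll": dll, "view": view, "reasons": reasons})
    return findings


def suspicious_bhos(snapshot):
    return [f for f in find_bhos(snapshot) if f["reasons"]]


def find_run_entries(snapshot):
    """Run values that launch through a loader binary or point into a Temp directory."""
    findings = []
    for run_key in RUN_KEYS:
        for name, cmd in snapshot.get(run_key, {}).items():
            low = cmd.lower()
            reasons = []
            if any(loader in low for loader in LOLBIN_LOADERS):
                reasons.append("Run entry goes through a script/DLL loader")
            if "\\temp\\" in low:
                reasons.append("target in a Temp directory")
            if reasons:
                findings.append({"key": run_key, "name": name, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_bhos(SNAPSHOT) + find_run_entries(SNAPSHOT):
        print(finding)
```

On a live host the same logic runs over a `reg export` of the keys listed in `BHO_ROOTS`, `CLSID_ROOTS` and `RUN_KEYS`; the Wow6432Node views matter on x64 because a 32-bit regsvr32 never writes to the native CLSID tree.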

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc425d638aaffd968f4d6c20d473d7d2.exe
    "C:\Users\Admin\AppData\Local\Temp\dc425d638aaffd968f4d6c20d473d7d2.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\qxsjwegagyniix.dll"
      2⤵
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:2632
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2652
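
The process tree is the more telling half of this report: a dropper running from %TEMP% silently registers a DLL with regsvr32 /s, and Internet Explorer is later started by COM activation (-Embedding) and picks up the BHO. Note the image path: the command line names C:\Windows\system32\regsvr32.exe but the process that actually ran is C:\Windows\SysWOW64\regsvr32.exe, which is WOW64 file-system redirection acting on a 32-bit parent (the nso12C8.tmp\System.dll artifact in the file list is the NSIS System plugin, so the dropper is a 32-bit NSIS installer). The same redirection applies to the DLL the dropper wrote, so on this x64 VM the file is expected under SysWOW64, and a hunt that only looks in System32 from a 64-bit shell will miss it. The script below is an added example, not part of the report: it applies a lineage rule (regsvr32 /s whose parent lives in a user-writable directory), normalises the DLL path for redirection, and correlates it with later image-load events. The events are constructed in Sysmon shape (EID 1 process create, EID 7 image load) from the tree above; the dropper's parent, the svchost parent of iexplore, the image-load event for the IE tab process and the Contoso control case are assumptions.

```python
"""Correlate a Temp-launched regsvr32 /s registration with later loads of the same DLL."""
import re

# Constructed Sysmon-shaped records mirroring the sandbox process tree.
# Assumed: ppid/parent of the dropper, svchost as parent of iexplore -Embedding,
# the EID 7 load in the IE tab process, and the benign Contoso installer record.
EVENTS = [
    {"eid": 1, "pid": 868, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\dc425d638aaffd968f4d6c20d473d7d2.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\dc425d638aaffd968f4d6c20d473d7d2.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"eid": 1, "pid": 2632, "ppid": 868,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r'"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\qxsjwegagyniix.dll"',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\dc425d638aaffd968f4d6c20d473d7d2.exe"},
    {"eid": 1, "pid": 2600, "ppid": 600,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding',
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"eid": 1, "pid": 2652, "ppid": 2600,
     "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmd": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2',
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"eid": 7, "pid": 2652,
     "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "loaded": r"C:\Windows\SysWOW64\qxsjwegagyniix.dll"},
    # benign control: an installer under Program Files registering its own COM server (invented)
    {"eid": 1, "pid": 3001, "ppid": 3000,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Contoso\ctsoext.dll"',
     "parent_image": r"C:\Program Files\Contoso\setup.exe"},
]

DLL_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.(?:dll|ocx))"?', re.I)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\", "\\programdata\\")


def is_wow64_image(image):
    """A process whose image lives in SysWOW64 is 32-bit code on an x64 host."""
    return "\\syswow64\\" in image.lower()


def resolve_redirect(path, from_wow64):
    """Path as a 32-bit process on x64 actually touches it (WOW64 file-system redirection)."""
    if not from_wow64:
        return path
    m = re.match(r"(?i)^(c:\\windows\\)(system32|sysnative)(\\.*)$", path)
    if not m:
        return path
    real = "SysWOW64" if m.group(2).lower() == "system32" else "System32"
    return m.group(1) + real + m.group(3)


def registered_dll(event):
    """DLL path from a regsvr32 /s command line, or None if this is not a silent registration."""
    if event["eid"] != 1 or not event["image"].lower().endswith("\\regsvr32.exe"):
        return None
    args = re.split(r"(?i)regsvr32\.exe", event["cmd"], maxsplit=1)[-1]  # drop the program token
    if not re.search(r"(?i)(^|\s)/s(\s|$)", args):
        return None
    m = DLL_ARG.search(args)
    return m.group(1) if m else None


def suspicious_registrations(events):
    """regsvr32 /s launched by a parent that runs from a user-writable directory."""
    hits = []
    for ev in events:
        dll = registered_dll(ev)
        if dll is None:
            continue
        parent = ev["parent_image"].lower()
        if any(p in parent for p in USER_WRITABLE):
            hits.append({"pid": ev["pid"], "parent": ev["parent_image"], "dll_as_written": dll,
                         "dll_on_disk": resolve_redirect(dll, is_wow64_image(ev["image"]))})
    return hits


def loads_of(events, dll_on_disk):
    """Processes that later mapped the registered DLL (Sysmon EID 7)."""
    target = dll_on_disk.lower()
    return [(ev["pid"], ev["image"]) for ev in events if ev["eid"] == 7 and ev["loaded"].lower() == target]


def correlate(events):
    """Each suspicious registration, annotated with the processes that loaded its DLL."""
    out = []
    for hit in suspicious_registrations(events):
        hit["loaded_by"] = loads_of(events, hit["dll_on_disk"])
        out.append(hit)
    return out


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

The parent-directory rule rather than the bare presence of regsvr32 is what keeps the Contoso installer out of the results; software that ships a COM server legitimately registers it, but it does so from Program Files, not from a user's Temp directory.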

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    4d69d56109bf678868241d7deb3da1fb

    SHA1

    469ecf1cbb31fe667e46d5c66ccfc91d501b662d

    SHA256

    127e4b8235cfb7be8ac7133bab619ff55def3fe8cce9561ec1520e3b86c913b4

    SHA512

    b408447181cd1e00982dcbc0bcffedd83cf9163f0463376b33f71e2a34401769a57baee0f561bf82728a2d53eae18fdcbecb6cc9038b839f43ac58b4bf36df50

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    32a7641864269143db696207e62312fc

    SHA1

    3643c0363d9a45ac3d5f34f907ddaf6c849c6ce2

    SHA256

    320ed09cab1cf1e99a788ae96656199a1a6a46dae46aebe5cba0e3457bc75562

    SHA512

    9e7ae70f1312080582a8359cd080c1f806ac06f4b933d99f05b79ccbf7e1a0d30e94e87775382c469d0792fcf6f8c0f8921c6dd47172247310d87384569a5582

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    9c1201aa3381a4afb9685f7f19cb2ab3

    SHA1

    683b669fdc0f6fd1be7f4334159cd358c0c41f16

    SHA256

    b0b69b6207e0f5757cea2c8a79bf8d2e6379c1ff32c53ec73ca91c036407b02e

    SHA512

    f0556bcf13dbdb599f5f44270f8e644c452aad6bbf294c1a4e65101b1bdda2938e870f4b650addb0132236c2a1c72270115e0f2486e881376375cf999048985f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    4df975404f01b74a22780abbe2c09ee3

    SHA1

    89753d604a2a45684c6b8921e7f15a3973134669

    SHA256

    6add5f9fb1d9ee845d0e018231c8ddf244ab9060d26dc4d3875c1463a806a97d

    SHA512

    ec40ecd6d1fe471cad678719fac39b56f87d7356e271e0bd973eea81926019cc5def437a83071c5cdb0fbf8012b0020dbe8dae429e8561c516b3b31df34bb318

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    f7670bd6294817ef046d125aa94892c2

    SHA1

    8b2db1445256d2e5a7667a74cf4c4685a58bca37

    SHA256

    12fdb7ca7eefbaa71f467c2395e8425c7ea58055b7ee77632cc1cc6d6f3821df

    SHA512

    75a24ec6f659fd938a78f315bb1bd8878585950553ff8851a296bffb7b3e3f0599e6e80f08290b3a837d460f2b09e8984c95d40943a9c7b0574b0125c65f8dcf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    e8b3a8b0b6b44b0a80a518aec956ccfb

    SHA1

    e6c9136afccc49accbc5750133c62550ea7659e1

    SHA256

    be1d5bb9bc30a17a283ca5bcab871982e6257fb46e5b63aba1368ed79a043154

    SHA512

    2d141941aaac84b471aeb99630a3a4cb33faa2cab36485855735419eca95e5fe9ebb7f10bf129ef5c5c96f44c84238301c6aab491bae6f11c5efeea16d8f0e38

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    08febe663e606f8679127d0386f11a1c

    SHA1

    88ad6d785471330c524018e93bdc69db2ee700f6

    SHA256

    dec5d5f923b6c939c765dd4f368001028c85504c6509ed4accf9323c19e6af55

    SHA512

    3728016f31a18fd0d74d25c50776016a5e2ac3b288ce75932a8c6e9718df3e807db9b100acd4445ccfcfc963bbe05a519267e96839652a447bd85b8381f6419c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    969b499ccc0de1393d0c71ce07998d85

    SHA1

    70a574da439c000bd5461fe07185bb7b890927fd

    SHA256

    ac0bcbe2523989c319a84ab20c33f870d3a49767ec9b30f5d7fb01394101adc4

    SHA512

    b7173f0c6289ee94d93751913344841de4d525367c390a56906962355bc14635275a7b49d8dc1f504bc8b205a2bb9c56b74a0fd028c224f330d95161f0b2b3f7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    7637c72a280cb343fcbbf98b6a310dc3

    SHA1

    adafe297c433bd7dfcb3f7cf6112ff2d936c6337

    SHA256

    f368f5eb3552f6deb2f5959b0b9cd981133d1acc1ebec9be662ef3b4313277e6

    SHA512

    9d6d635c75c0ce4886190244df09b47cb182511fdcae6a3293beeaca241925ad40ea2af9af3dbf0c7585a441b9f3489076cff43fdc81f23dbf86b9dcab077aee

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    bd269f2bfaa83432126bd3efe31e49a7

    SHA1

    90965652732fd29e76967c22241b9e905b2b4d0c

    SHA256

    5f861c25a5ab09210914671bc260fd91f084eabe626ffefa21f4c1c46d19765a

    SHA512

    2821df294ece3e78699e7c60407c913fd9582a380128f065d297327e8547712564ff15297897a7d08f1695bdba382b1205fca783ff84cc829cfab575dd9d99e0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    fed9eaa420dd508aa2b3b07d86c78a99

    SHA1

    f49cf8fa839e33726805a04c723104cb80bb48e2

    SHA256

    2c33b4e6465cc4523aefe9494d5e99e34a24961c23446ead5dcdfb1e3deedcc0

    SHA512

    ff7967c333319eae7ef635922d60e212d6436994d010c7f1ed767f9035168edf0c1423ba736174355470adb443c343ef71b241a2842250bd7515873bd90686f4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    81484a6f6c4bad2e95a8b83f19fa86d2

    SHA1

    cf2b2b097efd01e444eb8e464f48442a9c3b05b1

    SHA256

    cee0ef2e84603e4fd48c45482770e092ef69f14e6c723dd4528bbc08d17cbed1

    SHA512

    d42b86bedcccbc4d33955c5435108f72838587e468d02e61f16729384f707ec3767006ac017a99f8dff0dc66a17baf4a55d562cbea8cf15716f30a9fabaa2839

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    2a045380b6699c0bccc2d4e654dd1699

    SHA1

    f373ec443ce4aa81b63d33496d1eced7e65287d7

    SHA256

    440964fc7f517f352713de2527a46662f2239e3380457f08f9d389aa7f6d6610

    SHA512

    5b2a01875ca6691902dac437bc6fc82086f54916db8b298ba9c2edb1fdf5c47622e7b216eef00e9026530be9512a16735631e92c24f906e94cc1784f4e55468b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    d9e851907e15b2cf07070004954b5738

    SHA1

    9814df61b1b0293d6501e1e43599c6af8d8a7298

    SHA256

    b4db31d48028e97775b72ec3ecc593cffe564ef56e57beefa614706686313520

    SHA512

    860988872100edb3ebea77d4ee73d915167fa4a625de12a928316f05fe3b7c3f83cc7350f1651cb96c9b43cdbe9dc5fde5c6a9bac03117f7c5527bba96334045

  • C:\Users\Admin\AppData\Local\Temp\Cab3258.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar33E6.tmp

    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

  • \Users\Admin\AppData\Local\Temp\nso12C8.tmp\System.dll

    Filesize

    10KB

    MD5

    7e3c808299aa2c405dffa864471ddb7f

    SHA1

    b5de7804dd35ed7afd0c3b59d866f1a0749495e0

    SHA256

    91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd

    SHA512

    599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738

  • \Users\Admin\AppData\Local\Temp\qxsjwegagyniix.dll

    Filesize

    380KB

    MD5

    9ea41d845f06f65cc4f18c0c60a4a69f

    SHA1

    c3d119060bb7273798571d790d49cc1a2c890204

    SHA256

    edbe235ae1344856534b60a92a08d69ce8ef18c4656853340acbad2f4e70326c

    SHA512

    12fc02282533df30cf6ca5ca5973d746d9a4064877287a7247cfd39cdcb4dbf132526188d6f97033777e38431e3c4c76d54a291163c8e4241f0bffc4513727e0

  • memory/868-9-0x0000000002750000-0x00000000027B4000-memory.dmp

    Filesize

    400KB

  • memory/2632-24-0x0000000000280000-0x0000000000282000-memory.dmp

    Filesize

    8KB