Analysis

  • max time kernel
    139s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-03-2024 17:23

General

  • Target

    0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe

  • Size

    80KB

  • MD5

    44d5751464a4e0ae855ad82c87bdbcf3

  • SHA1

    fd7835fca8e86e42cfe5fe2aab99e320fd90fd1f

  • SHA256

    0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b

  • SHA512

    b94de8b5debfa6bb0917301f127eb47b783252c6ea9e8b10a5c9be33e4720ff39b8d7c346edcfa556685b9199071e6cf93408143e91e55b7a59fe23589e3d23a

  • SSDEEP

    1536:wasQx7dBLwhrkISRd2u+nlB2p8yBVejX1eYS:wa4kvd2uA/A7BVejXMYS

Score
7/10

Malware Config

Signatures

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 58 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe
    "C:\Users\Admin\AppData\Local\Temp\0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.thesexsquare.com/2/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:340993 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2520
    • C:\Windows\WgaDisp.exe
      "C:\Windows\WgaDisp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.thesexsquare.com/2/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_DelItW.bat" "
      2⤵
      • Deletes itself
      PID:3064
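The signature list and process tree above record a short dropper chain: the sample in %TEMP% writes WgaDisp.exe into C:\Windows, sets a Run value, launches Internet Explorer to a URL, starts the dropped copy, and finally removes itself through a batch file run by cmd.exe. The following Python is an added hunting example, not part of the sandbox report, that encodes those behaviours as rules over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) modelled on the tree. The parent PID of the sample, the SID in the registry path and the Run value name "WgaDisp" are assumptions, since the report does not record them; the ATT&CK technique IDs are the standard ones for Run-key persistence, file deletion and match-legitimate-location masquerading.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
Finding = Tuple[str, int]

# Constructed Sysmon-style events modelled on the sandbox process tree.
# Assumed (not in the report): parent PID 1200, the user SID, and the
# Run value name "WgaDisp".
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ae6904ea53c09910c189650a607ebd0163002fa27bdbbf10cb6fc2a42f4bb1b.exe")
EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 1932, "ParentProcessId": 1200,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 11, "ProcessId": 1932, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\WgaDisp.exe"},
    {"EventID": 13, "ProcessId": 1932, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WgaDisp",
     "Details": r"C:\Windows\WgaDisp.exe"},
    {"EventID": 1, "ProcessId": 2280, "ParentProcessId": 1932,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://www.thesexsquare.com/2/'},
    {"EventID": 1, "ProcessId": 2192, "ParentProcessId": 1932,
     "Image": r"C:\Windows\WgaDisp.exe", "CommandLine": r'"C:\Windows\WgaDisp.exe"'},
    {"EventID": 1, "ProcessId": 3064, "ParentProcessId": 1932,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_DelItW.bat" "'},
]

# Path shapes used by the rules (case-insensitive, Windows backslashes).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)   # file directly in C:\Windows
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
TEMP_BAT = re.compile(r'\\temp\\[^"]*\.bat\b', re.I)

ATTACK = {
    "adds_run_key": "T1547.001",            # Boot or Logon Autostart: Registry Run Keys
    "self_delete_batch": "T1070.004",       # Indicator Removal: File Deletion
    "drops_exe_in_windows_dir": "T1036.005",  # Masquerading: Match Legitimate Name or Location
}


def image_of(events: List[Event], pid: int) -> str:
    """Image path of the process-create event for pid, or '' if unknown."""
    for e in events:
        if e["EventID"] == 1 and e["ProcessId"] == pid:
            return str(e["Image"])
    return ""


def hunt(events: List[Event]) -> List[Finding]:
    """Apply the five behaviour rules in event order; returns (rule, pid) pairs."""
    findings: List[Finding] = []
    dropped = set()  # lower-cased paths written by any process so far
    for e in events:
        pid = int(e["ProcessId"])
        if e["EventID"] == 11:
            target = str(e["TargetFilename"])
            dropped.add(target.lower())
            # A binary from a user-writable dir writing straight into C:\Windows.
            if WINDOWS_ROOT.match(target) and USER_WRITABLE.match(str(e["Image"])):
                findings.append(("drops_exe_in_windows_dir", pid))
        elif e["EventID"] == 13 and RUN_KEY.search(str(e["TargetObject"])):
            findings.append(("adds_run_key", pid))
        elif e["EventID"] == 1:
            image = str(e["Image"]).lower()
            cmd = str(e["CommandLine"])
            parent = image_of(events, int(e["ParentProcessId"]))
            if image in dropped:                      # "Executes dropped EXE"
                findings.append(("executes_dropped_exe", pid))
            # cmd /c <batch in %TEMP%> spawned by a process that itself lives
            # under AppData: the classic self-delete stub.
            if image.endswith("\\cmd.exe") and TEMP_BAT.search(cmd) \
                    and USER_WRITABLE.match(parent):
                findings.append(("self_delete_batch", pid))
            # Browser launched to a URL by a non-browser parent in AppData.
            if image.endswith("\\iexplore.exe") and "http" in cmd.lower() \
                    and USER_WRITABLE.match(parent):
                findings.append(("browser_launched_to_url", pid))
    return findings


def attack_ids(findings: List[Finding]) -> List[str]:
    """Distinct ATT&CK technique IDs for the rules that fired, in order."""
    seen: List[str] = []
    for rule, _ in findings:
        tid = ATTACK.get(rule)
        if tid and tid not in seen:
            seen.append(tid)
    return seen


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:28s} pid={pid}")
    print("ATT&CK:", ", ".join(attack_ids(hunt(EVENTS))))
```

The rules deliberately key on the relationship between events (a file written earlier is later executed; the batch runner's parent lives in AppData) rather than on the file name WgaDisp.exe or the URL, so they survive a trivial rename of the dropped binary. Feed real Sysmon JSON into `hunt()` by mapping the same field names.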

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    d85794d10de2ccba8fc546eb291ca6d4

    SHA1

    b0072aeb3177bc93b02b263313f99706815f5730

    SHA256

    88806f3680c65be098ba894cdc9c8f6b3e3e591cbffd9e2fee8cfede3ca7bc24

    SHA512

    e009cbeaa758c1fcdd2f1453db17395cfbd05bfaf2c30f6262c1a49bffc57a39a1a7667cb0eb9879bf61a941e5f987a7bd7b23448ff4ec562946f3ae6f15705b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    eb0ecbb78349f3ed3e31f2295821106b

    SHA1

    072ff868d36fc3bfb1f53e97508e919f823e1a1f

    SHA256

    cb6c1f376cf4aa18dc0d7544c73bc11bd918de208243604752b8c5eb5cb1b4c3

    SHA512

    e04c5c4c0b45d6aea19d29a8d6eb58e2b9242618693e8bb4427094e3642c8d2624ef9169a7a3426ab9ea604d645630264908ee9bcfcfb4616db613c987c263e6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    279d01ae39926cb0380b3a7d408c8871

    SHA1

    af9653fe55ab1ee0b4bbb398c785c9f7ae9607da

    SHA256

    012113a242fa4d14336c48eea91e28ec9c93ca64faca3a39261e21a885310a70

    SHA512

    1f0a1a7e72131897ad837763636924fa048b4f1d86bcb468ab0b258f72770e903fef6f63c6f116d1e4e9fa347aaef4d9b362c2471b7250bbef2416012730b0a9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    1f2adee15177640c155138a1400efaca

    SHA1

    b73bc8a4cfd5dfbcce4318409f02931aa986b73b

    SHA256

    620b55e9ecc6d5aa41c73704476d61cbeabb6cb2707bae0a750f030fc28bce5b

    SHA512

    e1eb121f48b614ea1cfb2776a2ac76355d02287d64a1a2c27a4b76c3246aac56e1b2a3eed2c0d7f53408c937077b8430aea929c006ba224e53e018c7e4c56cf3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    7e676f9cc370ec07e4d9ebb2812ff513

    SHA1

    c114b1dde9e817aa970ffb0b7879da28df311b08

    SHA256

    5e97549ee3dbf5b302c4d903f56761dee3798b777920f08f12033765fc752c88

    SHA512

    5c3d71cffc02be3599fc0c2d1473bb70635cc3b891a9994bd272a8377ff49abebeead151b7aa149b65a1a8709b468fbc597fe5fc8822342b6238c6c3513c9b39

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    b1faa0359d096e36348911bc98e62362

    SHA1

    5adeb09fa88b01608ff987c84dada633b9a733ae

    SHA256

    662d3953e53ae982589d2c1b460de23d9c8680c52bb1260176f7896df43e19b3

    SHA512

    06ad5c24915e81a5b8375d54a1c3460cd7c396f8aef7ffc006d9c26bc081381d750aa2a6ede0a5f6e86d0cc0a5c450f1a86a91b6c22af7855f77144cb679e021

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    e3d82130b365bc6afd78e8ff5c4bb206

    SHA1

    a1d807a3b3ee5cf94876b09db14c5db417356366

    SHA256

    b11fa3ccf9af53759056f358962ab225132387c28052e5950261f7b679faf821

    SHA512

    e4412c8dc17af72b1ff39c8c8d4268f0bb668d13c5f0b4c1813a79a85e854727c3fadd61d99b528b9cf54189fa63835b20811cd80293b24b67c04352b9ffa9ab

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    cb71de830c3c95afd44cd6c3bae363d3

    SHA1

    9be190057fbe6695fef3074934501f72571e0a98

    SHA256

    2d66c2981c681f704b46a4e13598286fe58aa99dda77feee804eb66b55feedb2

    SHA512

    bbcf57233c60464a12c9cf7c99713591133d25487a2e829f2ead4625635381648cbe216c961f90bcc5cb42b066e5daac81f666d2cf6d5622be6b85768b44cf23

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    1032e42d04746ab1950390fbd00df6bf

    SHA1

    425befcc99d4eb831ecaf081ac07e598b71fbc9d

    SHA256

    fc72a4aa2f579aae22793a83dc938f7beb09ed358e030b92f2aba2c91c52c5c9

    SHA512

    dfd43112d224f11a1026419eda265e7517a534097706f09f87ca116d20f248a8b75bba3d71714584b8be459a7d58669b48a4123986b1d2123e1aaa83943de45d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    1611c8fe94fca01c963ddc599fe92908

    SHA1

    4db4867cfb6fe3c3bd2dd1b899e6e17eb7ebdba7

    SHA256

    5d244083e7094fe10ee8ea44977c54f5511cd21a4ee9545f1e80fcec715de8fc

    SHA512

    7566b1d380bb9cb179607dda44180c043712ff57f84d41e34179004747838a88d21add3d78537c8adf18d6c8a765dd3ed4727eaa670950588aae5145df1cd3cc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    7a32208810084f0702852f0e37a9ac83

    SHA1

    e587b677c5bba80c3074662496dbe1d67d40dc05

    SHA256

    87de52c68df3146bf92efb47326f9b1ba46cbeb431351e15693dfdf8737c61af

    SHA512

    9f913f7a1a539d449fea00d9cf9c21a22ff359341d1257f71e6cf6d4f7f4d4f9753e92cdd008c150db080f485dc20fcaf612846832d2243664278e17feea9943

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    75098bd521efd06b5f392554f417a1a1

    SHA1

    678587707fef3e3bc3f5aebd74ce6a7f382af85b

    SHA256

    9cd6e47bdb7ce6049e92189fbb8d93420ef15b175e9768ac1e0615db32a1878b

    SHA512

    e34d8a8cbcea98bd7674823abd0120b04ae014f4ce6b585c5e592ef6a2bbb856dab88ec1f24351d26dbbcba370204b62617ca210c7b8037bf6701997bbce909d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    6a5ded91760614366a327daaa5dd4eb2

    SHA1

    57d3dc9157878e52105a0b7ada916f871dca2e57

    SHA256

    d530a8b047e50c40ac67eb7cf1d8067014b0d0c14933ec9c10ec32650df38215

    SHA512

    cf557f7e735ea196069e12cbbdc801d88b7da01bd5d97bc4ce5a45f6e8c8b14402e7153d1d037533e768d3e435bd8c0c49a6e08d6f66402ebc6c4d7f0dc4b49e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    90403f3f2cccab9efa93f1f96d0120b7

    SHA1

    76a3aff8acde03545d36dbc590b74bab00d4f9e1

    SHA256

    b7e22fa4d979620a427c8a71c34bd51bb270c44a1ef19e65156ebf6376b0f0ed

    SHA512

    a6d21b54cbbcc3ffe9f3498edc167c9e1a1e176a19ae20bbdac1d69e1655dba8c60ff88991880c9c83ed11413c8ed1d36cea056bd7e63b92fde161ceb48a6c5f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    7198bfaaffc34dc559d24f799817e159

    SHA1

    fcc0f83e5aed66897c161dc13cbf73126125f88d

    SHA256

    dfc4bf2b1d6eece4cd6de28c33c16157b69a0d16dd8fb375d80d8fe3eb90fbc9

    SHA512

    cbc335fe60d935abcc4f380b5307b143c49c65e20706bab297c23c739ef3d51cd6334cf71b7768798267e10e648f440c3a74a6d0252838152d532d9c3ca734a9

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8D80EFE1-EB95-11EE-B55D-7659DA376B3D}.dat

    Filesize

    5KB

    MD5

    08f9a1774a12fac403e6bd96bddd6707

    SHA1

    2771cea6fe426e3c55805eca8b412e8fb43969da

    SHA256

    1fbadb15467f6817489f9c0c82bd0f1c0ff7a164eacd73ce532ad165776994e6

    SHA512

    01fae8f01e145f795d64d3097bc084563a74a581d458ada22cd9eb9aded69bcd87025ffa4ca7c20e79a80fcf0460ff5828658895982409d32b814b0087b85d43

  • C:\Users\Admin\AppData\Local\Temp\Cab6C0F.tmp

    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

  • C:\Users\Admin\AppData\Local\Temp\Tar6C31.tmp

    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

  • C:\Users\Admin\AppData\Local\Temp\_DelItW.bat

    Filesize

    295B

    MD5

    8df2aa6e13bfc05e76bac470461df324

    SHA1

    5d22f091da048ae61585795b30e3a54bd3653453

    SHA256

    9ee1424f4e499ea83160c1a6602194c13c667b8775c027305c55516089dd3a41

    SHA512

    24ffd164deee1c70832a6d79924695077bc3627acbfff3567c5784f4f3b6a347186642bc6dc192db47aecd8f536be486eb8bb2f8a584f140b91b8153824819c4

  • C:\Windows\WgaDisp.exe

    Filesize

    80KB

    MD5

    7fdc02fb99668537c9da54257ca57bba

    SHA1

    0e37a96ff965884feca79071c7004689fa3b22e0

    SHA256

    400ced27fcb72b3532f274c6258263154d04f5fc52ee1a844fa3ce051c834533

    SHA512

    c15e15168632924dd21bbde7608bcc3e5a34bc3e77ab692910171680e98d34f806313a35085db19e8d36d1a98ea2bcd465c3214afff6433e87d9bb3c92bbc825