Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 10:17
Static task: static1
Behavioral task: behavioral1
Sample: 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
Resource: win7-20240221-en
General
Target: 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
Size: 768KB
MD5: 11cf5ca49a6c354eb005fb24bdf6b1f0
SHA1: c37b9b9fea73c95de363e8746ff305f4b23f0c28
SHA256: 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7
SHA512: ac91cb1e00db5eab4dd2253f745703d95ea4fe086c4289da62088f40ea727e4b54205d230b4282d38df006c3aebb2522058e2737c90d426abf900368c9c6dbba
SSDEEP: 6144:jLPkIupKPUWqUzHwlyLqZucfo/4dQSP8AEcmqRYn/nCrK8cI1WaWQ0vOKO5DBHQp:3kXoDOUAuao/Kl9a9bQ+ZE1Qyu9
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe

Executes dropped EXE (6 IoCs)
pid Process
1048 Kip1.exe
2760 Kip1.exe
2032 Kip1.exe
3860 Kip1.exe
4288 Kip1.exe
1008 Kip1.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (3 IoCs)
description pid Process procid_target
PID 1048 set thread context of 2760 1048 Kip1.exe 101
PID 2032 set thread context of 3860 2032 Kip1.exe 107
PID 4288 set thread context of 1008 4288 Kip1.exe 111

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
1928 schtasks.exe
Modifies Internet Explorer settings
description ioc Process
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a78200000000020000000000106600000001000020000000f51996743e031495180ec441c3fa16928d49b1ba0a28027b95f70dc2a67387f8000000000e8000000002000020000000d2b7f9ff8ea3640d38a97faabffc3e1ba3b0faab7891289363b45397c7278e6120000000608ea290cd31b19b2b28f3021e589f79547c7af0b2033e428838224211ba1b93400000006d5fc3c421c0cf322bb0e87bc1b1aecc346cdc9ce6e3da73d8d40151348e6ccd0cffa6ed340b0a3bdc624ba1f1ae7d4861e1cd7db0419d4643c2471cc611d23e iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a782000000000200000000001066000000010000200000007a0df9d9d8cb87e769e5329f02e19250d9b85d5df354c2597c71fd5f36e52fe4000000000e8000000002000020000000c419a9c24574977c0960da9b9105d3152476e62c2d64bb2f1226f25a9c3f8e3520000000b979f1273dbfde07c93dcbde918e63c61b73e7785506034e49c66d7e7470bdbb40000000b1a2ed81fb9f57155e5c8bae1a27854dd9077cbf51c2b5e6f29c0c69b4c4bdb7219330fd695a42278752ff4ea03e82801b457c0f9b66e505dbeefadbf15a573d iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20f1a35bb085da01 iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{735CFADE-F1A3-11EE-B49E-E27D0092C90A} = "0" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0d07638b085da01 iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a782000000000200000000001066000000010000200000005f6a0202da2069b4ed0a82ff0809c12a435319890d6ba6a597c280cc8846a7df000000000e8000000002000020000000cd7e420e834ac9bd607b367e0a1ded124fe034590f9541fd82ec19070fdb48e520000000d1dfc1571e6e342da383146941937d97ea92376bf3ad052dea86b3e85a5ff7af40000000d71bba1c6f51f084017905f486f0cb02baf59725a2630e55c0c681663c031c89ee9c13c6f7fb9c5db0fa9d82834641afe987d63f7286270f93821bf3328c7093 iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "850755129" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{96939707-F1A3-11EE-B49E-E27D0092C90A} = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a7820000000002000000000010660000000100002000000072539fdb6080ac38c93e14f4e792591785c3879c1552234bd5d74c75014d90c5000000000e80000000020000200000006852a32faea53296925e5ec0606eae11773330f8e004c7c22be8016f445ae6d720000000319edfe77bea6c5eea81b391b3e5686587b011d01d94f46b160f03687130e4ac40000000e1e0a8c5e86e91c46a2726c11852148f93ae6abd40873251c546c0a668431894df28cc597d2176e5d53c62cf16f5ce7084e2993bb7dad23189f8afad4b462377 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a7820000000002000000000010660000000100002000000083f7e887536af3c107e6eb6765b418476a8f53baaa6d5d9932d0b8708f7b6e15000000000e80000000020000200000007a29f90733ff565fe87c00dd324b2282edca3612b99feaed67d961414cd55bba200000008801a3c31eac8cd10a404d32017b467e9457171f18add9b5dc3e3b1f735981ef4000000056fbb817cd44ac2994525664bb8e2273c346c2e61cf5013c24214ce359436af0656391cd538755d9cd4078d851eeaf4db29ce115f7975ae03d6753a3c098d253 iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50c52c5bb085da01 iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c064c959b085da01 iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a78200000000020000000000106600000001000020000000d343e84fd50e2180285b2b5862ba08a1514594537903346b8cd3bae002699507000000000e8000000002000020000000d7d1565ac7ac3eb0f199dac1e0b417c59f2eb13235bd4f7b967102b354a7c29f20000000ec1b0a43da55f18f6560117b73067264bf51420ce2bd53ddfc02b4598296b62740000000d3f81a1bcafb2c240c9f00f0424c492d03024dad7badf7a24ca99fca22f5d2d656fa493692f217c3b5a7bcbaeb163414984db0113722f40b143c40b875106308 iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0941824b085da01 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a78200000000020000000000106600000001000020000000cb799a0451070f06b7ce18897d8f9e1f93d942e5eb7e8fc7ffafbb85f8ce4e0a000000000e8000000002000020000000a89e571abd5c3093875911df7b26e69ef913d41aecbb2c143e284512118f53aa20000000852a3d4b2e1b820a8480a51c28851637879562b0dd75a6ca7fffa2a7849a7e0f400000001557c82447a27dc871b2c60bee89e16ad4dc3e11b6d8c5955df00740cb0bd43faeadcd8706dd01e08ff3ca35bfb25c684da08b7aabb21ab03c903e74fffb37bf iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a7820000000002000000000010660000000100002000000065c4a48f8d2b30aeeda842f2cbe87e67dd4cba47cce058cb04d4879680fbe370000000000e8000000002000020000000ee6de227014d45cd18c85156e7931848f5770916031cde481ae8202feae8b50120000000e2b6174a2e586a0db388a4ed1020521a50f28a6d779a4e36c426f08694c513cf400000007b7d253aa57282da7dc2a1fdccc276b977614fc9a13d22a3497e24f64687f60ec4be526b65fb29a973cc747606e6178ce3ca523bc581c2617ac8bf0a9c65e804 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "850755129" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a6b938b085da01 iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5E31B984-F1A3-11EE-B49E-E27D0092C90A} = "0" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20354738b085da01 iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a782000000000200000000001066000000010000200000007a498ca0c624b8a3b57e67f96ccde909848778542188dd9b32915a6f14ecb496000000000e8000000002000020000000483009992559600d2a85250d74ce5d994ccae04bf9f2a1593d26a80af916790c200000008f7478f8ab9c5bfaa7c306c1206f559e89d15940e866cf77725933e36d4be64a400000006f478622938006b7eb0769dee8b397f450fde898c99d160f444bc52f4b310e4e067bb704e8d2640c473d2b574f5e717d5354c66dd99e5ada21019a4fb633bd2c iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50af5624b085da01 iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0382437b085da01 iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0ef595bb085da01 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a6b2c30d55de341b3e799a3c014a782000000000200000000001066000000010000200000003292be3fa219c97229277fc8ff4e071f8c6d896ad524ef2ad50a48f7e17ba322000000000e80000000020000200000006d62c46b5ed1a2dd82c7f52e0f46fe2d6bcd4e2a861fd0adb6525fc128162efa20000000d96208a678abb221f28f8d3e0ae71ceae40e1a937f99e5a796d6066c4fe070ca4000000095a642314cd8b9a03f382e5e60b877c9268ee08198f09aa0aac53fded2bcff6b0b37bd6765a439d9f326be89919493ac9653b323b7b8446f8be75f99feea7cf8 iexplore.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid Process
2760 Kip1.exe
2760 Kip1.exe
3860 Kip1.exe
3860 Kip1.exe
1008 Kip1.exe
1008 Kip1.exe

Suspicious use of FindShellTrayWindow (11 IoCs)
pid Process
3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
1048 Kip1.exe
1048 Kip1.exe
1704 iexplore.exe
2032 Kip1.exe
2032 Kip1.exe
452 iexplore.exe
4288 Kip1.exe
4288 Kip1.exe
3632 iexplore.exe

Suspicious use of SendNotifyMessage (8 IoCs)
pid Process
3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
1048 Kip1.exe
1048 Kip1.exe
2032 Kip1.exe
2032 Kip1.exe
4288 Kip1.exe
4288 Kip1.exe

Suspicious use of SetWindowsHookEx (16 IoCs)
pid Process
3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
1048 Kip1.exe
1704 iexplore.exe
1704 iexplore.exe
3624 IEXPLORE.EXE
3624 IEXPLORE.EXE
2032 Kip1.exe
452 iexplore.exe
452 iexplore.exe
1552 IEXPLORE.EXE
1552 IEXPLORE.EXE
4288 Kip1.exe
3632 iexplore.exe
3632 iexplore.exe
1724 IEXPLORE.EXE
1724 IEXPLORE.EXE

Suspicious use of WriteProcessMemory (48 IoCs)
description pid Process procid_target
PID 3564 wrote to memory of 1928 3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe 95
PID 3564 wrote to memory of 1928 3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe 95
PID 3564 wrote to memory of 1928 3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe 95
PID 3564 wrote to memory of 3144 3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe 98
PID 3564 wrote to memory of 3144 3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe 98
PID 3564 wrote to memory of 3144 3564 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe 98
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1048 wrote to memory of 2760 1048 Kip1.exe 101
PID 1704 wrote to memory of 3624 1704 iexplore.exe 104
PID 1704 wrote to memory of 3624 1704 iexplore.exe 104
PID 1704 wrote to memory of 3624 1704 iexplore.exe 104
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 2032 wrote to memory of 3860 2032 Kip1.exe 107
PID 452 wrote to memory of 1552 452 iexplore.exe 109
PID 452 wrote to memory of 1552 452 iexplore.exe 109
PID 452 wrote to memory of 1552 452 iexplore.exe 109
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 4288 wrote to memory of 1008 4288 Kip1.exe 111
PID 3632 wrote to memory of 1724 3632 iexplore.exe 113
PID 3632 wrote to memory of 1724 3632 iexplore.exe 113
PID 3632 wrote to memory of 1724 3632 iexplore.exe 113
Processes
(Process tree: child processes are indented under their parent.)

Image: C:\Users\Admin\AppData\Local\Temp\4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe"
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3564

    Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Eburin" /TR "\"C:\ProgramData\Kip1.exe\""
    - Creates scheduled task(s)
    PID: 1928

    Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /run /tn "Eburin"
    PID: 3144

Image: C:\ProgramData\Kip1.exe
Command line: C:\ProgramData\Kip1.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1048

    Image: C:\ProgramData\Kip1.exe
    Command line: C:\ProgramData\Kip1.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2760

Image: C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
PID: 3568

Image: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1704

    Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 3624

Image: C:\ProgramData\Kip1.exe
Command line: C:\ProgramData\Kip1.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2032

    Image: C:\ProgramData\Kip1.exe
    Command line: C:\ProgramData\Kip1.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 3860

Image: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 452

    Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 1552

Image: C:\ProgramData\Kip1.exe
Command line: C:\ProgramData\Kip1.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4288

    Image: C:\ProgramData\Kip1.exe
    Command line: C:\ProgramData\Kip1.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 1008

Image: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3632

    Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3632 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 1724
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 768KB
MD5: b211348f8784ea450e1364c053046a6c
SHA1: 70df9df1ffe20e7eac54e424c2e76242696904d2
SHA256: ca11b8ffbc782df697f34a26df930970b1ced2efbf89a34c506ae80a1cdc43bf
SHA512: b69d29cb50fbc3872a0e372c28747d56c94c094af7fe80168dfa48656e309aba32a7e9c7f26df6b5d2f2420592e6b079fc3df517298f2456e40aec2d8e36573a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 1KB
MD5: 7058bba1fe7cf158f7b8352fe16dbb9e
SHA1: 272723ea31714b2d6b24f6869e243ddabe3c81a5
SHA256: 0a80c0abbfed56bbe08856d78f27cb0065c6c2c4d245468d163456aa807ca69b
SHA512: 3d754b4ee60018cd183cbe76d162e0f278670a7134fc710d2aa8c261d4d9594c3d7184a476fdf7242a6279fb76067d27055eb22dc70362e6cd2d1e3be6d89260

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15
Filesize: 472B
MD5: 366e3b3c898c75d56e53f479ea317c72
SHA1: ffe1032c77b966d535e6f2d123bf7ffdb07a285f
SHA256: 5ddffbff56d1be3ca45392d13d09add4595472fe63aa951e2c01c12c5cd671c9
SHA512: 342597a79602c28a21e11201d0cc704a7f28617e57008360083123bfb653cb4d545559804f721a7168242ec39bfcbeef08f24a2cb7b82b79ff35dbc5a3047378

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize: 724B
MD5: ac89a852c2aaa3d389b2d2dd312ad367
SHA1: 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256: 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512: c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 410B
MD5: b96180747867f3a28b508f6a573d0ad0
SHA1: 4707fd28087000945afc14e0e86836a974d20aa6
SHA256: ddbcb56442af4244493f41babed256f4a42e9ce87a0afe008a2291cb1efd5f3f
SHA512: 54decf47639b758ddeff695725429eaa1cd300fba5a4b673ab946b6aab18e4c57c98322ba7143a8138b3ff563704c0a5ad6823ac98be56f415018a2fac1e8834

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15
Filesize: 402B
MD5: 9b7bfe129ce053d02f2c458f00df3dad
SHA1: 7f6f5d99aa3a81ff5761e949c6a2a35fd8556f28
SHA256: 7dff6fe786525dd022fda0e2a53af1683ebfed6ebb689c231eaa4fc1a2684751
SHA512: 31ed89164f1650cec655f215b4a2b8061d52d2725ad7016f57053b4d0848e992a7eb48d555d843df0648983744d47b5e7af3dc039d7750524e2ac1755bc81e64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize: 392B
MD5: 5fdc94521c78d57b21977030735a68f0
SHA1: 7f3cb3a6b89044fa0f8b006bffbc8ccd932f5549
SHA256: 54cc59370304e1cbfec3518ff3d8d4e675ed2d0bf811a7391dcc66ab8a14f3db
SHA512: 4f85f1ff50d3ec6e6aa4ee9abf56c4276f913cc356dcc97f0db19c1823b1eae2659b97216a92e6c681144f6b0c16118332cefae76268e56418a26b76f9aac127

Filesize: 1KB
MD5: dfeabde84792228093a5a270352395b6
SHA1: e41258c9576721025926326f76063c2305586f76
SHA256: 77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075
SHA512: e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Filesize: 11KB
MD5: 9234071287e637f85d721463c488704c
SHA1: cca09b1e0fba38ba29d3972ed8dcecefdef8c152
SHA256: 65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649
SHA512: 87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Filesize: 2KB
MD5: 2dc61eb461da1436f5d22bce51425660
SHA1: e1b79bcab0f073868079d807faec669596dc46c1
SHA256: acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993
SHA512: a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

Filesize: 748B
MD5: c4f558c4c8b56858f15c09037cd6625a
SHA1: ee497cc061d6a7a59bb66defea65f9a8145ba240
SHA256: 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
SHA512: d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Filesize: 4KB
MD5: d65ec06f21c379c87040b83cc1abac6b
SHA1: 208d0a0bb775661758394be7e4afb18357e46c8b
SHA256: a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f
SHA512: 8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Filesize: 8B
MD5: 7b5b6c7bf41e6055abd4e74476e08575
SHA1: 5c05d3a68f69258d236f6d9677cc0a42e399e7cc
SHA256: 2392619f397925a165cf31634781d68b006c396611c425f6c67f338356e47f8f
SHA512: 36ef55c7b0beaa825ab7b3a509bdd6154be0039bf5add56232ecda2237c277f4fed64235f809cca1dc2370da4664d8c2013a9f3ea8fb6972238ef0b10a6790e6

Filesize: 16KB
MD5: 8178f17a7ce5ad59a966505912214938
SHA1: 33b9f94cc3bcf91dc5003873d6b3e1bf400db6c0
SHA256: 217bde5771b12ad081e395812d6a909ca478a73560bb2a1dfde02c71abc84775
SHA512: 1b9eed011650fb1abc60f77a1d864b18662d44ded998d024603b5cf1e924da4ca8b94f233a13bbda037d46fbc69bc08e6090bab6a8def5e5650210051cec4b11