Analysis
  max time kernel: 121s
  max time network: 141s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 03/04/2024, 12:39
  Static task: static1
  Behavioral task: behavioral1
  Sample: Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  Resource: win7-20240221-en
General
  Target: Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  Size: 67KB
  MD5: ceb9e6829d00ad6e8f25b30d77aba83f
  SHA1: 865128c3a9baee65deeab14f1fdc9a68969df6f4
  SHA256: 664582c7357c0ea9f0f6ab524867e1cce887251b11e917ba5c9d81247e57bcb1
  SHA512: 18703d353319cbd049dfe3d19469eef2ef26615e44101eca43d1c7da515553d2c98e8098e5d2cfbf1c32984d77846dec320223ea4b8189ca9f64d570e7ea0ca2
  SSDEEP: 1536:j+wPW51r8EHsL71ELMt/RYKiq4vo/1oHHbwr/Ye2WcMX6F8:j+wIiEH+u4/O1HHbwse2SXE8
Malware Config
Signatures
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) 4 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\097d62ff5171105c287702e3de189a1d\Admin@KXIPPCKF_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  File created | C:\Users\Admin\AppData\Local\097d62ff5171105c287702e3de189a1d\Admin@KXIPPCKF_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  File created | C:\Users\Admin\AppData\Local\097d62ff5171105c287702e3de189a1d\Admin@KXIPPCKF_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  File created | C:\Users\Admin\AppData\Local\097d62ff5171105c287702e3de189a1d\Admin@KXIPPCKF_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  10 | icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  524 | schtasks.exe
Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00c5610c485da01 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418309846" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B37E4A1-F1B7-11EE-8D50-4A4F109F65B0} = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000b63dc8e5e3b2e11dfcd2b5c6ad9cba45c8c195ddb4e7ef1088389f45d0d7e2aa000000000e8000000002000020000000642b9432a225604cd221259de321960e8bcdb7d5c319322e9fa7905d11c7934820000000bc790daf6df622fe83eefca671b45c24c0d5e3e0cd3043734b00508effa6b4bb40000000cf659caa7471dc664c4e361286325b9cdef1ebc8241eeb3c6e790b9be4c9be91372240334c915c245554162c81cb275ca77ec6dfde0960bfc78adaf9afc65014 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Modifies system certificate store
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
  pid | Process
  2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe

Suspicious use of FindShellTrayWindow 1 IoCs
  pid | Process
  2168 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
  pid | Process
  2168 | iexplore.exe
  2168 | iexplore.exe
  704 | IEXPLORE.EXE
  704 | IEXPLORE.EXE
  704 | IEXPLORE.EXE
  704 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs
  description | pid | Process | procid_target
  PID 2224 wrote to memory of 1416 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 31
  PID 2224 wrote to memory of 1416 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 31
  PID 2224 wrote to memory of 1416 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 31
  PID 2224 wrote to memory of 2168 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 33
  PID 2224 wrote to memory of 2168 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 33
  PID 2224 wrote to memory of 2168 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 33
  PID 2224 wrote to memory of 1964 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 34
  PID 2224 wrote to memory of 1964 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 34
  PID 2224 wrote to memory of 1964 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 34
  PID 2224 wrote to memory of 524 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 37
  PID 2224 wrote to memory of 524 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 37
  PID 2224 wrote to memory of 524 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 37
  PID 2168 wrote to memory of 704 | 2168 | iexplore.exe | 39
  PID 2168 wrote to memory of 704 | 2168 | iexplore.exe | 39
  PID 2168 wrote to memory of 704 | 2168 | iexplore.exe | 39
  PID 2168 wrote to memory of 704 | 2168 | iexplore.exe | 39
  PID 2224 wrote to memory of 2436 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 40
  PID 2224 wrote to memory of 2436 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 40
  PID 2224 wrote to memory of 2436 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 40
  PID 2436 wrote to memory of 2936 | 2436 | cmd.exe | 42
  PID 2436 wrote to memory of 2936 | 2436 | cmd.exe | 42
  PID 2436 wrote to memory of 2936 | 2436 | cmd.exe | 42
  PID 2436 wrote to memory of 2908 | 2436 | cmd.exe | 43
  PID 2436 wrote to memory of 2908 | 2436 | cmd.exe | 43
  PID 2436 wrote to memory of 2908 | 2436 | cmd.exe | 43
  PID 2436 wrote to memory of 2988 | 2436 | cmd.exe | 44
  PID 2436 wrote to memory of 2988 | 2436 | cmd.exe | 44
  PID 2436 wrote to memory of 2988 | 2436 | cmd.exe | 44
  PID 2224 wrote to memory of 2952 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 45
  PID 2224 wrote to memory of 2952 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 45
  PID 2224 wrote to memory of 2952 | 2224 | Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe | 45
  PID 2952 wrote to memory of 980 | 2952 | cmd.exe | 47
  PID 2952 wrote to memory of 980 | 2952 | cmd.exe | 47
  PID 2952 wrote to memory of 980 | 2952 | cmd.exe | 47
  PID 2952 wrote to memory of 1892 | 2952 | cmd.exe | 48
  PID 2952 wrote to memory of 1892 | 2952 | cmd.exe | 48
  PID 2952 wrote to memory of 1892 | 2952 | cmd.exe | 48
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"
  PID: 2224
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command: "schtasks.exe" /query /TN WinTask
      PID: 1416

    C:\Program Files\Internet Explorer\iexplore.exe
      Command: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\p.html
      PID: 2168
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
          PID: 704
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

    C:\Windows\system32\schtasks.exe
      Command: "schtasks.exe" /query /TN WinTask
      PID: 1964

    C:\Windows\System32\schtasks.exe
      Command: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe /sc minute /mo 5
      PID: 524
      - Creates scheduled task(s)

    C:\Windows\system32\cmd.exe
      Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      PID: 2436
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\chcp.com
          Command: chcp 65001
          PID: 2936

        C:\Windows\system32\netsh.exe
          Command: netsh wlan show profile
          PID: 2908

        C:\Windows\system32\findstr.exe
          Command: findstr All
          PID: 2988

    C:\Windows\system32\cmd.exe
      Command: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      PID: 2952
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\chcp.com
          Command: chcp 65001
          PID: 980

        C:\Windows\system32\netsh.exe
          Command: netsh wlan show networks mode=bssid
          PID: 1892
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d927ef74d91459e68559709a1cbcb2e9
  SHA1: c00d2e878406bcdae16c1b007ac12c3e52fa6d10
  SHA256: f2f440daed912edeea67a414a3916b9596cb22187316decb26fb4c95c14a0737
  SHA512: 1ab5c426e04ab5ebb09c037fe9d629fd6a6878bac1a363684530d7987a74e3c7f38356aea999fd4af0a29090cc4856380dd84a755836ff82092cc762c37b18a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: aaf740f54c5daf0d754d3235f1acde3f
  SHA1: dd0e55c9a8e269d3731b5371b444fccd0a6fc3ba
  SHA256: 20082b35c3662bdf003d9d309340ca1b163ce78944cda08a9690596ff49396cf
  SHA512: 96dd923508705c0ff6f463e8936ac3d6713d401630ace86bb73ef18ca088e51760c4bc78f6f972363c6f6eca9b1b0e858f3d5eef990463f9f27b91fbc87d84b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 1089e1625413bba2adac11d7074f3cdf
  SHA1: 21df76fe55735c53ee3186d5b78fa6bca2a84860
  SHA256: 1e7492b985fb765083bd1441673ecb0f3617f9b99c6ccda350913d3e2ecfbe20
  SHA512: 87a138fc6faa89fd1dbc7d8bf08b75cb6045ac2bc0107732e28d45c55f9c73b96d8639a6bfb4388fe678f7e9f73bc865ed55df6d974728618a9c8ef9006744dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 7562fa342b71ce9805e6de69f058252b
  SHA1: 5b83c23e9c04cecf4bef4ffc3bf773ac21351711
  SHA256: d5e71c47e4666d64487677a6a0c2143bbe83f8fc96c3a022a8dcc5e1322d29e4
  SHA512: f8be9b8b437be5a1cb754e6d41fd04866d5d2bdfc16bda75f89939a059d38cec0ba10392e340ef3f1f85a6a1002869b2655f7405bfa177a58c4c8d2055649051

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 76c1eab2ba83b756b2100aa690121599
  SHA1: 9e1137136fbac47ebaad1ac393147e8be1a57c1d
  SHA256: 9cee9e4cdc7d55bc34bfe04257784c8c7d028fd075e98f25b33911949705ff0c
  SHA512: e79d1d792e17729e5320b33b9557889c78c03d606eec69995c76ad9800b8c699d72803d0677f2400a6bdf87609b28c99ccd6438f8a5494c5be7fdf78023784b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: ff1951f609e2673f1236db8e6a7825d8
  SHA1: 72ebab5d1f1725ead54ccfaba76c2a4ca0bdb1fc
  SHA256: 6265d44f6788038b98d2439c8c7bf94c4d3b17a6b9fa7ef7f5ff672e5f3ce116
  SHA512: 151644c8860fc5fb152b7321bc5b9fcfce1246360d617d06f0e6ebd56826e91e32caf5f6618835524a0e6d81977dc19a62809165cf123ed6e6fb5efab798b005

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 661946c92f6fb769f380321d70c9f2cc
  SHA1: b37b8e7296d91e8a2eb908e4576e9faacc661f5e
  SHA256: 5fc0ffd7ab5a2ce63ad358e6bce8f5e1860cf8a212cbece629bba66cc7ff94b8
  SHA512: 7634f84480f6b7efeb1bae9afa78dcdcae40dc7ce8fa0a70419637b8a976f17bdf21b82d9e244b40b68b7c8451f86c3619e0d230b3acf009aab8b34e9b2b81a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 6170dabde20f72b922059b220c128247
  SHA1: 475bc6ccbfa1816a2d2532b717c8720aa14f35a6
  SHA256: 9b13e01332a2cf7e0de074a34b013498208c3340628319e4bf5de34823016734
  SHA512: 6867036b4bd391d2671833e0df63f43040d5d4c3a7ecd3c0938fc3ae5bc83572eed906c6ea333e1db12049748479fe4cad86f3114e012f16db200a08ae9408b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 3e8ed89657992ea4d7a6fe60b5033c25
  SHA1: c4d734a6abdfe79de7d5521fff1ed0e2046fbabc
  SHA256: 9018dde0e18d2a632ecb4f8c337cf9cac42c7ae08cd46440d19b4d7426c87783
  SHA512: 2c48f3557689f62de40c9b7ab0a42b9a7f9e5aa6686634623fc38932e80d28588e90e51e7f5b7d4da5357dbaa2abf6afc88980466bec888e898d76681b979544

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: cc763fd760465eb2657c3778ad704651
  SHA1: bfbfa12de895aa6a7a9141b26f300cb752e11500
  SHA256: 44628e2307a4e3d55c7cd0ab815ba01079408826126eb2ee128f2e542d8a04aa
  SHA512: 879fef2e5ee2807a88727840da411e519995e5bd0b228275f602d64e361ed1101841a441d9dc2e9e9421c13e6663082ea232fb2a6978c0cab152c77bc1aa29ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a06c095c3c0f5fd5f35d2bdccf60a399
  SHA1: 84954dd6bbdaa0ea695f97ba8af4c740dfcb5965
  SHA256: c7f79d1fe16dbc760097763b62de91417be0b1f84981f00a569bbe9ebf2c2efc
  SHA512: c7a71eb72d4d29670544c3d479863542a4149a48d0c8f27b4c12dff7ba86f489b044058ff5cbc287be3e5a980642588e07ac28f22fd6b2d84cbda9afb8653553

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 6f3faab57d8defb6bedd625ab2ca3c67
  SHA1: 587aa6e78f3e0ce0a82386d2b06fe59a5b41f0f7
  SHA256: 963918af698513fb664b278185020a96947fff34ff1630ca6b2e5f4305e3a7bb
  SHA512: 76e0c8cd762ffb05453228089a39e3bffc004d9db99d6e6361d90f6b87b785e7c0a485d26973ebe561b2eb4453a74d60eae113cd247968b64eefeba706e5c29e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: b127cc470578836517f849159477ad2e
  SHA1: a8ad426949b1ddfe1e5fb5353b39ec648db23683
  SHA256: b1cfd21ebaf3ffbf860795b121c5fbd35fb55f93c1c7410811ce278b05213815
  SHA512: 8f3549effcfc0b1e4d6f4387c8117387ab76bee02534b72f5cb534c83b4a94b3a087f6f82da5f4cf7b806b4402cee4bb732e0f3a357648629ae3f89c116a32db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 15929ff7e5a008fc50ed477f491edd75
  SHA1: fa858987792caa3492a0a3e41b8c99b48f4c171f
  SHA256: 11d8d9e77371d323e1cc4effa421f4a1dd4cf5183a45522f9c9a0d9f64efd8e0
  SHA512: 643d8fe29dec6d8ba9f12b828a280e6a4ca150cc6ffbed1767963df2d0093056c51bf1bad1873ec0edc25e5d31df3c3a14b54b3442ab73394a37988424d89c76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 7f1e173ca8cc67f9564fe84231a1813b
  SHA1: bf5d3165a2074c0b48223502e4c6487755d7797b
  SHA256: a155f1a09bfbbdafb9f5927d419c675a992363249bca24d8c499dffa54959d93
  SHA512: 11183322850aeb0d9ee12ef0650de2e1824275e0840df1d97531432bcfd344a506525a6c6aea035b56851892a1b96d93b1a3fe5b4cc84b64ab23ded6639cb8c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: cd771579a25fe4dfa92f7cc9d277b5ab
  SHA1: 20fb69c6bd6cd00924570ec8ea07a30e99a4b39c
  SHA256: f3690b27768fc6d79a01d65e36234f34d63ead75e90c8fedabc6a6f99c06144c
  SHA512: 40965382e2799f10d466ecda8769c36774930177ab60ef658d92a964120d39760a8fc308b55174069cb4bed74d63c3548304945739abe196d068c28533425a4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 41363db289579b9743ba4f9b2523e212
  SHA1: 71c88822b504650bdd73da2d78ac0bd6da17dfd1
  SHA256: 574fb6c48ddb8b76b02d7b0d0cca78159384120ea1f93cdfffc0821855a1004d
  SHA512: 3d0dff2a4358e9b243d92d375dc96a62efd5491ac802cb52312beef715170b54974d7a0c7346051b7c1b3e7a0a11b81d7cff2a7a4ca362d2f065a5cf177e82eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: e918172d627972896e5b52b4d5a74f0a
  SHA1: 2da4a7025367b1e77f79f30df3dd30f3d420158e
  SHA256: 42e5d6da29c5a56b1a506e5feddb51361d4bcbf5b09cc37c03df43a82056ce2c
  SHA512: 04d7359d01030477c06e1dfba6f51a6fe3897366ee0647b33fb99ba472daf3a0d12c4e6452b88258ee5cf5f87d629b3d92550923052a5d69fd9e0d8c27be62ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 823088f30e51f93d8ca12419e186a742
  SHA1: 978de4857a52d407343ca914ee3ade247b1dbd5d
  SHA256: 65ebecb440c101a82d002ae75d0eff1f8b0e4c04fa895fcf348c5e03097345db
  SHA512: 1eb40854123441c22cf245516a03a13e96db3681e69034a83d97dbe051de740cc414efa3c72cf7c5a41eb97ef51a73a60256355058d1a883ca3038be372dfe45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: cd835199d3ef2e0290c6a321181ca0d0
  SHA1: 84665ed34ea44e9376f1c6b486f0ac4029d7d476
  SHA256: 5eb5d4cc257d03fb7b08f99ac88e03071b1ac8ed6a2a7fc083120d32d5cb5d05
  SHA512: 06484030cb956f05d36e32f1d791fdebac51efe893f78882e49a78e26db22ef8bbc14ad17cddc9e78c191f801e324dabf653516168583fbcfcdced5585a190e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 1ed39b93688de9cf5495935e4cf66b3e
  SHA1: 6dce2849849565074bd71527c6089f91a379c177
  SHA256: 659f3e5f7f77fb316d6d69117eb8672f320523048adc63cfebb7e719abcd55e6
  SHA512: 7f13754476f382ff7f1e68a5d232f3fb93cabedcbde291e4bd35b587f2ed4ac1bb078488f6212239eac38b130f71154d4df356fcd79be8a11727ab6edc1872f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 230df3a8a9e09469a8b533432116ed1d
  SHA1: 17a1f5b8d7abe89a59dfe18ca2ced2e7fe63cbef
  SHA256: 2545b0823df7f09e51c4e3dd9552c8ecdef5c99e7c9d7a5488412fd5380e8370
  SHA512: 338d72e7e5509f4db1e41bce365b9c9d0ad346c0930fbb9cf922443c7f30ce33c1ed87d029ad257b9f68eef1b49fa5b149874170245f316465829938b085550a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 57b4a29af590f62438454fb7213059d4
  SHA1: db5a7eabf3392e118137cb47f48670bbe6caae0e
  SHA256: a12dd0280e16ee9af66661349e900b0b6530decb806b4e2febea3a1be26b5552
  SHA512: 4dc5da26397ae509b4eeef0a9a861f2d658902f8ef1953b7a727435e5c6c16b60e7767c288d81a465b2e8739241bfb46dd13d98a70e191c967613def4c0bebcc

C:\Users\Admin\AppData\Local\097d62ff5171105c287702e3de189a1d\Admin@KXIPPCKF_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\097d62ff5171105c287702e3de189a1d\Admin@KXIPPCKF_en-US\System\Process.txt
  Filesize: 1KB
  MD5: 3be8cfc821015526c4f3072cb78cfc0f
  SHA1: d05786c140502847cc5cf79b2e9a53927b4a89cd
  SHA256: e85b305cc03365ebe8a4e82b16aba50e600c029db697129304140c729ebf2a19
  SHA512: ca8d75e8140b0f8d09ebbaa5e96683a1d96671ce919ccfa57190f2674074eb6aa59a9b2b0e35a46b655dae54b51913c3949b6c8ee474c8c40d81a12adbeb2b6e

C:\Users\Admin\AppData\Local\097d62ff5171105c287702e3de189a1d\Admin@KXIPPCKF_en-US\System\Process.txt
  Filesize: 1KB
  MD5: 5fc26762483518049ab2bc92bb3c7c78
  SHA1: 1033f8f2dbeb23cc058beeeddab61a4134f6e56d
  SHA256: 17d39f2e2c9b932ec47cddfb3dc12b042270c1629cc9c8290a77b7df976d6278
  SHA512: 2bcb950bc6187a1c8c0b79dc930d79d03cce511a83b86eea5444ed6888a755b312cebf7be2cd6cf1759e86f3868676b32ad4c58dd45c7452539a58bbbad3165c

  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  Filesize: 23KB
  MD5: 4e4349147d3cbbd440f7f3fac5866fa6
  SHA1: 563cf45b4395e64993a84665efcb49b3775505b1
  SHA256: 732efd30bfed7196474ada4a5ffabc01f116bb2b3c68c099991f291ab0c6e325
  SHA512: 7f2e285507d699b1362babcff71b56e1ddd56fb819a27007f492b2276a10648aef6e5880306a60e2d0265b57b999dfabfae0cb7909a64cf9eebc21f8fcb1a440