Analysis
-
max time kernel
149s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
29/05/2024, 18:32
General
-
Target
InternetSecurityGuard.exe
-
Size
6.1MB
-
MD5
04155ed507699b4e37532e8371192c0b
-
SHA1
a14107131237dbb0df750e74281c462a2ea61016
-
SHA256
b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
-
SHA512
6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
-
SSDEEP
98304:hvOOFJ+Z8eAgy7SH9s76RSvyqJOBgECfMfYv+85JH0DVczt8A:hvOOFJ+ggr9s76R+wcMAv+IHCczt8
Malware Config
Signatures
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
-
Blocks application from running via registry modification 18 IoCs
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 4 IoCs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 36 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 11 IoCs
-
Modifies data under HKEY_USERS 6 IoCs
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\InternetSecurityGuard.exe"C:\Users\Admin\AppData\Local\Temp\InternetSecurityGuard.exe"1⤵
- Enumerates VirtualBox registry keys
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks for any installed AV software in registry
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\mofcomp.exemofcomp "C:\Users\Admin\AppData\Local\Temp\11.mof"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\InternetSecurityGuard.exe" "Internet Security Guard" ENABLE2⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt iorzzdjlpw1376xg.com 8.8.8.82⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt iorzzdjlpw1376xg.net 8.8.8.82⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt iorzzdjlpw1376xg.com 208.67.222.2222⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt iorzzdjlpw1376xg.net 208.67.222.2222⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt iorzzdjlpw1376xg.com 8.8.4.42⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt iorzzdjlpw1376xg.net 8.8.4.42⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt iorzzdjlpw1376xg.com 208.67.220.2202⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt iorzzdjlpw1376xg.net 208.67.220.2202⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt imntwyzbfg1344nv.com 8.8.8.82⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt imntwyzbfg1344nv.net 8.8.8.82⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt imntwyzbfg1344nv.com 208.67.222.2222⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt imntwyzbfg1344nv.net 208.67.222.2222⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt imntwyzbfg1344nv.com 8.8.4.42⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt imntwyzbfg1344nv.net 8.8.4.42⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt imntwyzbfg1344nv.com 208.67.220.2202⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt imntwyzbfg1344nv.net 208.67.220.2202⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt dgnua528bdeijpy.com 8.8.8.82⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt dgnua528bdeijpy.net 8.8.8.82⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt dgnua528bdeijpy.com 208.67.222.2222⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt dgnua528bdeijpy.net 208.67.222.2222⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt dgnua528bdeijpy.com 8.8.4.42⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt dgnua528bdeijpy.net 8.8.4.42⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt dgnua528bdeijpy.com 208.67.220.2202⤵
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt dgnua528bdeijpy.net 208.67.220.2202⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
3Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
196B
MD56e86650ad96258b23f022605c5f202d5
SHA1321290e91871cb653441e3c87ee8b20ab5f008a0
SHA2568c39246796530ee7588fc16486335d00d5b7273ebb26efe5833e4cfc2bcfe223
SHA512e8a7bdf4bd2fba233a1a6cdf977d57dcb37ae46bc52bf29b4d23c6294e769069e146bcb5f56c4edbc3f93d38a226a9349f604b54156696ccdef41106cc05060c
-
Filesize
379B
MD55f3cf864d94872cbc6b433b4e9f46395
SHA14ea53c0a8b3efc633a30ce9d4a6b9567126caf7a
SHA2561acc6a438f1132104d0aa8091a7da5baecad39cd42727448a1819a9056f78293
SHA512ea28ccd290fb7f1e09a3bd7c5c8b5ab9be0759030100f233eefb5bf72d4ecbc51b1a2a153e315568dfe1bcaacb2ef7ab366bbc17bfd4bb9c8d0268f9a763bbbc
-
Filesize
913B
MD5a31468d0fdc78b8772a871d63d0875b9
SHA1d28c0b7fe314624055c82a22d524cca00b2ee18d
SHA25600978622ea15ab809078e249822d9b1017453d7a97c85e43900240021b6ac540
SHA512a0eda9368909aba2bebf2ad09d08882ae105f9ba627986d09e157fcca4f9730cbd787265ef9d8773ad95c72f2c56a9ca4c59de5fb8e4783e8be76d601c507c70
-
Filesize
1KB
MD50f98c3c3ab9bd51a257b54c1ed495174
SHA1b94a1355b607011c37a60edd2a32dfa14443c0ca
SHA2564ac92d33a92d5961474ce8ffa88ec835223cc3444ebd1606c038d04b3bc48444
SHA5127eb0c90001b5844b1e1174aab8c20d7a60828b51428bdf480395f883ff4fd5768b03af9d8a50cdfd8682ef3e061647bad85525d1b043fa5ae059f0f9f77592a7
-
Filesize
1KB
MD50e9df17a64eb0f673fea9eefa758b2eb
SHA10f9c0755f8ee3ab03ebdc50f79c721e08e1c69db
SHA256572c1e4c73c5a517fca24477735b5cae15a461ef497b950ec3b236757bfb7304
SHA51248187379a2aea1d3aa23f9daa9eb7b53b22b269d544636048e8bad029746b9c193e68a09037cdf21de341145acd46487b74cc921e371348ce3acee8b5e2f18df
-
Filesize
2KB
MD544dd2849bbcf7624de3e6b88598876f7
SHA13d05b31e97117568ed46ddf41b706aebf9c5834f
SHA25608681a8e04ce4400aeb9395ee48ecfb562d7a2ae2caf7212c5b24f56cc9a965d
SHA5127f710377c056fb437aa0619f2902725a1802cbbdc737cb18d8c208ba5d7f6750be375ce3c18c7393b414760f03c0d95234db88f21f38136acd7881aa96c97e06
-
Filesize
2KB
MD5f66d8671d5ca87b5072620b571bbc55d
SHA19c489b30587652790c60d8fd853e373a6e54eea1
SHA25643f0163dcf0884f8d65d884e1ea21bb642906cecc3b16d4e4b9cb377977c321d
SHA512e2c95fb7e91611a0468980c8eb5005e043e2b9ce0045f2bd29832bf5921c6eeba643abf456298e2ecb9b777a45ccfb437f56e1e47adba0edd7195bcc75a0d558
-
Filesize
3KB
MD53bec2d7a4348d19d179b1b61ccd2b388
SHA195abf782c216ad74d14f17d4025d2bfe39055f4a
SHA2561d9e45a3373181ce09f24b7bca0f907068517ec55edfa4c2589de913e5a862dc
SHA5127dd33193a6a96fc0d233621776e8ff7d3ba321c33acab9f23cc6b5fb0475be87b2b19d4bf61ffbe05144e5dc7a48c7b9d7a8f80e4e6fc7e23cbea98305ab5a58
-
Filesize
4KB
MD5b5f8863392d954027a4ecb5593dff95e
SHA1390f4f878f2ee7004b84abcc8be62fdb678bb872
SHA2566c2f5652887958eb952bb201b77bd4c938af6e5c43f31cd8bcad3e6c1389bade
SHA512b587a6224cd83aed72b9168a9cfe5215a1a17352f5594de56b6554081b4040b33095a299c261400a87f1db28c24b106d4a7242cab906b1ea32ff2f3f09ab207d
-
Filesize
6KB
MD5bf54e30f32dd46411cc26196066e7afd
SHA194912481614dbd11e0a18a3216c9b4e56dac0035
SHA256844f84bd352761f27ad3d895cea7953a0b23e8e7f38339f7108014ef987ae5dd
SHA5124eca2c5363e069b920f220e025b99659344fedaba8c04b81106efa389ec84d49a49c92dc75329152fc0181c5f7e9a6af1341a8029d50115131c2436237c25a49
-
Filesize
6KB
MD58fc203e1edc250fe9934bb356236508e
SHA1423b97164bf533416525bc66ba21adfa8577388a
SHA256285d8e50f7f4beccc05f5b8576b9d34533743c4986d02f5ac2c3b32d7262e7d4
SHA51206061c62f3a7ce4da807910a40211bbfec5ba712dd9df4e64f5f593fcc72fbe4ab8e2f14ff99164da3446adcc79b9491cc1c537ca0288acdb2a271f9970e106e
-
Filesize
7KB
MD598c18d487574b19661fa2017c2f90d99
SHA1a557e59ce9ff0b6ab6495a541e116b1186552250
SHA256287446e2cf0f10cb084b7e8746273b1232178ecdd770105c8c3576056af0521c
SHA5122346ff8ac3471db4cfef0461c6966cac16a9e2c66d1d32037e65e7b345a4117756ad2592bd01dfc561ce54d033db91f74ac4eb621ed5ea67a0160c7f542ac311
-
Filesize
7KB
MD5318eeb9b827cdfee67c0b95e36d5692d
SHA1940e07b984d24de1e364e1d773464c2abb14ecea
SHA2561ac3c9401db6e870e89c3803c3067b09e1a574274ee6f1d8f697fbef92055014
SHA512f02049e12f74e06b4baa2caa6764afdd8c47ec51c2f4156fbbd174ece7867e04f1e19d9f21010e181240ed1c76139dc0a0eebecfacc860de036461f8d043230b
-
Filesize
8KB
MD5fb0c0ae400b8cf755caf8e93aed9a9cd
SHA11cca1282f75410c05099514c00778240a4e4814a
SHA256c386f7c4b131e1d3bb05bfc5eccba595a394c1b18a7c65988d0cd0ca34d93198
SHA512dbd2b3708478c6d9ed25fae0b08dc90b71d203e7c0ee81ccf334ba27a2ac55bec95abd6209f38108e9d643777354dd43ab0c9667c3ccba61a54169637077d88f
-
Filesize
9KB
MD502d061ff167a5c966f8de2277df0219c
SHA17e6c59851f51467771e5c25bfa68bc1a02e9dafa
SHA25631c69182bb8adadee928a6342bf6a12d2fffb0a14a959bea4084580e41d7304b
SHA5125d1f2edd279ce408dce3726c27012e171dbd96cd48ea5af3e1f8be6351ccf1c4d50e608479902162c12ee555ceffe94f13bea0ff723e329aa021155492e110b8
-
Filesize
9KB
MD5144dc658301772e69f2cc1fc55e092e2
SHA18e323e738fea4db285d340770a197a9f73363afe
SHA25660ab78038194f684e19f6ef8d9570abf56bf10a2b1de61f7427b3ededdb74a90
SHA512769d406328fa47313bced91f7e21df440c30a58467b6878b5d326285a9f86b766c226809826d4d53e4ef081f707c03f114769e15bda4971256f2ff6f3c930fcd
-
Filesize
10KB
MD569615b164c57c23f8e59d4a60a5945d5
SHA124440bfed9242aeb1b81b6d1483bbf7900759ad1
SHA256410d23ca9835184ba99a3af3c671a3a51d8986e0424eba4a7444494a15f12876
SHA51291c693c2a6e40be8eee2529097d00682264b5ae013974f4a6eb8f42fe228ab2c8120f67cd413a2bfe424c816d754bdb8c3e870a2e9456bce6394ca2703b4202d
-
Filesize
11KB
MD5ed53ab2a20e9eee26c94b21241e8bcc7
SHA16dc314bd022198489e28b6b408cc3e9fa745c24a
SHA256ae80efa9d2ed8537dfc62962a8f19db138ab4c2c04a3613d3cb4f873e0ca07cf
SHA51220d18753f53ee0115b85a0a8386922ece0c4e7946c0d85a8799fee2afe0ee940b42100caff8a7049b356c04196e5f401cd0130419a244155af0fb28baaef715d
-
Filesize
12KB
MD500bc2080d014b895764972dfac791730
SHA133b3317f93f9ca4131ae92c20205fd12739302dd
SHA256d63b755168dad432da02cfb367d5fe7bb828b8d40c4d75f4d28f7db9208feb25
SHA5127545e5c5af7a25e66f828ff1048306782552d84bdd893f7b02af99bd44097a749bb063865d8339c6e1b2f779ad9707516d7a4aaeb1a460585fc91c847cb6e7d5
-
Filesize
13KB
MD5d57676f0c22fe956bd01b40c4ce09e0d
SHA117e733b8a1f0dd68d99337d4339c77bf40bc2b31
SHA256dc4777eb81689ee54737ee9fcc9e9cec2154057343e7895f292a80ea1d612d30
SHA5122987de5d58a01cd1879bcdf52e3497a3a480350eae4f67505542464a677065f45f930d5853654d727bda08b9827faa413b3e6432f0eb48aeb6b6102a50de272e
-
Filesize
14KB
MD5ed41628cbaeac1f08dee0c040bee0315
SHA15a0e23964226dedc2990b6ba04b0c1a638824a35
SHA2563a4497c3c253fe1464864c92716fc55b72798a15a2eaefde03b63fdf85d614e8
SHA5128dfd406ac79f7342025424c1b14b0bdaaa1f468ff4c9c122bca3849e3eda82f21a234581b6be243cb2985bfb8362802859b60d86fbe9132102c2c493330af2f4
-
Filesize
15KB
MD5cbb5c958dbbfd0c0e1d15c4084c8255a
SHA14ce39b1803b478056fb712b011e4f065d4903124
SHA256a68dbf9955d33cfd5abe6cb98fb3d659184a114484d4dadcccf136a8e20217f5
SHA51265daec94768d1e63d1e6b3492b73ad1f3414792d7faf760bbce7db8881acd68212fe4731766f16bb3296d6eae433512c5f7fa12c7abe7c2742e813c713595e77
-
Filesize
16KB
MD5995527fe7c298cbd9ff58bfb78637710
SHA1ef62f19cd87ce536cf709ec7d2b501e8a4de7676
SHA256949bbd6312fa2ed96f996564741c26a2daf749e152955a30b64628881c1a202a
SHA512563c91ce46e1c9b4f7fb663465d502f62ab64480ae720997dfac6408c18cd3b70bc55d0ffae28e7dc870d6099945a0d3931579254a91255912cf4702263a7e52
-
Filesize
16KB
MD59b611f957bdd9d6ff7e94c9229edb92b
SHA1db9adba132687e27c8f937df5f45d4b9ff8c5ac0
SHA256afb2ba6071a14956eaacb9de85d1c9d97171271bf88491edc5119ccaa09de6b0
SHA5129670a37a64c56f2ac8f0375d636dd61eb83c4a4210423ee5996659f2721aa33ce71f232f899f088a3a5765fb45dddd33aaabb1b2bc9516aa34bc8c1a8e926d2a
-
Filesize
16KB
MD522655a9f9cd019412d29f7545188c439
SHA1e28a542c95d5a0b8e74fedb6f6351a3673c5cdc6
SHA25685ec4fd660cdb5d59a037f9a1b44900c85089f3d826d2b4363f30075a14b628a
SHA5127a84f4dae441b189bd1bf01dc20b766fb03664200e73a3a6b26d42175c8b0f7716c36209ede3e1406c0c7dac3821deffcb13e3d1d7433409cd506b6f5232433a
-
Filesize
185B
MD5b8224e5293d4fad1927c751cc00c80e7
SHA1270b8c752c7e93ec5485361fe6ef7b37f0b4513b
SHA256c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61
SHA5128fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2
-
Filesize
6.1MB
MD504155ed507699b4e37532e8371192c0b
SHA1a14107131237dbb0df750e74281c462a2ea61016
SHA256b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA5126de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
-
Filesize
344B
MD53754f8f8abad5bad797085d0717a9766
SHA148d92f36cb721b390e216aa03b27b41f25c563fc
SHA2563c77f5f888d417a7a31284cb8c5e3bdb4d926c4a274cecac8a8b2920659d5927
SHA512c59f322ece53c757767e52fe9bfbc3526a13afe9ec7503e3d1cae683eeb55cbb808a1bce720fd58f97f286756d314124bcf797c2167275e08ed93ba759bf3985
-
Filesize
6KB
MD5f351ce6c94317496997ceb54e7214212
SHA126267c426df12d30d7172800fda256c9503a491f
SHA25687b226912676379b54db5d37bc615faf31a0b3706f48e5345cbf36ab198e63bc
SHA5123ad072a9c30ef2c7365bd22d4ba70e9021e18bdf24a170e4f648c6b89377ed866bfa73dba0cbab5574770d3af29953e6673b636ce4961b6f917dfcb8d99478ea
-
Filesize
1KB
MD5008fba141529811128b8cd5f52300f6e
SHA11a350b35d82cb4bd7a924b6840c36a678105f793
SHA256ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84
SHA51280189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB