Overview
overview
7Static
static
3??????.url
windows7-x64
6??????.url
windows10-2004-x64
3GarenaPass...er.exe
windows7-x64
7GarenaPass...er.exe
windows10-2004-x64
7$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3GarenaPass...e.html
windows7-x64
1GarenaPass...e.html
windows10-2004-x64
1GarenaPass...se.rtf
windows7-x64
4GarenaPass...se.rtf
windows10-2004-x64
1Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
19-06-2024 17:08
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
??????.url
Resource
win7-20240508-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
??????.url
Resource
win10v2004-20240611-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral3
Sample
GarenaPasswordDecryptor/GarenaPasswordDecryptor_Installer.exe
Resource
win7-20240611-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral4
Sample
GarenaPasswordDecryptor/GarenaPasswordDecryptor_Installer.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral5
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240508-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral6
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral7
Sample
GarenaPasswordDecryptor/Readme.html
Resource
win7-20240611-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral8
Sample
GarenaPasswordDecryptor/Readme.html
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral9
Sample
GarenaPasswordDecryptor/SecurityXploded_License.rtf
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral10
Sample
GarenaPasswordDecryptor/SecurityXploded_License.rtf
Resource
win10v2004-20240611-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
??????.url
-
Size
75B
-
MD5
64460f95f0f0cbc47a45f31d72780038
-
SHA1
6be2d40887313c6a760cc6d5d30d2d79c58879c4
-
SHA256
ab3afe9f268d5eb51dda69a2c09abc88c4a4155933b865876a951c13a4b0f76c
-
SHA512
76bb2d76643bc431358413ed7ac2c79a9ae98d63f6cbf013c0d1d3779052b1799102a77b4ac6eae7ccc7bc0760f870ad4ef3b5d978d58df07f0bcc0efb23d3d5
Malware Config
Signatures
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000ba941045bd7e1a3c35040fb2faf31f81fd87b58afb2d2218192011a8011db1d0000000000e80000000020000200000001a0b3a68b6c9ac001b24a430cef7fcfb1e85ce58cc432a6c0e77009008abc45d20000000db0d61661db959c2827448983e92b8f880c0962790cc1da740934fbf5230be5740000000cfaad45d90aa98d0bdbb6843db2e97c3de8439bdcd59b73f81d786518557d79ff7874466d24c87af1fd6cbb65e645079f443d9da68b6ea6fa432dfb74701d22a iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d5257a6bc2da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b0000000002000000000010660000000100002000000082ae429beedbbfff00e8a71bd51178039023997a7f52ce72bd94e796456a503d000000000e80000000020000200000003d4db77d4686f6c53d45a5e8d0770d1cffcf0d8b073a951cac82786baa5107ef90000000fd9c4e9a4ac9cfc8a769864b98c232daee0f15e28883bd5800b6c14e99ebb938f984bbe716d001ec9d3ffac78c522455a9b8f978feafa96bfd1a6423fcbd435c30353efee8d52f591d90eb3187efe6e4d623a435bd432e274d5f2f783c1d61e8bcb22b6fe7f7ee3b89b5671df1e4ad220b215be4ca132b590473f074308988f6415ead663a2ec09dce9787abe6416485400000008a1d09425fcf6f87efec24acc3c63eeb70e4294e7ef24a2cbac7a544245bc941bb904e2ca61848fb49bddb2f65453ce1656ec92897ba4a41e61dc572cdfb0715 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424978812" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94711081-2E5E-11EF-A4C2-6AD47596CE83} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2600 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2600 iexplore.exe 2600 iexplore.exe 2612 IEXPLORE.EXE 2612 IEXPLORE.EXE 2612 IEXPLORE.EXE 2612 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2600 wrote to memory of 2612 2600 iexplore.exe 29 PID 2600 wrote to memory of 2612 2600 iexplore.exe 29 PID 2600 wrote to memory of 2612 2600 iexplore.exe 29 PID 2600 wrote to memory of 2612 2600 iexplore.exe 29
Processes
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\______.url1⤵
- Checks whether UAC is enabled
PID:2044
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2612
-