7db638a00ccfb9a079adf367cccbb5eadcd57f21b20da229eaf67b0e494eff5d

max time kernel
105s
max time network
115s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grabber.rar
Size

2.1MB
MD5

5c151f898bee9f583f3ec30c62c128cc
SHA1

40f0df47bdc7a1ab0d7b19c3b52c752c23af7cc9
SHA256

7db638a00ccfb9a079adf367cccbb5eadcd57f21b20da229eaf67b0e494eff5d
SHA512

d83943ea6abd564976e23e93054b83f7c8285aec942efd62c890457793934431c8c898594e23c95d56d3c7674e5d4289048da2b99a03e9e1c170495e9fe2d1da
SSDEEP

24576:5nuzxukaWAvuQi+rVfJFBu7I2cJy/OwdvWJqTFqyhSW34uzxukaWAvuQi+LVfJF6:5yTauQ4/cImvWzDTauo4/cImvY

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11A5BA61-3FD0-11EF-B3C2-F67F0CB12BFA} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3064	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3064	vlc.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
1476	iexplore.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe
3064	vlc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3064	vlc.exe
1476	iexplore.exe
1476	iexplore.exe
1184	IEXPLORE.EXE
1184	IEXPLORE.EXE
1184	IEXPLORE.EXE
1184	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2804	2544	cmd.exe	31
PID 2544 wrote to memory of 2804	2544	cmd.exe	31
PID 2544 wrote to memory of 2804	2544	cmd.exe	31
PID 2804 wrote to memory of 2876	2804	rundll32.exe	32
PID 2804 wrote to memory of 2876	2804	rundll32.exe	32
PID 2804 wrote to memory of 2876	2804	rundll32.exe	32
PID 2876 wrote to memory of 3064	2876	rundll32.exe	34
PID 2876 wrote to memory of 3064	2876	rundll32.exe	34
PID 2876 wrote to memory of 3064	2876	rundll32.exe	34
PID 1476 wrote to memory of 1184	1476	iexplore.exe	37
PID 1476 wrote to memory of 1184	1476	iexplore.exe	37
PID 1476 wrote to memory of 1184	1476	iexplore.exe	37
PID 1476 wrote to memory of 1184	1476	iexplore.exe	37

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\grabber.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\grabber.rar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\grabber.rar
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\grabber.rar"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:3064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1476 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cff37bf0310938104f5205bd8357fec

SHA1
3f5c4dd08ee981b08eaabdee0458caa03db8cc88

SHA256
51b7a5fddcb241d531b97e64517c09ac0b8547309899ca703a0f38732e7c44ff

SHA512
4515c7507b882dafb90398922eea657976dc89e839c5bc6caff9ad7dfad714593693d07064b2badc84b013114b0e495ca8575a80745ec8d1ca97bfb4342c0bbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91c80edc8f11e9ba2ef3fd6bb8a5abfd

SHA1
4ccb9cab66ec4236ed9cb8fd0833b0df5f50537e

SHA256
9b7c1d26c47109195577424b2f14cdfa38f2a0b886b29f9f42658dae87394830

SHA512
8669d8d0ffb6e13d6021a426af4bb15f50f4bd4faf7ba3e61212e483d8a01667a5f3913fabad7c3b5925476825de0fcb57dd9d18bf9cf62ebe63f340b1625692

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad12a870dfc8f7ba6b46d453cbdf5d19

SHA1
787968ac1e6edfd2ed970ca768c99ebdaa491c83

SHA256
cd70225a7d3ea64557f744ad9fcfd1fbb2d837fbd15eac04cf2de3520da5e83c

SHA512
0784df01e7badffced13cfd3a2f98725fd8ff6d165a1d69948777607928f93c699adc2269bfe4b2e4faf52ff7a21dbb352b66a2f50c5a2b0ce35500bed61ab78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd4f0b0a97b0130924a712f55d25f307

SHA1
57e7d114702077dc0ec7ca85e5aed24228c2e6a9

SHA256
01b80f21c6fb039afb569fa7d278bd14dc5d3c7aed9760705bd0ac2032c7baa4

SHA512
3bd16c9bff0b33111e202c803875ac360e2c025fef8763446cf6aa2753e1cecc25dc4963f9285d519ef06376cf3f7fdac5261482ebe4853a55a59c464fb11746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79dbe74cbe76b60278d0667754075e0b

SHA1
8dbb5ed441472b407ca93a92aacae9aea41ca533

SHA256
363379548d15c31f2eff2a73ecb3630d7a88c4c8d22e9128205622c1d4410057

SHA512
21c860924e86772866ad9ef2c86ea4225b63508adc51eb10b8e22d73364f7d63d9de51893d091f8cd62bfc1823dc8f0dfb59214ca16bbb176500ce570549e847

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bdbe49efa8e15290f57435604d5f6ad

SHA1
8b297ae6e08be6701f4d313ff2699fe4a8198802

SHA256
84d40bc8f8ee39ce5d2f85623c6b01107b97adc9d96a58aa8673d58013009ef5

SHA512
67101c11a960d1c197a6b5d83e571af328748c221c05f368d2d292cccaf39c1b3f12f9d07ad41ddadaff320056613681c1f6180e19c59bcc12cb1c2338943173

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afe13aafe0df59533eeb31a049f42171

SHA1
0648046c09dcbe4ba6817907891a6950dde30788

SHA256
eca8061dad5560e9d0a8ef058a6f272b5aaf4c4fd07162c8e303858e10e459ba

SHA512
f8ff2caac8a47ceb8699b839b8c0bd1dc6b48b51ea1837712e8244bd492ae7e99dbbe1ed3530706caf467645cf0b002a7a2b7055750d4d11f666a7d06e9b3969

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb45bdcc94474af3779eff768d16c698

SHA1
6e7c78c3fb14bea6a49892304547096dfbe496e4

SHA256
b2a951b45c57a69eae79e90f3956fd8d0263f4e5856b2ebca640103437237e03

SHA512
4522b1571ef669d4971c19f6f99cebe74a00c28062b570c0beed546787ec1e1285d9cb81900eaed8ab3b05b021574b0e37862af005a4b42153446c1b7175750d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab731E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar73DF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/3064-52-0x000007FEF6C10000-0x000007FEF6C8C000-memory.dmp

Filesize
496KB

Download
memory/3064-57-0x000007FEF5360000-0x000007FEF5378000-memory.dmp

Filesize
96KB

Download
memory/3064-37-0x000007FEFB2B0000-0x000007FEFB2CD000-memory.dmp

Filesize
116KB

Download
memory/3064-38-0x000007FEFB290000-0x000007FEFB2A1000-memory.dmp

Filesize
68KB

Download
memory/3064-31-0x000007FEF6820000-0x000007FEF6AD6000-memory.dmp

Filesize
2.7MB

Download
memory/3064-39-0x000007FEF56F0000-0x000007FEF67A0000-memory.dmp

Filesize
16.7MB

Download
memory/3064-43-0x000007FEFB270000-0x000007FEFB288000-memory.dmp

Filesize
96KB

Download
memory/3064-48-0x000007FEF7A30000-0x000007FEF7A41000-memory.dmp

Filesize
68KB

Download
memory/3064-47-0x000007FEF7A50000-0x000007FEF7A6B000-memory.dmp

Filesize
108KB

Download
memory/3064-46-0x000007FEF7A70000-0x000007FEF7A81000-memory.dmp

Filesize
68KB

Download
memory/3064-45-0x000007FEF7810000-0x000007FEF7821000-memory.dmp

Filesize
68KB

Download
memory/3064-44-0x000007FEF7830000-0x000007FEF7841000-memory.dmp

Filesize
68KB

Download
memory/3064-49-0x000007FEF7A10000-0x000007FEF7A28000-memory.dmp

Filesize
96KB

Download
memory/3064-42-0x000007FEF7850000-0x000007FEF7871000-memory.dmp

Filesize
132KB

Download
memory/3064-50-0x000007FEF79E0000-0x000007FEF7A10000-memory.dmp

Filesize
192KB

Download
memory/3064-41-0x000007FEFB0F0000-0x000007FEFB131000-memory.dmp

Filesize
260KB

Download
memory/3064-51-0x000007FEF77A0000-0x000007FEF7807000-memory.dmp

Filesize
412KB

Download
memory/3064-40-0x000007FEF54E0000-0x000007FEF56EB000-memory.dmp

Filesize
2.0MB

Download
memory/3064-36-0x000007FEFB2D0000-0x000007FEFB2E1000-memory.dmp

Filesize
68KB

Download
memory/3064-53-0x000007FEF79C0000-0x000007FEF79D1000-memory.dmp

Filesize
68KB

Download
memory/3064-54-0x000007FEF53B0000-0x000007FEF5407000-memory.dmp

Filesize
348KB

Download
memory/3064-55-0x000007FEF67F0000-0x000007FEF6818000-memory.dmp

Filesize
160KB

Download
memory/3064-56-0x000007FEF5380000-0x000007FEF53A4000-memory.dmp

Filesize
144KB

Download
memory/3064-35-0x000007FEFB380000-0x000007FEFB397000-memory.dmp

Filesize
92KB

Download
memory/3064-58-0x000007FEF5330000-0x000007FEF5353000-memory.dmp

Filesize
140KB

Download
memory/3064-59-0x000007FEF5310000-0x000007FEF5321000-memory.dmp

Filesize
68KB

Download
memory/3064-60-0x000007FEF52F0000-0x000007FEF5302000-memory.dmp

Filesize
72KB

Download
memory/3064-61-0x000007FEF5220000-0x000007FEF5241000-memory.dmp

Filesize
132KB

Download
memory/3064-62-0x000007FEF5200000-0x000007FEF5213000-memory.dmp

Filesize
76KB

Download
memory/3064-63-0x000007FEF3680000-0x000007FEF3691000-memory.dmp

Filesize
68KB

Download
memory/3064-64-0x000007FEF3620000-0x000007FEF3677000-memory.dmp

Filesize
348KB

Download
memory/3064-65-0x000007FEF35F0000-0x000007FEF361F000-memory.dmp

Filesize
188KB

Download
memory/3064-66-0x000007FEF35D0000-0x000007FEF35E3000-memory.dmp

Filesize
76KB

Download
memory/3064-67-0x000007FEF35B0000-0x000007FEF35C1000-memory.dmp

Filesize
68KB

Download
memory/3064-69-0x000007FEF34C0000-0x000007FEF34D3000-memory.dmp

Filesize
76KB

Download
memory/3064-70-0x000007FEF34A0000-0x000007FEF34B1000-memory.dmp

Filesize
68KB

Download
memory/3064-71-0x000007FEF3480000-0x000007FEF3494000-memory.dmp

Filesize
80KB

Download
memory/3064-34-0x000007FEFB3A0000-0x000007FEFB3B1000-memory.dmp

Filesize
68KB

Download
memory/3064-32-0x000007FEFB600000-0x000007FEFB618000-memory.dmp

Filesize
96KB

Download
memory/3064-33-0x000007FEFB3C0000-0x000007FEFB3D7000-memory.dmp

Filesize
92KB

Download
memory/3064-29-0x000000013F5A0000-0x000000013F698000-memory.dmp

Filesize
992KB

Download
memory/3064-30-0x000007FEFB3E0000-0x000007FEFB414000-memory.dmp

Filesize
208KB

Download
memory/3064-72-0x000007FEF3460000-0x000007FEF3472000-memory.dmp

Filesize
72KB

Download
memory/3064-73-0x000007FEF3440000-0x000007FEF3454000-memory.dmp

Filesize
80KB

Download
memory/3064-68-0x000007FEF34E0000-0x000007FEF35A5000-memory.dmp

Filesize
788KB

Download
memory/3064-74-0x000007FEF3420000-0x000007FEF343E000-memory.dmp

Filesize
120KB

Download
memory/3064-75-0x000007FEF3400000-0x000007FEF3417000-memory.dmp

Filesize
92KB

Download

Resubmissions

Analysis