dada32cbd82318063d5af1f11e8a8a510102fa129d2caba30bf2c04810b1576c

Analysis

max time kernel
120s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 16:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
Size

1.7MB
MD5

b43a337eaf7202c3e2f9e344d42fb9d5
SHA1

c26f387ee032b6140c742273b40bc55cd65ade05
SHA256

dada32cbd82318063d5af1f11e8a8a510102fa129d2caba30bf2c04810b1576c
SHA512

5190c601ec41f025f66d12a22161430d8568bb4faf34691082ed09bde730777854a168334d704584d8392af50ddd3ba3ef96ec62eb1040f7dee7a71b8d1dcab0
SSDEEP

24576:mFxS0wzdHOzWJnUrdQnTkJ1Ru9SxT+mJDz6yd/9pnrwA/d6s:0SLzdHisCdIQ3Ru9g3Bm+lKUd

Score

8^/10

aspackv2 discovery evasion persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 12 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}\Locale = "DE"	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}\Version = "6,5,5,3"	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}	expIorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}\ = "shar"	expIorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}\ComponentID = "shar"	expIorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}\Locale = "DE"	expIorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}\ = "shar"	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}\StubPath = "C:\\Windows\\system32\\expIorer.exe"	expIorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}\Version = "6,5,5,3"	expIorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}\StubPath = "C:\\Windows\\system32\\expIorer.exe"	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC9E9B94-C859-CE2A-A501-BB3F4000CAC0}\ComponentID = "shar"	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a0000000120f9-12.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2956	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2644	ICQAwayReader.exe
2744	expIorer.exe
2516	ICQAwayReader.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine	expIorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\expIorer.exe"	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\expIorer.exe"	expIorer.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\expIorer.exe	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\win.com	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\expIorer.exe	expIorer.exe
File created	C:\Windows\SysWOW64\expIorer.exe	expIorer.exe
File opened for modification	C:\Windows\SysWOW64\expIorer.exe.bat	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\expIorer.exe	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\~temp.html	ICQAwayReader.exe
File opened for modification	C:\Windows\ICQAwayReader.exe	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
File opened for modification	C:\Windows\ICQAwayReader.exe	expIorer.exe
File created	C:\Windows\~temp.html	ICQAwayReader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICQAwayReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expIorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICQAwayReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000c5834b3dedaa7067e21271610d89449333272e052d9e4d4b708d4fef1c4976f5000000000e8000000002000020000000e15b593edbd5b375531c8b2f88fa60aeab3797d773ec9138b7e9aa32bdccbd77900000002a0359662c80324c76fda9eb67e8f8a2999e599ac2c1bab01cc5d7514c939ba350760f4337c7101319f0c1160ac53aea874631803f72782057baea8b97647dde33d2e591bb021fea18817597368ce4dd94b30be4efcd636ab0190d61a59462f3fdaf84a52d93c504f287ded6689d384d0101d55c2fdf745d6eba5d1d48171cb2ebf837dee68acf360dfd1df200f5919840000000109b7e20913af846ca6ea5f1f9dea3de1d4bae3582e3eec58b5516c44aa7396d7b7d7a6420c85914cd900f35209b373c59cb14e9683aa833c560d9e98b009f23	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90df1313e9f3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49124281-5FDC-11EF-A6D9-6ED7993C8D5B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000a3d7aeaf35c4f7c19b9fe4c1195cd115906ca95a4e2a4df303f5f9a3d6f81462000000000e800000000200002000000056d7c07c87143d33724ed4f65110b95f9bf1673ca953172f0e2c242bed91e9e020000000e843c5e6f54cec25e96df2d9c4a3324b2af5439d8e747d7a4eeeade92922628e400000004e3b193f3dc9c5f39d26b4f5b93c8a45b576030a31f1cde7fac3675d3c069d4168725a817be4da088cc98037e6c11d4fdc3b9813d75b00ac76c9104718662c1c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430420387"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
2744	expIorer.exe
2744	expIorer.exe
1896	iexplore.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2516	ICQAwayReader.exe
2516	ICQAwayReader.exe
1896	iexplore.exe
2644	ICQAwayReader.exe
2644	ICQAwayReader.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2516	ICQAwayReader.exe
2516	ICQAwayReader.exe
2644	ICQAwayReader.exe
2644	ICQAwayReader.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
2644	ICQAwayReader.exe
2744	expIorer.exe
2516	ICQAwayReader.exe
1896	iexplore.exe
1896	iexplore.exe
1928	IEXPLORE.EXE
1928	IEXPLORE.EXE
1928	IEXPLORE.EXE
1928	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2644	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2644	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2644	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2644	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2744	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	31
PID 2064 wrote to memory of 2744	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	31
PID 2064 wrote to memory of 2744	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	31
PID 2064 wrote to memory of 2744	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	31
PID 2744 wrote to memory of 2516	2744	expIorer.exe	32
PID 2744 wrote to memory of 2516	2744	expIorer.exe	32
PID 2744 wrote to memory of 2516	2744	expIorer.exe	32
PID 2744 wrote to memory of 2516	2744	expIorer.exe	32
PID 2064 wrote to memory of 2956	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	33
PID 2064 wrote to memory of 2956	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	33
PID 2064 wrote to memory of 2956	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	33
PID 2064 wrote to memory of 2956	2064	b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe	33
PID 2516 wrote to memory of 1896	2516	ICQAwayReader.exe	36
PID 2516 wrote to memory of 1896	2516	ICQAwayReader.exe	36
PID 2516 wrote to memory of 1896	2516	ICQAwayReader.exe	36
PID 2516 wrote to memory of 1896	2516	ICQAwayReader.exe	36
PID 1896 wrote to memory of 1928	1896	iexplore.exe	37
PID 1896 wrote to memory of 1928	1896	iexplore.exe	37
PID 1896 wrote to memory of 1928	1896	iexplore.exe	37
PID 1896 wrote to memory of 1928	1896	iexplore.exe	37
PID 1896 wrote to memory of 3004	1896	iexplore.exe	39
PID 1896 wrote to memory of 3004	1896	iexplore.exe	39
PID 1896 wrote to memory of 3004	1896	iexplore.exe	39
PID 1896 wrote to memory of 3004	1896	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b43a337eaf7202c3e2f9e344d42fb9d5_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\ICQAwayReader.exe
  "C:\Windows\ICQAwayReader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2644
- C:\Windows\SysWOW64\expIorer.exe
  C:\Windows\system32\expIorer.exe 1
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\ICQAwayReader.exe
    "C:\Windows\ICQAwayReader.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.firefox-browser.biz/
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1928
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:209940 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\expIorer.exe.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ca201306cf004d1830acf27cd280126

SHA1
21ba12429f53979639cf6ee41d6752d1249e766a

SHA256
17e1c7811c68de839667bacc9ded94c1068fc3011ace2917a4b8d54a27807cdf

SHA512
1e158470c5d6c835c8da654b398a97a51a73e1b9c71b05ae94e88a7f015e101db354c0c58b308f5efe4dd4d60cb2ce59f6beea244d25a6af84fffe08cb75b314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1370896b701b090630d760cd56963982

SHA1
bd4a8bc4497ceaa975cdf0c20b550e68556881d5

SHA256
4574abcb13f9a387fef82780877dcecfa787864ad633a557ee31f26d22624ae0

SHA512
5435e81e23fc845d3cc04d36c4472d173041785c49ed8b1486892dce640c8100f23cdda55406a8897134b691f43f1ccd3a17c8bac6820ea7104c4c55080575e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5ea92f7178c68bc8ad04b61f2d24a92

SHA1
4377ffd555f25734631c706f2465e14fdf28d941

SHA256
93e7af980e9f44e9d1d33521857d36976e078f5c6a7b699ffca7924e251dfc6e

SHA512
6c3d6e1b6f1db781f70358f2157a1e9afc32225a2bf717b7722cd628e9b4040253c8cbb51bde982477cfd53664c650b64ce5d1f9b3cc2b10da6eb6a96ca17ba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed219333147bbd1ec98473e804a3e5f0

SHA1
100819c0c9eefc0acd9189c26201da008a789ff7

SHA256
0ae60508c8aefb58c9b41c887fb77e96cfece4f11ca08d798d6616bccc785b12

SHA512
3413bbaa29e30e01ebb6747e66fc9ae2a8a3f99ae8aac96f6e897a7cd1950476ec2e885bdc873330f317ec4161140ebfc819a42f6bf7bdbc8aff8b72d6e79cae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01124fa80f2aeac37e78cc2155fbaffc

SHA1
fbee329b877a546f532c25e46af7fc9eaaf49cad

SHA256
1e4fcae39d4fbf28fbe7328fdc494b4a210d36642b8ae3991d17f4160e6ec613

SHA512
f4f3eeacb23a924b640d14ffe7c4d2e2477678d9cd7d6c692c93667415eca32349027e8d591843e852d7ab8dbea9c1f6498dff4958e5180a6dbd00107b00cb2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bf3cdbcf4791b6c34fa879be801a109

SHA1
872f274a95447e498266814f2f7a8cddf1cd4c62

SHA256
d055b4fc1e0ac488b2f896edabd88d6671f593b24abe8df5391c2393dbd2b6fa

SHA512
ad4b7e1d4124462dde51ed5f143961d70e74d22f55c04302793285ce4800c35422e0bf2c705ab6770a638bddf078409119c9c33978991535cace17853e915f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
299e324e490c3193b900bfce78d5f766

SHA1
6bfcf62601ddc300b97b264bbd315fa18e05be62

SHA256
5bb4d405b38fa3ca7beaf4cd9d624bab5f1488196b1c0c639dcbe6099c6aac87

SHA512
9c9c43f52291509dc7d4ec501b1e2aac96990521948a9c0eef81f46606dcf1bbe866d32547e403ccf3785874e12472800e0fa306d1b11ad0ad2b4796a0cf10c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f35da65d563e607cd6794607ce7e0add

SHA1
5070c21626da69fb658a9f652a723f95f6097a70

SHA256
b05ae98ca9b204c28d1df06edbb2c7d9a046dcc7ce9af0ca8f4702b6d2357609

SHA512
9c134e26adec1c9fd9f489baa74a7374397da951c684ba38b7c1cd4bd2c84e465cacf380af1b734265ae39b0d70e38b6d766eee29451c0868ecec590a0a9cf9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99436cefa84a13290157f165790f3f94

SHA1
b074a58afde3f176d32a7f28acfc4e1413be21d3

SHA256
1d21811f6e919e356c79ce3052440ae457c7a92fdafa53aa93161e804ef64faa

SHA512
c5e2ceb79aff42ef70a0ae59a7787ed8647c2582f26478eb6f10be3509b49fbadd98e1f06ca606b84b3bb6260e5c55c27cbd84784c4e70184f2e7cdd7db898f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d1fcc7219febeb6fbed751f4b83ddee

SHA1
87a71665578ffcdf7b00073a0e25d12a3e0153fb

SHA256
d57eb3055e21cf9355c5f0f29d436b3dc7ac7cb3d71724c93250672fda6981ec

SHA512
891d7227e07b7b910165f96eaefd0d817151a1aed1d0f98d388df587b92209e10b4af17c063468a8711bd879a9b76cb449dd56423c3333d6479d21e6220642b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3503adcc880cb8ce6028aff9f9228e47

SHA1
9df3886d40995e5a080272312b1fcb241871870a

SHA256
df1890f4d7ed07f049db747517e858f5616dedd4fa53fa3e6888cc8beb865d3f

SHA512
df2a26dda716ac11047ac0b9d0c0e3303468dde98fce3323db78c6d0ad065ae4effbffe4be4bb56cfd9c835136ca9ec901de923fd6c40ed2820938473473cf8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78a8f0bef99a1910bbe6efd157f848fc

SHA1
420a9bdc188cb80cfc3d08612593aafb747ab5a3

SHA256
e5fc3dcf5ca6bda9089b3f32ee8232ae5a3926f22ab6a5434995a2429637839e

SHA512
49d1c8f51e5e7b4272d02881ef80ba9762b1ee28f91145a20a78a839cd8767d27a81e43810b62f5c4fcca12d763dcb17478c8c80f9a2cd8321db8c883d203602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d62d16e0cbf7e2f4912806f0b90f2742

SHA1
ff9e1eb8f6a6de951a654cb8b1b35b564bf73c45

SHA256
8a64316ff3f0b0325c85e81d097fecbab8d9729ecd4c8d946cbf9f2d94929035

SHA512
dcd4f2ed417f80e3f3c630b4d7178a3d5843bacccf1a614d738b0782bc0132249b9e8bdf1f5d9dcc6d4c3906de854580ed17a76177ea7b16a0301af80c090528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aef85563ca6236094fb8781d3979ed02

SHA1
15548c17cac33a1fcc3229848cc8640e4f7f7fbb

SHA256
aabc9ba1b34792e432ef25e7876071063cecc1d845074d5d44a7339ab9fcc935

SHA512
2449a29fb09e2a4f5e7d63b5333eaa126549616cde8561907c51759115230c691f04638deebe6094cdedbb10f62724aeba5f2f102605331e86bcd2870e5c0e0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d62afed95cc8daf1e3a301bda611c09e

SHA1
99c8fff097ba51e8fcdf923929dc354566307c60

SHA256
25d0dde69f324ae3f7b1b15d6046660dcc1eb4fa0fc479cc8bbe4c3f0b31d2f1

SHA512
c586ffa3ae7b23e3337dc1f671f8b33513c6690c58592710a16588160f45618d095479de47a4a6851599f5568ca5f0d050b1048cfed65ff4884f6f8b99537554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdd9e128d6f8bc28b316b0ef0bfec508

SHA1
d7d25b58c7b853ae12a2b3d0dd064a3d4679af06

SHA256
26353340967aa8655f617c2474d377ab25ae6185cb3d2b4a526fe762a41c8060

SHA512
24d237d70fbc1c9c04e9c578009e6bcde6e90284202dffc955cf28e7db4d9802cb8726d4c43ff6da4f2361d9c2b7212274c8b3e517626ea6033994378ee66200

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA02.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA92.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\ICQAwayReader.exe

Filesize
240KB

MD5
e6b7754c9f8c878449764e604c4a16a5

SHA1
dff1c7db949180d9bc435c23901a63707c23a586

SHA256
803136a62b579442434fca557b9c0406fe4ba153e8a815da2bfacacb90212367

SHA512
cf09e9ffc634f90467e9a18bd51de18575fa164068b86f7a4a9d3acfeaa31477895b381218c599f5ca9b99eae4822ea5aa3c22ee7e92ba98a9de7e7421d99dcd

Download Submit
C:\Windows\SysWOW64\expIorer.exe.bat

Filesize
209B

MD5
ba51ad179c216b9f32974ed4b1c09db5

SHA1
4db7eaec78e8c8a8c0dd8046fe0907581858b7f8

SHA256
2d2fc98db6e98c2e20fbef056b1ee91fc81cfd888f1757da29267c0126662c4d

SHA512
c4a7cdcec5103e1076a4e9bb95544bc23d0017e7e03ed57b42d1b74ec1d1326a4e795821817c2a74865f20eb00672b3a0fd464ff76f791b152bf37e2107c4d6d

Download Submit
\Windows\SysWOW64\expIorer.exe

Filesize
1.7MB

MD5
b43a337eaf7202c3e2f9e344d42fb9d5

SHA1
c26f387ee032b6140c742273b40bc55cd65ade05

SHA256
dada32cbd82318063d5af1f11e8a8a510102fa129d2caba30bf2c04810b1576c

SHA512
5190c601ec41f025f66d12a22161430d8568bb4faf34691082ed09bde730777854a168334d704584d8392af50ddd3ba3ef96ec62eb1040f7dee7a71b8d1dcab0

Download Submit
memory/2064-32-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2064-46-0x0000000000401000-0x000000000043D000-memory.dmp

Filesize
240KB

Download
memory/2064-19-0x00000000052C0000-0x00000000053B4000-memory.dmp

Filesize
976KB

Download
memory/2064-28-0x00000000052C0000-0x0000000005432000-memory.dmp

Filesize
1.4MB

Download
memory/2064-59-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2064-60-0x0000000000401000-0x000000000043D000-memory.dmp

Filesize
240KB

Download
memory/2064-16-0x00000000052C0000-0x00000000053B4000-memory.dmp

Filesize
976KB

Download
memory/2064-44-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2064-0-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2064-4-0x0000000000401000-0x000000000043D000-memory.dmp

Filesize
240KB

Download
memory/2064-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x0000000001DA0000-0x0000000001E93000-memory.dmp

Filesize
972KB

Download
memory/2516-45-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2516-62-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/2516-64-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2644-21-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2644-499-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2644-69-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2744-51-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2744-33-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2744-31-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2744-30-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/2744-36-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download