c0ded08b56e4ebc91b7af25fcc49a5c871678c4c17d204863cfebf4150ec6756

Analysis

max time kernel
104s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 12:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
Size

3.6MB
MD5

cbe6a99c2f0d656b5588cc2af8b5a5c0
SHA1

10ba4c226f046ada5bbedf578eae9825d18be498
SHA256

c0ded08b56e4ebc91b7af25fcc49a5c871678c4c17d204863cfebf4150ec6756
SHA512

aeb3a113a8b802179cf8649a73368d354ef4705269298d7d0a1b0d67f1f759de70e68e38aaa5619335a7703bb86f3190dbb9b867ba022f6d5f4f020be1428efc
SSDEEP

49152:cwVJ/qUQ5F5EexZD63Wb5wSSnebipRCoBRI17fMt6v77/lClNiuHL1jGgJ6OdoGr:3/257I6GnaipRT/md77AlDL1XsOdLVJ

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1720	wmpscfgs.exe
2336	wmpscfgs.exe
584	wmpscfgs.exe
776	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
1720	wmpscfgs.exe
1720	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

pid	Process
2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
1720	wmpscfgs.exe
2336	wmpscfgs.exe
2336	wmpscfgs.exe
1720	wmpscfgs.exe
2336	wmpscfgs.exe
1720	wmpscfgs.exe
584	wmpscfgs.exe
776	wmpscfgs.exe
2336	wmpscfgs.exe
1720	wmpscfgs.exe
2336	wmpscfgs.exe
1720	wmpscfgs.exe
1720	wmpscfgs.exe
1720	wmpscfgs.exe
1720	wmpscfgs.exe
1720	wmpscfgs.exe
1720	wmpscfgs.exe
1720	wmpscfgs.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
File created	C:\Program Files (x86)\259451690.dat	wmpscfgs.exe
File created	C:\Program Files (x86)\259452220.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431876110"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000d8a8c99f2980b0719709ad3aac595dc5c618339969f92a8f591a2d3da7dcc6e2000000000e800000000200002000000014c6b3dfab11b12993e79b2d220635b06fd74a8d4effa8dcee2c7c3e811d144390000000194506b4c18365eb74add2db0f57fec35e81ed21e26c4bbf3b4adf0cf7c8302172ccfb63b19b0471fdce1014a39e8e4da9150ba2bc80f6bc7432faa25f2dda31b975face5406233851ce9427585a6b6c01f4eb407c503f25e2f639f8d87064deb978cad838889d05b4e455b0cf4cd6ce8f4d5adf31d10881d79fb1de71a16e072cd307e02a6c26a4c5d0915a24fb0b8240000000d283c3529dc6f5d5b0928fcbfb50d1f19aaceab9a30fef4707fee0ea228fce424d79491744735b5270a44feece126ea43da6b0d56987c1fef2605c6b6314022e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e06b0c6c2601db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A68FA341-6D19-11EF-86C1-D60C98DC526F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000007fdbbf128e7fc2ef093e121f3f7769caf2f0372ef591ea34effd388a375984ce000000000e8000000002000020000000a1e3d71c0924cc03a0d8920affee9588bb1e80b6e3ce0b47e3e5889ff23fb07d20000000b4a849a5da32f45b404f9b8864af92a7c8ee363f68590ab1b409aa2a090d25d3400000001ad41c3452a55550d85f6075c7eda7d40b22cd1bfcd17e1f4c2f0e20d32d941feb28b5f02f88d9d17581d5317db5931824df9c19b82eb26236a1f23a975cc36c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
1720	wmpscfgs.exe
1720	wmpscfgs.exe
2336	wmpscfgs.exe
2336	wmpscfgs.exe
584	wmpscfgs.exe
776	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
Token: SeDebugPrivilege	1720	wmpscfgs.exe
Token: SeDebugPrivilege	2336	wmpscfgs.exe
Token: SeDebugPrivilege	584	wmpscfgs.exe
Token: SeDebugPrivilege	776	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
1720	wmpscfgs.exe
2336	wmpscfgs.exe
2592	iexplore.exe
2592	iexplore.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
584	wmpscfgs.exe
776	wmpscfgs.exe
2592	iexplore.exe
2592	iexplore.exe
484	IEXPLORE.EXE
484	IEXPLORE.EXE
2592	iexplore.exe
2592	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2592	iexplore.exe
2592	iexplore.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2336	2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe	30
PID 2504 wrote to memory of 2336	2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe	30
PID 2504 wrote to memory of 2336	2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe	30
PID 2504 wrote to memory of 2336	2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe	30
PID 2504 wrote to memory of 1720	2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe	31
PID 2504 wrote to memory of 1720	2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe	31
PID 2504 wrote to memory of 1720	2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe	31
PID 2504 wrote to memory of 1720	2504	Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe	31
PID 2592 wrote to memory of 3048	2592	iexplore.exe	34
PID 2592 wrote to memory of 3048	2592	iexplore.exe	34
PID 2592 wrote to memory of 3048	2592	iexplore.exe	34
PID 2592 wrote to memory of 3048	2592	iexplore.exe	34
PID 1720 wrote to memory of 584	1720	wmpscfgs.exe	35
PID 1720 wrote to memory of 584	1720	wmpscfgs.exe	35
PID 1720 wrote to memory of 584	1720	wmpscfgs.exe	35
PID 1720 wrote to memory of 584	1720	wmpscfgs.exe	35
PID 1720 wrote to memory of 776	1720	wmpscfgs.exe	36
PID 1720 wrote to memory of 776	1720	wmpscfgs.exe	36
PID 1720 wrote to memory of 776	1720	wmpscfgs.exe	36
PID 1720 wrote to memory of 776	1720	wmpscfgs.exe	36
PID 2592 wrote to memory of 484	2592	iexplore.exe	38
PID 2592 wrote to memory of 484	2592	iexplore.exe	38
PID 2592 wrote to memory of 484	2592	iexplore.exe	38
PID 2592 wrote to memory of 484	2592	iexplore.exe	38
PID 2592 wrote to memory of 2740	2592	iexplore.exe	39
PID 2592 wrote to memory of 2740	2592	iexplore.exe	39
PID 2592 wrote to memory of 2740	2592	iexplore.exe	39
PID 2592 wrote to memory of 2740	2592	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe
"C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_cbe6a99c2f0d656b5588cc2af8b5a5c0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2336
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:584
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:472069 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:484
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:734218 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44b6cd3d8b570c29e326a9e571d11c1e

SHA1
0de02b76bb86b2faa651b9e6092dd53c5de57294

SHA256
7582cc88f4173581fbc59242ddcf8b00f7fa3a143826befe7823f4f46d9c7ae2

SHA512
bbd28ffc782cbfdaa2478a8631ef379919fe3ad59c89b081006ea830f5bd6a1a08edb1ba46b138dcd455db04847983f321372e662cbc00eaa5cffced2dcae5d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afeb436fe9a1935c83c0b2f2c1cedd63

SHA1
7f4fa384ebf8435134502786dd9602d19059d40b

SHA256
5a86c6bb2f51106af24d20bc0f2aca4b70d76631dc5d23ae8b4b36553ee094d2

SHA512
74e8c6359f662d0523264dd50f15fef7264d280240478b811250be964079a0befa6997b7fc87ff012361844e772d65c669f0871010727b0c0358026e5e9b5bb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cd1d68322615ce4199fead6dafc28f5

SHA1
75ea4ac0204f99fdb786c5a02563fd9e8fd75e2b

SHA256
9e2bfe5cb7e1e00d0bfaf243e8c643ad12a7c180e2ad16aaabd147ce3f7e52a7

SHA512
3dc92d10b985f795a62eb01604198b1a03f3042c8580c334a5555e7803419e84fc29f46622b5b5f9d817fda3c6bdcf2f095d651071f5f71c19f8866b8ee4d454

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
217ae15da2c64edf4372e84c43840787

SHA1
601c435c36a26556f11ab225b6344861315d097e

SHA256
8531d00a8b566f5451b167fc3aa6fced643e29462ed5bfc4ba883ad069a6d52d

SHA512
5ff97edb1af4a08d7e5789ef1b16e71c3dcef8ab95d7b9dd0d61b81ac86c68fdb4ba936d89ac4398a31517c0567fc083077a7555754bacc41a9aaf96f66b0456

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
204da7d62cf8f87650a7a8fae5ef694d

SHA1
78d6bd14411c1229a9e07026dce31ebb25727d28

SHA256
8842017f3288e6d2c38ca02872436fb1658f00bc3b87b43b8f683782bbc8cb7e

SHA512
ed7b004c20fd574fa53a730b63dd73ca6bee0d2c5f4833e40fa55e1e7bec4ac719f145156f5d7f44a2275c235bd1b85462699cf6269c022fef54fe713b71a008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e8992e76dba0278f3e0da038663a605

SHA1
4b384940d24ee67d0ddc6ffad610fec5acb33be9

SHA256
0c1046bed20f25144d20db88558c59571df43a62b1719fadffe3ba52a681a97b

SHA512
c81a363044ec255dd2b021887d3c97122da347078dd547dafdbce94db357f3cb230682699160a4397b293e690f96cc4bd4cba064d5bb38dc1b97db49b9cadb8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0926b9eb3309535a8720af6958ddd02

SHA1
929d74647b7bdf3731ed5d4f5ff6b9002dda415c

SHA256
9088f057029afabc72c6c7dd1ed6552dc45e6525fc79fa32d671fa0a7fda0cff

SHA512
9287a8d0105ff72019f4bb0e0bb735da0b5d9a35190b120a4ce00f6117054a2d0e692dbaf48704e51ab18e552563584b3d360f7458192f035ccaa3d07d90bd72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77310248f2cd926342090c2df7644f21

SHA1
c706685c0b89940d92f7d777e287c6f707bb1e61

SHA256
bfdb041f44870544ea1c5edef83cf08ee684d990545457ae6ff1f4ab5c21f71b

SHA512
92cf71b83741e7f8f748599a756e05e914c1b05e84d5e3f550b311967bb5c70cc11dd88de4b19328b76747211a800ae4ea8ea920205271a48eae094345240f3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
334f4687cc62c85acaeec4078e2a8b8f

SHA1
8774b8278b2b691e6bd723033fecefc54026dadf

SHA256
cab4e68a4fba3d4936c2078cfe26e63b8a495dc42d00b2d75ce17ac9bfba2871

SHA512
b0f2c70c71ab2571387b7cf76981f109b576f4c29c4c6e1e698f7460f09eeb1b749da3ef288d08d09c7c520f8c709ce7eab0f9c88c8648ac42533f3b1fc0b935

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8de1ec861fd13eabc7f8a0c75bca4f88

SHA1
c85ec3caefb76620c2b2626da30fc83c18395a86

SHA256
4ec31db5ad119acf79e8f2f996e03c78d3ce6785b6c09b2f1daa4e8673a0de33

SHA512
67e06e55975f781139c116b6ec16e498c4bb1a79ef76d9f122a4ed42e44794afec8cd97bdab68fa6d1a724e7c1aae4f858dc994c8620eea63a5facded92ae065

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
042fecea5bfbe37698400e191bea18b2

SHA1
15543ecaf6a33deb23349361350a595853cde4b8

SHA256
07d4891d805bdaf73614fbbe1b7ebd81843eb533cb065d2f3a0095817addc0f3

SHA512
9f268dc38a11f71206b8460752d6f551055e12a64a9562dabedccc533f5d6a4b88462530cf6c877dd0b330b1fc76246355400ea6d5d85cd5d80eab5f80fc701c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08cf29f416b74c80d3adea41804b3de9

SHA1
6a8502d55cead45867934e5ef60cdc7c1d7c39d9

SHA256
59e6adc9989aef58d08940fe92b40a88f8ddf2bd046bf2697ea9776abd40a430

SHA512
253b17b2924f3df517cead62232af300ec12855eed801571f82eeb34a1dc77daeb3ae66e559912de9039fbc0d9a23e081708bfbd5c157a309647060b000dcb5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21d3c67f5861a42e056787480f13dacf

SHA1
7c1cec290fb49b454fc89b4a857f896e6fb0f0ce

SHA256
1a44c2255760540753ecdbe6824bc7eaae4b5de113d14eaba41506772eb8378a

SHA512
81386886c7cda37db666486e2a8b09c166d26999799e3b59dd458c91b3e15b2dcca9892312026dc691a9fc16535775936a6087c984727f3ac01c031e302838f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\bgScmigzl[1].js

Filesize
33KB

MD5
e2ec36d427fa4a992d76c0ee5e8dfd4d

SHA1
47ec4ace4851c6c3a4fe23ad2c842885f6d973f2

SHA256
36488e81afcbc4d7018b8764c18032b10be21aa45521c9671fde0cc77f70b2d8

SHA512
d1ae29d19f65ce74b9b480c82b87315634ec2e96d199f5feb423918af9ad6e24c8b436e03904d452f71562f04c42acbb250256eed73bcd592a79c08911c74976

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab17B6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1867.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
3.7MB

MD5
e20d3b1964c45d6637c8521c72a97352

SHA1
04d204ea5ed81c5417904c346b496073417e9fe3

SHA256
e81063f2d129861c1a0e9417405729dded67d4cfbf6ed336a108aac62ff31b11

SHA512
6c9a4813e5c2f65fb34a16623e90b510683cb2ee40d89bae9bca1f529c41aa1c96c10328ee2b7f203e91a1d8c1edcebd4ab07157620d47142c19e599390eac55

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFADF29F5637718CAA.TMP

Filesize
16KB

MD5
f072511f7e8f831245d1358327885994

SHA1
5d0304774a6335504bde1b55f8ef4cdb10565d2d

SHA256
89a4bc765cc44c4a578b3a8ed72808332d3f6e7ebe6531e9dc0d366ab0553a8d

SHA512
60998001a1722fb24ba83218f6930559cda9ae9120c3b4b3621fafed092c61dc524171b3e58c845a11b64f05b935dfea315ef35eb358521699520946d82ea027

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KP2BHW2O.txt

Filesize
107B

MD5
cb1e4cf59869278f7ceb2e227f26c717

SHA1
1e1d9f39c82b4e963e233bacb37aad2827d88216

SHA256
64dfec24c6bc49674594fae258d26b63be9bedaf2096345243770624ea193bb9

SHA512
a46883609004d9021d5dd3cb20ee2052471640d496ccee09297d8d1f47b681f9f3470fecba9c696bf0513d7853fd2bc9814ec90dce64f3b336d3d5fa554c98d7

Download Submit
\??\c:\program files (x86)\internet explorer\wmpscfgs.exe

Filesize
3.7MB

MD5
c845bb247a731d33cb96034b5e3185e0

SHA1
e8c5536bb08cbe72eca04ad7fbdc6bd03f8e54d9

SHA256
438f2176ce13138c55af02148b75cf6d69afa77c41f6e8cc2af49f9eca2652bc

SHA512
04562229ff4701048dea3c319fa83d774f3f916d739b70e897842530a13ed7404deb98dcbfbf932c0f8baef04b927c7d17b953f118c4de68daa09d22161c7582

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
3.7MB

MD5
7f22f0ac823d770dab4163cc088e3b52

SHA1
24797b00e5fb7a24fbc51c0299eac25ce110330b

SHA256
c3fa3ddc30fb2b2843c7216d1ae57b3041015265a5a5efa34a00df05e0c2a353

SHA512
d75c17f5e2c9ca36a90d781787a5d6f2dbc925831f122c0a75cb51ff0f48403f359d116a48fc8863cb0868f981a2370ed82a62c663217d2d1fa81c479b47eda6

Download Submit
\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
3.7MB

MD5
0c3cd8535ff39553b0c61df50d5ea399

SHA1
9058bd094eb27d294117623e0dc23b012f0d54bc

SHA256
a0bf58ef2ef5990ad23b3afa4ef7e8bdc30a6de48eb08632d77c136302be222d

SHA512
45ed271fc645608f812db146c7fe8fc98b91533a115dd0543860517ca430fe74ab6e0ab52ced0abdd06396b07590b9159c0e1cb73a375d34fe4caeb440dc2e04

Download Submit
memory/584-88-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/776-92-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-44-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-29-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-76-0x0000000002990000-0x0000000002992000-memory.dmp

Filesize
8KB

Download
memory/1720-1023-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-74-0x00000000052A0000-0x0000000005C73000-memory.dmp

Filesize
9.8MB

Download
memory/1720-75-0x00000000052A0000-0x0000000005C73000-memory.dmp

Filesize
9.8MB

Download
memory/1720-1022-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-1011-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-1010-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-997-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-42-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1720-41-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-996-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-35-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1720-321-0x00000000052A0000-0x0000000005C73000-memory.dmp

Filesize
9.8MB

Download
memory/1720-30-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1720-70-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-556-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-431-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-555-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-553-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-541-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1720-552-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2336-43-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2336-45-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2336-430-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2336-69-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2336-32-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2336-53-0x0000000000E70000-0x0000000000E72000-memory.dmp

Filesize
8KB

Download
memory/2336-545-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2336-540-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2504-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2504-25-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2504-23-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2504-0-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2504-40-0x0000000005440000-0x0000000005E13000-memory.dmp

Filesize
9.8MB

Download
memory/2504-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2504-24-0x0000000005440000-0x0000000005E13000-memory.dmp

Filesize
9.8MB

Download
memory/2504-27-0x0000000005440000-0x0000000005E13000-memory.dmp

Filesize
9.8MB

Download