806ee394d2831e991707792ce5e53b0795e5993f07cd6d732cfeb7a496ce220e

Analysis

max time kernel
121s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pubring.gpg
Size

1KB
MD5

7026ecf7ec95bd247ff60161046efff0
SHA1

d50a280aca21290cf2f427d89bd7a00944fb6951
SHA256

806ee394d2831e991707792ce5e53b0795e5993f07cd6d732cfeb7a496ce220e
SHA512

10fa0304f7174cbd91c0d895e6a8548c81c64a667182da7c1bbb0c9fcdd9e6f94e225e4dc4075c8b1afb2efa2ecc1ecccbf5c8c5a115ffe48411d1d2fe3c8752

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 909d4767b216db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4CE1271-82A5-11EF-83AF-F2DF7204BD4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434245213"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\gpg_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\gpg_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\gpg_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\gpg_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\gpg_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\gpg_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.gpg	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.gpg\ = "gpg_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\gpg_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\gpg_auto_file\shell\open\CommandId = "IE.File"	rundll32.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2832	iexplore.exe
2832	iexplore.exe
2832	iexplore.exe
2832	iexplore.exe
2832	iexplore.exe
2832	iexplore.exe
2832	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2832	iexplore.exe
2832	iexplore.exe
3056	IEXPLORE.EXE
3056	IEXPLORE.EXE
2832	iexplore.exe
2832	iexplore.exe
3056	IEXPLORE.EXE
3056	IEXPLORE.EXE
2832	iexplore.exe
2832	iexplore.exe
3056	IEXPLORE.EXE
3056	IEXPLORE.EXE
2832	iexplore.exe
2832	iexplore.exe
3056	IEXPLORE.EXE
3056	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2880	2664	cmd.exe	32
PID 2664 wrote to memory of 2880	2664	cmd.exe	32
PID 2664 wrote to memory of 2880	2664	cmd.exe	32
PID 2880 wrote to memory of 2832	2880	rundll32.exe	33
PID 2880 wrote to memory of 2832	2880	rundll32.exe	33
PID 2880 wrote to memory of 2832	2880	rundll32.exe	33
PID 2832 wrote to memory of 3056	2832	iexplore.exe	34
PID 2832 wrote to memory of 3056	2832	iexplore.exe	34
PID 2832 wrote to memory of 3056	2832	iexplore.exe	34
PID 2832 wrote to memory of 3056	2832	iexplore.exe	34
PID 2832 wrote to memory of 2360	2832	iexplore.exe	36
PID 2832 wrote to memory of 2360	2832	iexplore.exe	36
PID 2832 wrote to memory of 2360	2832	iexplore.exe	36
PID 2832 wrote to memory of 1236	2832	iexplore.exe	37
PID 2832 wrote to memory of 1236	2832	iexplore.exe	37
PID 2832 wrote to memory of 1236	2832	iexplore.exe	37
PID 2832 wrote to memory of 2028	2832	iexplore.exe	38
PID 2832 wrote to memory of 2028	2832	iexplore.exe	38
PID 2832 wrote to memory of 2028	2832	iexplore.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\pubring.gpg
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\pubring.gpg
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\pubring.gpg
    3⤵
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3056
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\pubring.gpg
      4⤵
      PID:2360
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\pubring.gpg
      4⤵
      PID:1236
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\pubring.gpg
      4⤵
      PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6d2bef9c0ecd8c8ea5bbd3c1dbc734f

SHA1
cb98eeb17c23f1bd388c76bec4def51c2bf6a790

SHA256
4eabb80ca1cc2105f2cdadaa3a02426e6638694313cd31b8ce8b4885056458bc

SHA512
8bedf983ec93aa619656303dbb10681c9c3fa73c52ee9ce1a930ce9284e7246f73e75c0ea586ed8d1fd6bc02acbdb471708553330c737277f83c4d9fc82abb24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0713dc6823f092e219db04b435d6311

SHA1
ced20ecb81b7148050896d8eaf374e8351ee4c93

SHA256
d25c5c9b2b25a770bcde4abde87e1d056a865d9b635779d6600c101a650c410e

SHA512
ad1c1faa38bdf123b0508977805e50f72ac4fd70d022cc689637e6442fb23af57f3bc329a08e5d053b563fa6837393cd614b00287a64eed5e569bf969d7f6435

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad5dffd293d40fba18c91169859cf558

SHA1
4dbab40fa2fea15eb87ddf89461a166ac22cfa7e

SHA256
fff9cc70052f8e589909abb8fb315697df357fabdff6bcb08bc8517f541178bf

SHA512
b832203913f9f25d624f501d8affae90f16c6b0c8e571699ef5d3fcace178967211cb90ddece22bbae266f5fbbfd91d3d23a1f3fc29f71307062251e1082c8d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17afaec82e44aff12e55edead0d4e7fe

SHA1
93152f23b239ffcf9d5da0ca912c2b6afbcdca50

SHA256
9c785efe3e51cf13207ef7277c00ddb3c8e9f5fab8508655f8a5957726fbb461

SHA512
521f77fd267806b3edf09e06278259e4575ba2a0c4abd1261ce7ce3224b0b001e11030a95e70c0208717a849ecd0f05475cf680fc6b8b3f46996f9c57851d925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
875ca5a1d225500777eaa40bbdc16a8b

SHA1
bbfca2952d415928719af3f62019ae6447969617

SHA256
4d5f160565ab2fe314be677deaae1dd3fb17cf27240ff293b963f741391aec03

SHA512
2c235f1fb9def6ea121a50acb15aa192f4675324c0f019f38ecb1bb3f3f1f904617c38a641482ed5765012dfa8297b9635568f6eaaae83ed443d9870f83aa8db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48badcb55e6846145160658129710bfa

SHA1
f555cae8d733c4f62270e3a2573cfbf278704b76

SHA256
2c9689cd1ccb7d5f8bcafb2fc966bcc76bcbd1cacbde28ba096fa266a1356f24

SHA512
3cf23e73b08701954d4aee2c111173497d0ec78e7cc3ce45a3ee649bef30dc6547d2242484c8582170d96d8934d00a067feead1eb7b11d4010dd195b3dfbbe19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e498661397668201e48eb9c3d24ae26

SHA1
d24c35e1a99dee037d622eaa6df22f0b12fe998b

SHA256
45c12a7165bd50f52808e566eca16fe37feac404921d9f28c39aaf687e1d41aa

SHA512
fe942e04769b8da5f7eee023eacc4f026a2be1209f4594ea8a080c6b4dca14dae8d3cc0eb8643a42ed944cc38935f38eec1fcd7afb8e334bae08c8f9e7e25f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6B7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar717.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads