Analysis
-
max time kernel
18s -
max time network
32s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 17:40
Behavioral task
behavioral1
Sample
3ce1e74b919e7fe6922679092b30f874a84674d7edd0a0815374dc0d88d00604.dex
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
3ce1e74b919e7fe6922679092b30f874a84674d7edd0a0815374dc0d88d00604.dex
Resource
win10v2004-20241007-en
General
-
Target
3ce1e74b919e7fe6922679092b30f874a84674d7edd0a0815374dc0d88d00604.dex
-
Size
7.0MB
-
MD5
ad49458b8e8eb164537d1bf1de0c086b
-
SHA1
4fdf8ccc11478b0b3a8546902b82ca6c4b38c7f4
-
SHA256
3ce1e74b919e7fe6922679092b30f874a84674d7edd0a0815374dc0d88d00604
-
SHA512
f767e7b7ab176ca70be5ef1dabaa1f27b7c05b797e0ddd0d7ecbf45c876d94b692be9dc3fcb461ab81d5990fa12c960eadad822e1b44e152147b8a3a878798cb
-
SSDEEP
49152:L2dCjFLhTnIWe1RtK62VH9gMtFCYHTLKqTRscM7:qoj/TnIWutK62VXrnzL3ts37
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d8a2561ed318db01 iexplore.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{124D4326-9B9D-11EF-AF2A-4E8E92B54298} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{66FB11DD-E5AE-4DE5-82FF-B48B5F63D664}" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\RepId iexplore.exe -
Modifies registry class 11 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\dex_auto_file\shell\open\command OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\dex_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.dex OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\dex_auto_file OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\dex_auto_file\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\dex_auto_file\shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings cmd.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.dex\ = "dex_auto_file" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\dex_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\dex_auto_file\shell\open\CommandId = "IE.File" OpenWith.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3264 OpenWith.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1240 iexplore.exe 1240 iexplore.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 3264 OpenWith.exe 1240 iexplore.exe 1240 iexplore.exe 4816 IEXPLORE.EXE 4816 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3264 wrote to memory of 1240 3264 OpenWith.exe 101 PID 3264 wrote to memory of 1240 3264 OpenWith.exe 101 PID 1240 wrote to memory of 4816 1240 iexplore.exe 104 PID 1240 wrote to memory of 4816 1240 iexplore.exe 104 PID 1240 wrote to memory of 4816 1240 iexplore.exe 104 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\3ce1e74b919e7fe6922679092b30f874a84674d7edd0a0815374dc0d88d00604.dex1⤵
- Modifies registry class
PID:4896
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\3ce1e74b919e7fe6922679092b30f874a84674d7edd0a0815374dc0d88d00604.dex2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:17410 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4816
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\3ce1e74b919e7fe6922679092b30f874a84674d7edd0a0815374dc0d88d00604.dex3⤵PID:2900
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:17414 /prefetch:23⤵PID:4372
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\3ce1e74b919e7fe6922679092b30f874a84674d7edd0a0815374dc0d88d00604.dex3⤵PID:2056
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:82956 /prefetch:23⤵PID:2320
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\3ce1e74b919e7fe6922679092b30f874a84674d7edd0a0815374dc0d88d00604.dex3⤵PID:4904
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:17426 /prefetch:23⤵PID:4376
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD5a70bfcfc18f6346d83964eba1b7f98ee
SHA1ace2a3ba1d6e7ea752fc3d48b995b56145b29fcd
SHA2560976926ed3bbc2de16cc3e85dfcaa29ce5dc577720c878e4de0408e0ecf2e828
SHA51259b8ff23f020557c77a6b3472d40cc7c5a4f657259859ce7ad78da671de64c9b83f302cc06788b6e7e30d27cfb6e331287baed860405bae7712f7b3f5c0044ba