Malware Analysis Report

2025-05-06 01:16

Sample ID: 241109-1hrseasgre
Target:    86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N
SHA256:    86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9
Tags:      discovery, persistence
Score:     7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score:  7/10
SHA256: 86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9

Threat level: shows suspicious behavior

The submitted file (86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N) was classified as "shows suspicious behavior". No malware family tag was assigned; the only tags are discovery and persistence, both earned in the Windows 7 run (behavioral1), where the sample drops and executes copies of itself and registers a machine-wide autostart.

Malicious Activity Summary

Tags: discovery, persistence

Signatures triggered across the three analyses (where the sandbox recorded details, they appear in the per-analysis sections below):

Executes dropped EXE
Loads dropped DLL
Adds Run key to start application (HKLM ...\CurrentVersion\Run, 32-bit view; behavioral1)
Suspicious use of NtSetInformationThreadHideFromDebugger (ThreadHideFromDebugger anti-debugging; behavioral2)
Drops file in Program Files directory (both behavioral runs)
System Location Discovery: System Language Discovery (reads HKLM\SYSTEM\ControlSet001\Control\NLS\Language)
Program crash (WerFault.exe is launched in both behavioral runs)
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow (by iexplore.exe, not by the sample; behavioral1)
Modifies Internet Explorer settings (by iexplore.exe, not by the sample; behavioral1)
Suspicious use of AdjustPrivilegeToken (SeDebugPrivilege)
Suspicious use of SetWindowsHookEx (behavioral2)
Suspicious use of WriteProcessMemory (parent-to-child writes only; behavioral1)

MITRE ATT&CK

Enterprise Matrix V15. Tactics tagged for this sample: Persistence, via T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (the "Adds Run key to start application" signature), and Discovery, via T1614.001 System Location Discovery: System Language Discovery.

Analysis: static1

Detonation Overview

Reported: 2024-11-09 21:39

Signatures

Unsigned PE: the sample carries no Authenticode signature. No indicator, process or target is recorded for this signature (N/A).

Analysis: behavioral1

Detonation Overview

Submitted:        2024-11-09 21:39
Reported:         2024-11-09 21:41
Platform:         win7-20240903-en
Max time kernel:  117s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe"

Signatures

Adds Run key to start application (persistence)

Set value (str)
  Key:     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Name:    Adobe_Reader
  Data:    "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"
  Process: C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe
  Target:  N/A
Set value (str)
  Key, name and data as above
  Process: \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  Target:  N/A

Note: this is a machine-wide autostart (HKLM, seen through the 32-bit Wow6432Node view because the sample is a 32-bit process), so writing it requires administrative rights; the sandbox runs as Admin. The value name impersonates Adobe Reader but launches wmpscfgs.exe from the user's Temp directory. The report escapes backslashes, so the four backslashes before wmpscfgs.exe are a doubled separator in the real data ("temp\\wmpscfgs.exe"), which is exactly the command line of the spawned Temp copy listed under Processes. The same value is written twice, once by the sample and once by the dropped copy.
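A way to triage such rows mechanically, as an added example that is not part of the sandbox or of this report: the script below takes the two "Set value" rows above (copied in as constructed input), undoes the report's backslash escaping and flags the properties that make this autostart suspicious (launch path in a user-writable directory, value name unrelated to the binary it starts, machine-wide scope, doubled separator). The flag names, the USER_WRITABLE list and the RunKeyEntry type are the example's own choices, not sandbox output.

```python
"""Triage of 'Adds Run key' rows from a sandbox report (added example).

Parses 'Set value' rows of the form
  Set value (<kind>) <key>\<name> = "<data>" <process> <target>
and scores the resulting autostart entry. Input rows are copied from the
report; everything else (flag names, heuristics) is this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the two rows of the "Adds Run key" table, verbatim.
RUN_KEY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe" C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe" \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A',
]

# Row layout: Description Indicator Process Target. Key path and process
# path contain no spaces in this report, so \S+ is safe for them.
ROW_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<path>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)

# Directory fragments a standard user can write to. An autostart that
# launches from one of these is much weaker evidence of installed software
# than one that launches from Program Files (heuristic list, this example's own).
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')


@dataclass
class RunKeyEntry:
    key: str
    value_name: str
    launches: str            # data with the report's backslash escaping undone
    written_by: str
    flags: list = field(default_factory=list)

    @property
    def machine_wide(self) -> bool:
        return self.key.upper().startswith('\\REGISTRY\\MACHINE\\')


def parse_row(line: str) -> RunKeyEntry:
    m = ROW_RE.match(line)
    if m is None:
        raise ValueError(f'not a Set value row: {line[:40]!r}')
    key, _, name = m.group('path').rpartition('\\')
    # The report escapes every backslash, so a doubled separator in the real
    # data appears as four backslashes and survives as two after unescaping.
    launches = m.group('data').replace('\\\\', '\\')
    return RunKeyEntry(key, name, launches, m.group('process'))


def collapse_separators(path: str) -> str:
    while '\\\\' in path:
        path = path.replace('\\\\', '\\')
    return path


def assess(entry: RunKeyEntry) -> RunKeyEntry:
    raw = entry.launches.lower()
    path = collapse_separators(raw)
    if '\\\\' in raw:
        entry.flags.append('doubled-separator-in-path')
    if any(frag in path for frag in USER_WRITABLE):
        entry.flags.append('launches-from-user-writable-dir')
    # Compare the value name with the binary it starts: "Adobe_Reader"
    # launching wmpscfgs.exe shares no token with the file name.
    stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    tokens = [t for t in re.split(r'[^a-z0-9]+', entry.value_name.lower()) if t]
    if tokens and not any(t in stem for t in tokens):
        entry.flags.append('value-name-does-not-match-binary')
    if entry.machine_wide:
        entry.flags.append('machine-wide-autostart')
    if 'wow6432node' in entry.key.lower():
        entry.flags.append('32-bit-view-of-hklm')
    return entry


def triage_run_keys(rows) -> list:
    return [assess(parse_row(r)) for r in rows]


if __name__ == '__main__':
    for e in triage_run_keys(RUN_KEY_EVENTS):
        print(f'{e.key}\\{e.value_name} -> {e.launches}')
        print(f'  written by {e.written_by}')
        print(f'  flags: {", ".join(e.flags)}')
```

The name-versus-binary check is deliberately loose (any shared alphanumeric token clears it) so that legitimate entries such as "Acrobat Assistant" launching acrotray.exe are not flagged; what it catches is a vendor name attached to a binary that has nothing to do with that vendor, which is the case here.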

Drops file in Program Files directory

By C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe (file created):
  \??\c:\program files (x86)\microsoft office\office14\bcssync.exe
  \??\c:\program files (x86)\adobe\acrotray .exe
  \??\c:\program files (x86)\adobe\acrotray.exe
  \??\c:\program files (x86)\internet explorer\wmpscfgs.exe
By \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe:
  File created: \??\c:\program files (x86)\microsoft office\office14\bcssync.exe
  File opened for modification: \??\c:\program files (x86)\adobe\acrotray .exe
  File opened for modification: \??\c:\program files (x86)\adobe\acrotray.exe
  File opened for modification: \??\c:\program files (x86)\internet explorer\wmpscfgs.exe
  File created: C:\Program Files (x86)\259445964.dat
Target: N/A for all rows.

Note: the file names mimic legitimate vendor binaries (acrotray.exe is Adobe Acrobat's tray helper; bcssync.exe ships with Office 2010, whose directory is Office14), but they are written by the sample and its Temp copy, not by an installer. "acrotray .exe" (space before the extension) is a distinct file from "acrotray.exe"; under Files it hashes as a zero-byte file. wmpscfgs.exe is placed in the Internet Explorer program directory, and the numeric .dat file is written to the root of Program Files (x86).

System Location Discovery: System Language Discovery (discovery)

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by
  C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe (once)
  \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe (twice)
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe (twice)
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (twice)
Target: N/A.

Modifies Internet Explorer settings (adware spyware)

All rows are writes by C:\Program Files\Internet Explorer\iexplore.exe (or, where marked, the 32-bit C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE) under \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer; target is N/A throughout. They are the browser's own first-run and session housekeeping. The signature fires because Internet Explorer was started during the run (iexplore.exe -Embedding, see Processes), not because the sample edited these keys itself; the process column never shows the sample or its copies.

Keys created (relative to ...\Software\Microsoft\Internet Explorer): BrowserEmulation\LowMic; MINIE; Main (by iexplore.exe once and by IEXPLORE.EXE twice); LowRegistry\DOMStorage; Recovery\AdminActive; TabbedBrowsing; Zoom; IETld\LowMic; Toolbar; InternetRegistry; Toolbar\WebBrowser; Recovery\PendingRecovery; IntelliForms; LowRegistry\DontShowMeThisDialogAgain; PageSetup; Main\WindowsSearch; TabbedBrowsing\NewTabPage; GPU; LowRegistry; SearchScopes.

Values set:
  Main\FullScreen (str) = "no"
  Main\CompatibilityFlags (int) = 0
  Main\Window_Placement (data) = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000, later 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000
  Main\WindowsSearch\Version (str) = "WS not running"
  MINIE\TabBandWidth (int) = 500
  Recovery\AdminActive\{23C82211-9EE3-11EF-8B05-6E295C7D81A3} (int) = 0
  Recovery\PendingRecovery\AdminActive (int) = 1, later 0
  SearchScopes\DownloadRetries (int) = 2
  TabbedBrowsing\NTPFirstRun (int) = 1
  TabbedBrowsing\NewTabPage\MFV (data) = (value not present in this copy of the report)
  TabbedBrowsing\NewTabPage\LastProcessed (data) = f09515fbef32db01
  TabbedBrowsing\NewTabPage\DecayDateQueue (data) = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000258ce815ae24da5a2fc114687cfd3e6aa67091a58b8c1284e9480254b9479363000000000e8000000002000020000000509327debd32dd40adf1644b3892ddbfa2ec504543743dc5b479a650783212e520000000342b4d267f8a2362a8b245a5458ff40fb865cd8f651e3a306ffc29ef547355a440000000e912fc7bffb0f4c578ef97c6afc215b56359494416e04ba8e72ad6a42bf2dfaff542f866ca88ded90fc267a51527098b53746d4928bf01a67101ba678ec64dac (a DPAPI-protected blob: 01000000 followed by the DPAPI provider GUID d08c9ddf-0115-d111-8c7a-00c04fc297eb is the standard CryptProtectData header)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege, enabled by
  C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe (once)
  \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe (twice)
Indicator and target: N/A.

Note: SeDebugPrivilege bypasses the access checks on process objects, so a holder can open handles to processes it does not own. Together with the "EnumeratesProcesses" signature this is the usual prelude to inspecting or tampering with other processes, but no write into a pre-existing, unrelated process is recorded in this run (see WriteProcessMemory below).

Suspicious use of FindShellTrayWindow

Called three times by C:\Program Files\Internet Explorer\iexplore.exe; no indicator or target recorded (N/A). This is the browser's own call, not the sample's.

Suspicious use of WriteProcessMemory

Each pair below appears four times in the raw log (four writes per created process, the pattern a parent produces when it starts a child, since process creation itself writes the child's startup parameters into the new address space). Indicator is N/A throughout.

PID 2828 -> 2840 (x4): C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe -> \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 2828 -> 2900 (x4): C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe -> C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 2900 -> 2684 (x4): C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe -> C:\Windows\SysWOW64\WerFault.exe
PID 2840 -> 2664 (x4): \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe -> \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 2840 -> 2540 (x4): \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe -> C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 2252 -> 1036 (x4): C:\Program Files\Internet Explorer\iexplore.exe -> C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2540 -> 2420 (x4): C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe -> C:\Windows\SysWOW64\WerFault.exe
PID 2252 -> 2188 (x4): C:\Program Files\Internet Explorer\iexplore.exe -> C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Every target is a process the writer itself created (a crashing process launches its own WerFault.exe handler, and iexplore.exe launches its own 32-bit tab processes); there is no write into a pre-existing, unrelated process. The signature therefore documents the process chain rather than code injection.

Processes

PIDs are taken from the WriteProcessMemory rows above and from the WerFault.exe -p and SCODEF: arguments; each entry gives the image path followed by the command line.

2828  C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe
      "C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe"
2840  \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
      c:\users\admin\appdata\local\temp\\wmpscfgs.exe
2900  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
2684  C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 272
2664  \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
      c:\users\admin\appdata\local\temp\\wmpscfgs.exe
2540  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
2252  C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1036  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:275457 /prefetch:2
2420  C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 272
2188  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:734220 /prefetch:2

Both copies launched from Program Files (x86)\Internet Explorer (2900, 2540) crash and hand off to WerFault.exe. The first Temp copy (2840) keeps running until the end of the run (its memory dumps continue to index 567), re-launches itself (2664) and starts the second Program Files copy; a Temp copy also writes the Run key a second time. iexplore.exe is started with -Embedding (COM activation), so no parent process is recorded for it.
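To turn the WriteProcessMemory rows and the process list into a tree automatically, the following added example (not part of the sandbox's output) takes the (parent PID, child PID, writer image, target image) tuples from the table above, repeated four times each as in the raw log, collapses them into edges with write counts and renders the tree, marking WerFault.exe children as crash handlers. The PID-to-image mapping comes from the rows themselves; the helper names and the "crash handler" label are the example's own.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory rows (added example).

Each row in the report reads "PID <parent> wrote to memory of <child>" with
the writer's and target's image paths. The first writer of a PID is taken
as its creator; repeated rows for the same pair are counted, not duplicated.
"""
from collections import Counter, defaultdict

# Image paths exactly as they appear in the report.
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe'
TEMP_COPY = r'\??\c:\users\admin\appdata\local\temp\wmpscfgs.exe'
PF_COPY = r'C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe'
WERFAULT = r'C:\Windows\SysWOW64\WerFault.exe'
IE64 = r'C:\Program Files\Internet Explorer\iexplore.exe'
IE32 = r'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE'

# Constructed from the behavioral1 table: (parent, child, writer image,
# target image), each pair repeated four times as in the raw log.
WPM_ROWS = (
    [(2828, 2840, SAMPLE, TEMP_COPY)] * 4
    + [(2828, 2900, SAMPLE, PF_COPY)] * 4
    + [(2900, 2684, PF_COPY, WERFAULT)] * 4
    + [(2840, 2664, TEMP_COPY, TEMP_COPY)] * 4
    + [(2840, 2540, TEMP_COPY, PF_COPY)] * 4
    + [(2252, 1036, IE64, IE32)] * 4
    + [(2540, 2420, PF_COPY, WERFAULT)] * 4
    + [(2252, 2188, IE64, IE32)] * 4
)


def build_tree(rows):
    """Return (parent_of, children, image, writes) from (parent, child, src, dst) rows."""
    parent_of, children, image, writes = {}, defaultdict(list), {}, Counter()
    for parent, child, src, dst in rows:
        writes[(parent, child)] += 1
        image.setdefault(parent, src)
        image.setdefault(child, dst)
        if child not in parent_of:      # first writer is taken as the creator
            parent_of[child] = parent
            children[parent].append(child)
    return parent_of, children, image, writes


def is_crash_handler(path):
    return path.lower().endswith('\\werfault.exe')


def roots(parent_of, image):
    """PIDs that were never written to by anyone: the sample and COM-launched IE."""
    return sorted(pid for pid in image if pid not in parent_of)


def depth(pid, parent_of):
    d = 0
    while pid in parent_of:
        pid = parent_of[pid]
        d += 1
    return d


def crashed(rows):
    """PIDs that spawned WerFault.exe, i.e. processes that crashed."""
    _, children, image, _ = build_tree(rows)
    return sorted(p for p, kids in children.items()
                  if any(is_crash_handler(image[k]) for k in kids))


def render(rows):
    """Indented tree, one line per process, with write counts and crash markers."""
    parent_of, children, image, writes = build_tree(rows)
    lines = []

    def walk(pid, indent):
        n = writes[(parent_of[pid], pid)] if pid in parent_of else 0
        count = f' ({n} writes)' if n else ''
        tag = '  [crash handler]' if is_crash_handler(image[pid]) else ''
        lines.append(f'{"  " * indent}{pid} {image[pid]}{count}{tag}')
        for child in children[pid]:
            walk(child, indent + 1)

    for root in roots(parent_of, image):
        walk(root, 0)
    return lines


if __name__ == '__main__':
    print('\n'.join(render(WPM_ROWS)))
    print('crashed:', crashed(WPM_ROWS))
```

The useful output is not the tree itself but what falls out of it: two roots (the sample and the COM-activated iexplore.exe, which has no recorded writer), and the fact that both processes with a WerFault.exe child are the copies running from Program Files (x86)\Internet Explorer, so the crash is tied to that drop location rather than to the Temp copy.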

Network

Country  Destination            Domain                      Proto  Count
US       8.8.8.8:53             www.supernetforme.com       udp    1
NL       185.107.56.193:80      www.supernetforme.com       tcp    2
US       8.8.8.8:53             ww1.supernetforme.com       udp    1
US       199.59.243.227:80      ww1.supernetforme.com       tcp    2
NL       94.75.229.248:80       (no domain)                 tcp    4
US       204.79.197.200:443     ieonline.microsoft.com      tcp    5
US       8.8.8.8:53             www.superwebbysearch.com    udp    1
NL       185.107.56.52:80       www.superwebbysearch.com    tcp    2
US       8.8.8.8:53             ww1.superwebbysearch.com    udp    1
US       199.59.243.227:80      ww1.superwebbysearch.com    tcp    2

Notes: the two sample-related hosts (www.supernetforme.com, www.superwebbysearch.com) resolve to adjacent NL addresses and are each followed by a lookup of a ww1. subdomain that resolves to the same US address (199.59.243.227), a pattern typical of parked or traffic-redirecting domains. The four plain-HTTP connections to 94.75.229.248 carry no hostname, i.e. the address is hard-coded. ieonline.microsoft.com is contacted by Internet Explorer itself and is not an indicator for this sample.

Files

Memory dumps (PID: region, dump indices as numbered in the original listing):
  2828: 0x00400000-0x00DB7000 (0, 24); 0x7EBD0000-0x7EFA1000 (1); 0x10000000-0x10010000 (3); 0x05330000-0x05CE7000 (25, 39)
  2840: 0x00400000-0x00DB7000 (29, 40, 41, 67, 86, 517, 520, 521, 523, 524, 532, 533, 567); 0x10000000-0x10010000 (31); 0x05020000-0x059D7000 (61, 64, 65); 0x02AB0000-0x02AB2000 (76)
  2900: 0x00400000-0x00DB7000 (30, 38)
  2664: 0x00400000-0x00DB7000 (71)
  2540: 0x00400000-0x00DB7000 (77)
The 0x00400000-0x00DB7000 image region has the same size in the sample and in every wmpscfgs.exe process, and the 64 KB module at 0x10000000 (a common default base for a non-relocated DLL) in 2828 and 2840 is consistent with the "Loads dropped DLL" signature in the summary.

Dropped and created files:

C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe
  MD5    c94096d393e22f1e7196fe8209b68b6c
  SHA1   4e2573385c30515b4a1a3809481cf54e439e7270
  SHA256 c25911a716ad9056f9809247203fd78306b30785b4aaf725bec7e948800c112c
  SHA512 5497b4f7e5100c9b14150a4a72058d40afacb6878e6c4a9305bcaa194eb6ec601ceeeba4999bc8e209b8371966db7ef5f4764088a9e8e470d9ff5d23e3f34bb3
  Not byte-identical to the submitted sample (different SHA256), although its in-memory image region has the same size.

\Program Files (x86)\Internet Explorer\wmpscfgs.exe (first write)
  MD5    65bc661ffd1c7ca5a35e5ed9ab7321fb
  SHA1   e08f99e186498e5dbb5124809426a6a3191497ee
  SHA256 c4f71634bf7a8602f20cc1fc0641e23a9041d97258f627383a57682c0a374432
  SHA512 4d27e91ad6e2cd60fe7fd4cbb97677afb693fca01406d7b238c30cd26bde76405aae8d9dd215a8624c84ab0afc202a124a6566cdac7a69d231aa655ad6a514b4

\??\c:\program files (x86)\microsoft office\office14\bcssync.exe
  MD5    a3067b7b1f55452a1ffc3ab171c24104
  SHA1   a7b3a758dd93b7d83da490651bad0fd99544bf34
  SHA256 418a9cff794af4e6cc4c477c8423b67ed961c3c3bb66b7481631db9fc4b97e0e
  SHA512 9d1b03ad90e6bd66824a5da25ba3ee19ccb7b21c669855881188b611916a8213932ce7e22427b795079ddd721c8b9e096203e406b4d42b5a52093988f58ec836

\??\c:\program files (x86)\adobe\acrotray .exe
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of empty input: the file is zero bytes. No hashes are listed for acrotray.exe (without the space), so its final content is not known from this report.

\Program Files (x86)\Internet Explorer\wmpscfgs.exe (second write; the file is rewritten during the run and this is the later content)
  MD5    8bbabba3c35983bdb1e006a3d47bec59
  SHA1   b6a969e25548c8b55fa3301d093270005b5d3c6b
  SHA256 bbc185fbf79f5f38de0b4249f57d8119ef80f0748df774a86ef8abacaf4c448a
  SHA512 3ad9758064a757f1563b1cef5348afa9f01602a3719bdc9b20da1bc7c6bb6418339ac2b58aebe767e309ca431817a21c0507ca429a3f9ef3ae9723be02aed991

C:\Users\Admin\AppData\Local\Temp\CabDC9.tmp
  MD5    49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1   1723be06719828dda65ad804298d0431f6aff976
  SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDDC.tmp
  MD5    4ea6026cf93ec6338144661bf1202cd1
  SHA1   a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
  A Cab*.tmp / Tar*.tmp pair in Temp is typically produced by Windows itself when it downloads and unpacks certificate updates during HTTPS use, so on its own it is not evidence of the sample writing files.

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\bOyEOBcHs[1].js
  MD5    ce07affa04803b8889da4add31fd43dc
  SHA1   0fb5a8fcee96a30571493eab29d0e2a6555a16ff
  SHA256 8c1495c44aec0fa67b5ea6caf921a72de269aff5387ae21fc97e22f94f4f7f3f
  SHA512 f79974074d4f5f991d2acb486189d8c8668dc854c40dc586836359fc20d38c66d0f98303962c072e119a4ca0daf1156cb8ff476c9b3cebf785f37ae73b88567f
  A script cached by Internet Explorer during the run; the report does not record which of the contacted hosts served it.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Nine successive versions of the same certificate-cache metadata file, listed in the order they were written (Windows rewrites it while fetching certificate data for the HTTPS connections):
  1. MD5 042582d4eb848230185a6584d52bd6d4 / SHA1 b283a0e7928eb0d2ae939f11e4e4206e3113ef1e / SHA256 00b5f3504835b65337eda6a34086e9a887e1cf9dd0c5001171ac9412f5434802 / SHA512 9983a0cdc517478b9dc2f5fadc53e8747069acc5eb92fb15e3053eda04224f7d4ef4bca95d37915af5d29ebc4f2c8b33414501edcd0740aed5f3ad92e41372ff
  2. MD5 abdf48d55731e7a617fd398f41b58654 / SHA1 9a7d701b8f638b9ce20d117832d1c19b6b861483 / SHA256 7b5ee93a44e2bf9aade9f768d0654e2dc147ed028874484fb3a4d384140c328e / SHA512 83c52f2689334d5d65d89daf81b0b882e71a4a3aceba9ed802694ab09485ce09351b14e967bce69c60975dfd03ba900c52cb12cafa92c272bafa2425c2796e87
  3. MD5 2b9169233d91712c924ce2b2fc871f7a / SHA1 9911a8b5bdbdc1229415fdc6dc0e4bd2a1c198c1 / SHA256 da0724621113a1a6e7d00b7ac0ad11f08bfdd8552f87a440241c61b873ce9fc5 / SHA512 90a8f131ece771f8c28770efbcee4e44205e610a4d4df2d7562483c25b845f72ea17b1010bd0cd9052fd73e9f7b0904d0e423329f980649305ca9f76071ad878
  4. MD5 473edf563d6137b35f56040de561dc66 / SHA1 37f1503817e6c99921a4153792fc6836b4aeaaf1 / SHA256 68aae998331309c94779c3ebe851d16904fd58818d6e15000478425d2b91889b / SHA512 11eafcb5b4cb7971ba9107db78ffcc3de5f8ba704d291603a1279d5ee29774a2c8027a0df032734933e18321ecbff5cf13f0c1b6c0837f36dc411ccf7dabf3a3
  5. MD5 07dbad2f1a76e5b0065b403d8849c499 / SHA1 14da09e4a2f4bafbd5ee10e936d44b0b81ef1805 / SHA256 16cf8ffb51862b1e4317e1e94d5f439b3189602565c45fd2127388145365d4d0 / SHA512 bf6fe72eb085eefcffc7101b7e7a553cce5a3cddb4df86713bbcdb043b9c913636c3febf35491dbf22e98146ad60a0a57368469bf97b0107c47cd81c581f40e5
  6. MD5 086aa96ccf3da7d54aa66811025fd20a / SHA1 200d53190e40520a5c0cb221f109268a08348f39 / SHA256 34f7957bdd6d2033c574aed897f149cc8cec7b9eb07e514c0e86966ff8dfaff9 / SHA512 f0247f09fa04842cbbda7194aa5d57d99560c4cd6af4819fcc9290e4cf14fd79f6b9b9895b7193b3e206e3b9096f49eb73ab9f8e924af1a207131df60b63dc14
  7. MD5 f9b59866e0ed7bff4bc3ae50c3ce24d8 / SHA1 f4cf3d331a94d672ad4d92c9b5d6ec2f02cb9465 / SHA256 145449dc7fd3def0203a200bb8c6549158507d5323f66dd8f3f347fa0674f57f / SHA512 ae56c782310c5f74dadd30143a5db4a3814e025fa70018b1820769f9da3d3b7bbfca9c9ec8ca4a4ba5186f0b28ce96634e85f808ca4f64e28f56896f354af460
  8. MD5 c5f9624111e9f4037ab0b993d35e0a23 / SHA1 ede85ca8a3e2dbaa36684269bb8bd4df5a337fa2 / SHA256 56c483e71c102d2b1cef15c2de98eb275db3ad9cfbd7415dc08880aef8063269 / SHA512 1c11385361eb63413359d2b5722031264d6d3d3480bd917d7c4f7803ff9448798d7dce4efb06fc6b821f9a8fe644ba0e7e0973dd53ef4176192987b2850e83d1
  9. MD5 d51f30f71cd67a1d08a4488c6639a1f1 / SHA1 2cdd5efd69fed076b063c277883b5f69341f8075 / SHA256 92696eac555da55748da8311592964d5799eb1479c34a5fe22235a590714b857 / SHA512 51c0d383694d1946b93a70f3f52678d1806f307465a3e8d4fe3a20450518a816fc9946c6906d4c3af80438b1e94a7b65c2788ad3296ad14c2a780164a26d045b
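The dropped-file list above rewards three checks an analyst would otherwise do by eye: whether a file's digests are those of empty input (acrotray .exe), whether a file name hides whitespace before its extension, and whether one path was written more than once with different content (the Program Files wmpscfgs.exe). The added example below (not sandbox code; the rows are copied from this section as constructed input and the flag names are its own) applies all three, computing the empty-input digests with hashlib rather than hard-coding them, and also confirms that none of the drops is a byte-identical copy of the submitted sample.

```python
"""Triage of dropped-file hashes from a sandbox report (added example).

Flags zero-byte files, whitespace before the extension, paths rewritten with
different content, and drops that are byte-identical to the submitted sample.
Input rows are copied from the report; flag names are this example's own.
"""
import hashlib
import re
from collections import defaultdict

SAMPLE_SHA256 = '86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9'

# Constructed from the Files section: (path, md5, sha1, sha256) for the
# dropped executables, in the order the report lists them.
DROPPED = [
    (r'C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe',
     'c94096d393e22f1e7196fe8209b68b6c', '4e2573385c30515b4a1a3809481cf54e439e7270',
     'c25911a716ad9056f9809247203fd78306b30785b4aaf725bec7e948800c112c'),
    (r'\Program Files (x86)\Internet Explorer\wmpscfgs.exe',
     '65bc661ffd1c7ca5a35e5ed9ab7321fb', 'e08f99e186498e5dbb5124809426a6a3191497ee',
     'c4f71634bf7a8602f20cc1fc0641e23a9041d97258f627383a57682c0a374432'),
    (r'\??\c:\program files (x86)\microsoft office\office14\bcssync.exe',
     'a3067b7b1f55452a1ffc3ab171c24104', 'a7b3a758dd93b7d83da490651bad0fd99544bf34',
     '418a9cff794af4e6cc4c477c8423b67ed961c3c3bb66b7481631db9fc4b97e0e'),
    (r'\??\c:\program files (x86)\adobe\acrotray .exe',
     'd41d8cd98f00b204e9800998ecf8427e', 'da39a3ee5e6b4b0d3255bfef95601890afd80709',
     'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'),
    (r'\Program Files (x86)\Internet Explorer\wmpscfgs.exe',
     '8bbabba3c35983bdb1e006a3d47bec59', 'b6a969e25548c8b55fa3301d093270005b5d3c6b',
     'bbc185fbf79f5f38de0b4249f57d8119ef80f0748df774a86ef8abacaf4c448a'),
]

# Digests of empty input, computed rather than remembered.
EMPTY = {
    'md5': hashlib.md5(b'').hexdigest(),
    'sha1': hashlib.sha1(b'').hexdigest(),
    'sha256': hashlib.sha256(b'').hexdigest(),
}


def normalize(path):
    """Lower-case, drop the \\??\\ NT prefix and restore the drive letter the
    report omits on some Program Files entries, so one file compares equal."""
    p = path.lower()
    if p.startswith('\\??\\'):
        p = p[4:]
    if p.startswith('\\program files'):
        p = 'c:' + p
    return p


def basename(path):
    return normalize(path).rsplit('\\', 1)[-1]


def triage_drops(rows):
    """Return {normalized path: [flags]}; clean paths get an empty list."""
    flags = defaultdict(list)
    seen = defaultdict(list)
    for path, md5, sha1, sha256 in rows:
        p = normalize(path)
        entry = flags[p]
        seen[p].append(sha256)
        if (md5, sha1, sha256) == (EMPTY['md5'], EMPTY['sha1'], EMPTY['sha256']):
            entry.append('zero-byte-file')
        if re.search(r'\s\.[^.]+$', basename(path)):
            entry.append('whitespace-before-extension')
        if sha256 == SAMPLE_SHA256:
            entry.append('byte-identical-copy-of-sample')
    for p, hashes in seen.items():
        if len(set(hashes)) > 1:
            flags[p].append('rewritten-with-different-content')
    return dict(flags)


def unique_sha256(rows):
    """Distinct SHA256 values, i.e. the hash IOCs worth blocking or hunting for."""
    return sorted({r[3] for r in rows})


if __name__ == '__main__':
    for p, f in triage_drops(DROPPED).items():
        print(p, '->', ', '.join(f) or 'no flags')
    print('unique SHA256:', len(unique_sha256(DROPPED)))
```

For hunting, the two Program Files hashes are both valid IOCs (the earlier one may persist on hosts where the rewrite did not happen), while the zero-byte acrotray .exe has the empty-file digest and must be matched by path, never by hash.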

Analysis: behavioral2

Detonation Overview

Submitted:        2024-11-09 21:39
Reported:         2024-11-09 21:41
Platform:         win10v2004-20241007-en
Max time kernel:  114s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger
  Process: C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe (indicator and target N/A). NtSetInformationThread with ThreadHideFromDebugger stops an attached debugger from receiving events for that thread, a common anti-debugging step. It was not recorded in the Windows 7 run.

Drops file in Program Files directory
  File created by C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe:
    \??\c:\program files (x86)\adobe\acrotray .exe
    \??\c:\program files (x86)\adobe\acrotray.exe
    \??\c:\program files (x86)\internet explorer\wmpscfgs.exe
  Target: N/A. Unlike the Windows 7 run, no bcssync.exe or Temp copy is created and none of the dropped files is executed.

System Location Discovery: System Language Discovery (discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe (target N/A).

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege, C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe (indicator and target N/A).

Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe (indicator and target N/A). The report does not record the hook type, so whether this is keyboard capture or something benign cannot be told from this run.

Processes

2768  C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe
      "C:\Users\Admin\AppData\Local\Temp\86a67fa07977747fbbd3a9aef2f0bc206f3fd171736d87079d219afb2468ecb9N.exe"
      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2768 -ip 2768
      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 800

The sample (PID 2768, from the WerFault -p argument and the memory dumps) crashes after dropping the three Program Files files but before launching anything; only the Windows Error Reporting handlers follow it. That is why this run shows no Run key and no traffic to the sample's own hosts.

Network

All traffic in this run is reverse (PTR) DNS lookups to 8.8.8.8:53 over UDP; no connection to the supernetforme.com / superwebbysearch.com hosts seen on Windows 7 was made, consistent with the sample crashing early. Lookups of this kind are typical of Windows 10 background activity rather than of the sample.

  8.8.8.8.in-addr.arpa
  217.106.137.52.in-addr.arpa
  101.210.23.2.in-addr.arpa
  22.160.190.20.in-addr.arpa
  83.210.23.2.in-addr.arpa
  95.221.229.192.in-addr.arpa
  97.17.167.52.in-addr.arpa
  197.87.175.4.in-addr.arpa
  209.205.72.20.in-addr.arpa
  15.164.165.52.in-addr.arpa
  133.211.185.52.in-addr.arpa
  200.163.202.172.in-addr.arpa (twice)
  2.36.159.162.in-addr.arpa
  88.210.23.2.in-addr.arpa
  106.209.201.84.in-addr.arpa
  0.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.0.0.b.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa
  14.227.111.52.in-addr.arpa
  212.20.149.52.in-addr.arpa
  70.209.201.84.in-addr.arpa

Files

Memory dumps (PID 2768: region, dump indices): 0x00400000-0x00DB7000 (0, 8); 0x7FA70000-0x7FE41000 (1, 9); 0x10000000-0x10010000 (2). The image region and the 64 KB module at 0x10000000 have the same sizes as in the Windows 7 run. No dropped files with hashes were recorded in this run.