472da789eb38296d93d4a4304787da6e20fc0ff451c5cb44f30c686c0f15ba40

Analysis

max time kernel
104s
max time network
136s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SabtRayaneV3.exe
Size

876KB
MD5

c243073d537ac6acdca3f7ba693f471c
SHA1

e93c2d9cae0263af5dbde2689f81eab0378657b3
SHA256

472da789eb38296d93d4a4304787da6e20fc0ff451c5cb44f30c686c0f15ba40
SHA512

243c905efb64a99454190a2f2d401fc0dc9df2286a82c2e0d96b3c65b03a8cb65d2edae44260080a4b9c507883c9d31fef2834d193bdf135753612d96bf2e48b
SSDEEP

24576:jO/V6MZNH+y/YF0g0DWtWrnngnnnKnanxNn8w:ezvwF0/DWErnngnnnKnanzn8

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	SabtRayaneV3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Gathers network information 2 TTPs 11 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1072	ipconfig.exe
2800	ipconfig.exe
1948	ipconfig.exe
2468	ipconfig.exe
2368	ipconfig.exe
592	ipconfig.exe
2900	ipconfig.exe
916	ipconfig.exe
2144	ipconfig.exe
2012	ipconfig.exe
2020	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000878f858549c9c44093b2e91b2a3332a90000000002000000000010660000000100002000000059a88eee989aacd038799ce21b42d5596f0879da69ccb01fc8ce266fff0e336d000000000e80000000020000200000001713b66ca5227a599c42af0d871d55d5a835b89c6b47e45b51c6e63f0180f85020000000515fb3c6674f57cedd7cb08937f9b1b3a939438675fb086a4c9dd2a726405dab4000000016bdda80e285474d53d12c3333f8768a2ce9d87771be415f6843552221ce27d2fb87f94bf5dbb137962186b2571b3e441782df51b2c1fbb365ba3015fb25f38c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C37D7D31-A67E-11EF-A429-7A64CBF9805C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6028719f8b3adb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438186752"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000878f858549c9c44093b2e91b2a3332a9000000000200000000001066000000010000200000005eeaeb414b41b451c5173a97a4dd080edf0379094aa121db056401347dc77bb4000000000e8000000002000020000000ac8118d12efe7d2f965ce5ea0a3e9f1ddf02436edad696a2638b77c0f386af9c90000000597b57e8d38b0ef3cb15d7708ba167c2eb21379622fa2d319c7542e1427817ec294697f7f5394f83777bf8ff9c95bc581fcb62940c6d433d62bffeaf453bfa7d82711e2bd5559631f4839e3b589234461d614d72b795fc8fc42b8c15f3ece9e37bf3c9c80bcdd3a8362207b9e0f7772eed2417bd723872bc1ff939f062fbaf697d59917c9aff9ddb26df9d77a3a127b840000000d0ca281f88c86d20e4b7337beddec048dfb7ae13e0ad4b5c8217f904641546df20992483ffbe81c0451a65b87dc54c9179c780251938d98f681641e9e6750af8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe
2780	SabtRayaneV3.exe
2080	iexplore.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe
2780	SabtRayaneV3.exe

Suspicious use of SetWindowsHookEx 58 IoCs

pid	Process
2968	rasphone.exe
2864	rasphone.exe
2080	iexplore.exe
2080	iexplore.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2080	iexplore.exe
2080	iexplore.exe
1804	rasphone.exe
2460	IEXPLORE.EXE
2460	IEXPLORE.EXE
2080	iexplore.exe
2080	iexplore.exe
1256	rasphone.exe
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
2080	iexplore.exe
2080	iexplore.exe
2668	rasphone.exe
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2080	iexplore.exe
2080	iexplore.exe
1796	rasphone.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2080	iexplore.exe
2080	iexplore.exe
1544	rasphone.exe
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
2080	iexplore.exe
2080	iexplore.exe
576	rasphone.exe
2460	IEXPLORE.EXE
2460	IEXPLORE.EXE
2080	iexplore.exe
2080	iexplore.exe
2424	rasphone.exe
1132	IEXPLORE.EXE
1132	IEXPLORE.EXE
2080	iexplore.exe
2080	iexplore.exe
972	rasphone.exe
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
2080	iexplore.exe
2080	iexplore.exe
928	rasphone.exe
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
2080	iexplore.exe
2080	iexplore.exe
2832	rasphone.exe
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3008	2780	SabtRayaneV3.exe	30
PID 2780 wrote to memory of 3008	2780	SabtRayaneV3.exe	30
PID 2780 wrote to memory of 3008	2780	SabtRayaneV3.exe	30
PID 3008 wrote to memory of 2232	3008	cmd.exe	32
PID 3008 wrote to memory of 2232	3008	cmd.exe	32
PID 3008 wrote to memory of 2232	3008	cmd.exe	32
PID 2780 wrote to memory of 2968	2780	SabtRayaneV3.exe	33
PID 2780 wrote to memory of 2968	2780	SabtRayaneV3.exe	33
PID 2780 wrote to memory of 2968	2780	SabtRayaneV3.exe	33
PID 2780 wrote to memory of 2144	2780	SabtRayaneV3.exe	34
PID 2780 wrote to memory of 2144	2780	SabtRayaneV3.exe	34
PID 2780 wrote to memory of 2144	2780	SabtRayaneV3.exe	34
PID 2780 wrote to memory of 2812	2780	SabtRayaneV3.exe	36
PID 2780 wrote to memory of 2812	2780	SabtRayaneV3.exe	36
PID 2780 wrote to memory of 2812	2780	SabtRayaneV3.exe	36
PID 2780 wrote to memory of 2896	2780	SabtRayaneV3.exe	38
PID 2780 wrote to memory of 2896	2780	SabtRayaneV3.exe	38
PID 2780 wrote to memory of 2896	2780	SabtRayaneV3.exe	38
PID 2780 wrote to memory of 2080	2780	SabtRayaneV3.exe	40
PID 2780 wrote to memory of 2080	2780	SabtRayaneV3.exe	40
PID 2780 wrote to memory of 2080	2780	SabtRayaneV3.exe	40
PID 2780 wrote to memory of 2864	2780	SabtRayaneV3.exe	41
PID 2780 wrote to memory of 2864	2780	SabtRayaneV3.exe	41
PID 2780 wrote to memory of 2864	2780	SabtRayaneV3.exe	41
PID 2080 wrote to memory of 2748	2080	iexplore.exe	42
PID 2080 wrote to memory of 2748	2080	iexplore.exe	42
PID 2080 wrote to memory of 2748	2080	iexplore.exe	42
PID 2080 wrote to memory of 2748	2080	iexplore.exe	42
PID 2780 wrote to memory of 1948	2780	SabtRayaneV3.exe	44
PID 2780 wrote to memory of 1948	2780	SabtRayaneV3.exe	44
PID 2780 wrote to memory of 1948	2780	SabtRayaneV3.exe	44
PID 2780 wrote to memory of 3000	2780	SabtRayaneV3.exe	46
PID 2780 wrote to memory of 3000	2780	SabtRayaneV3.exe	46
PID 2780 wrote to memory of 3000	2780	SabtRayaneV3.exe	46
PID 2780 wrote to memory of 3016	2780	SabtRayaneV3.exe	48
PID 2780 wrote to memory of 3016	2780	SabtRayaneV3.exe	48
PID 2780 wrote to memory of 3016	2780	SabtRayaneV3.exe	48
PID 2780 wrote to memory of 2204	2780	SabtRayaneV3.exe	50
PID 2780 wrote to memory of 2204	2780	SabtRayaneV3.exe	50
PID 2780 wrote to memory of 2204	2780	SabtRayaneV3.exe	50
PID 2080 wrote to memory of 2460	2080	iexplore.exe	51
PID 2080 wrote to memory of 2460	2080	iexplore.exe	51
PID 2080 wrote to memory of 2460	2080	iexplore.exe	51
PID 2080 wrote to memory of 2460	2080	iexplore.exe	51
PID 2780 wrote to memory of 1804	2780	SabtRayaneV3.exe	52
PID 2780 wrote to memory of 1804	2780	SabtRayaneV3.exe	52
PID 2780 wrote to memory of 1804	2780	SabtRayaneV3.exe	52
PID 2780 wrote to memory of 2468	2780	SabtRayaneV3.exe	53
PID 2780 wrote to memory of 2468	2780	SabtRayaneV3.exe	53
PID 2780 wrote to memory of 2468	2780	SabtRayaneV3.exe	53
PID 2780 wrote to memory of 1096	2780	SabtRayaneV3.exe	55
PID 2780 wrote to memory of 1096	2780	SabtRayaneV3.exe	55
PID 2780 wrote to memory of 1096	2780	SabtRayaneV3.exe	55
PID 2780 wrote to memory of 1728	2780	SabtRayaneV3.exe	57
PID 2780 wrote to memory of 1728	2780	SabtRayaneV3.exe	57
PID 2780 wrote to memory of 1728	2780	SabtRayaneV3.exe	57
PID 2780 wrote to memory of 2388	2780	SabtRayaneV3.exe	59
PID 2780 wrote to memory of 2388	2780	SabtRayaneV3.exe	59
PID 2780 wrote to memory of 2388	2780	SabtRayaneV3.exe	59
PID 2780 wrote to memory of 1256	2780	SabtRayaneV3.exe	60
PID 2780 wrote to memory of 1256	2780	SabtRayaneV3.exe	60
PID 2780 wrote to memory of 1256	2780	SabtRayaneV3.exe	60
PID 2080 wrote to memory of 1956	2080	iexplore.exe	61
PID 2080 wrote to memory of 1956	2080	iexplore.exe	61

C:\Users\Admin\AppData\Local\Temp\SabtRayaneV3.exe
"C:\Users\Admin\AppData\Local\Temp\SabtRayaneV3.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c route delete 10.1.0.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\ROUTE.EXE
    route delete 10.1.0.0
    3⤵
    PID:2232
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2968
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:2144
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:2812
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:2896
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2748
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:406533 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2460
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:406538 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1956
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275484 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2540
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:1455120 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1700
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:1651736 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1132
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:1782821 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1984
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2864
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:1948
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:3000
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:3016
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:2204
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1804
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:2468
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:1096
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:1728
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:2388
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:2012
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:1368
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:928
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:2588
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2668
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:2020
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:1424
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:864
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:1664
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1796
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:2368
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:2320
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:868
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:1128
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1544
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:592
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:2144
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:2904
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:1008
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:576
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:2900
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:2456
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:1264
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:1896
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2424
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:916
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:628
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:944
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:1804
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:972
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:1072
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:1012
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:1628
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:1424
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:928
- C:\Windows\system32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:2800
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:2888
- C:\Windows\system32\route.exe
  "route" PRINT
  2⤵
  PID:2736
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:2368
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59b0bc447acfdf7ad88cd2bb23743ae3

SHA1
72b3000fe42730312fcccdc4135137323790a479

SHA256
8d23290d1f0175e5fef8484629aa2b2d44d8e7243b6837faa0b772fefb5172be

SHA512
c55d243cfb3c41a4b3aa56fd3b719e8bd33a1b3877d4ead067b2c6dd432254fe3f89e4b27562043fd325b6fa19ab297446473539bd9fa61bc48660aadb3ef3a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4271ce867cc73af4b1f0271d82a2741

SHA1
6d2021f9918be992920fd44ebaf22457a84b5901

SHA256
ea5d16ec1f5901af592ebace9eead62aad42e5508a1f7a431721b8206ae0a1bd

SHA512
9e75b4bb3690929d3f9f18e329962858e38d3f078beef9945f28837a5002788978d4dddceb9805555211237447c01af25d09d6443eae126f6ae307b84a5392fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbb32fbd9b22090bcc75ebfb96ea3a7c

SHA1
7aab8d376ce09126652a02bfe62b6dbbfa05f101

SHA256
92483e0ce718535f48bd35179886a1a466b34f4ecd251879bcbb70b2712b5de5

SHA512
544a56640028c56e4820d494ed4a4f94c7cee51530beceaac52c07fc97fd80365d76fb11bd85799e53bec5a25bdb26627308594203238399ef1bdc16dcdb0337

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bcf57d453d85035441e571bc6d7a749

SHA1
ab575e3195e76d2d878ca986cb1dafcace315b79

SHA256
694a35c438d0a585cd29b166b9a2529ef6ad5a5616112664b947269fb392d798

SHA512
ef13e958a4a9be07397f98da28277ba2491d2469da51b2deb3aeb256a94cc110d419c6c0c64d1f4431db0ae960c21f7fd4030b23fc864af606ed4a99d4a39fec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15b7e601e644c99eabcc2ea01b943aee

SHA1
36a52d28264cfc22b20796d9276a3d66221d5539

SHA256
ff515fb999300ab7322578870b8231fffec1484623ac39ba44792e2c5b32d93b

SHA512
d636955b1ab1e85f44093582d392aaa7f2ada5ef37a974d9dff84fdcb223adec3b1da9b36f406fb9e37f4ad782daf35cc36c1bca042c534e0837568c49c76d1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e88293369d9805d6956675f9231754c0

SHA1
1017b384b567547dd92098bd6f68ac918ddbaa72

SHA256
ad8aca72f9ea0b0bd455d2e3f5a549b89068d871b23be67df648caecb19739ae

SHA512
10285f2081638cf0bfc4f1307bf47defd4aef59d61f665e522a9e94b20dfe591a1346fea48754a6e9912c7770bfa5ed2525597911ebab9d6f328eda848241710

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ca616e7ac7d843195d808430f8bf33b

SHA1
4b8bdca8361813b1bc26f4a6a32680836e7a6012

SHA256
070b3ef560b88ac1a2c7e6c2ebf476db6f537c6289c1c3403a49ab16a358f84f

SHA512
c1de37025c0903bb56704aabdf6b774afbd5271d1fb1ac8b0fda16de4565c6859c9fd1381327aeedde23df6db84c5721104b6ff9ea569bdc367dbe9db8caeda1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40f60bfdfdebcde27d12b9c066bb57a7

SHA1
cc937652b5db3f4060994e9471a9d4b4feabb6d8

SHA256
0b0afefa63be5aaef84d709482c0f778763c06119b661a5e0d55db08ed2289be

SHA512
70297e6477cbda4e5270f31b932e42b7b29ff6ecee5fa68d239cc4a7b3e3ef87d6be0def14f3b51d888037fe349e15a08cce3cc1fcd795e8c81f5114d3b87528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
765302e159a936257a05ca61e1f3da10

SHA1
1f08c086020b06784b880e98210131d2ff42fed3

SHA256
3f2f700bfbb47f848edc9d63d571a6e377e08b34e5eb2f2099800e56ed9b1f86

SHA512
d9e74f625db06a9a3d10f47542011aa9124c79542983dffb0467086f2f14e1aa3519d6c1d95c89fc1d83d4390affd93d0cb375f10dc14a72cb53f423bc5d1b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8B420DKQ\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDDDRHWK\httpErrorPagesScripts[2]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD201.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD290.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2780-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2780-7-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-6-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2780-5-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-1-0x00000000003D0000-0x00000000004B2000-memory.dmp

Filesize
904KB

Download