472da789eb38296d93d4a4304787da6e20fc0ff451c5cb44f30c686c0f15ba40

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SabtRayaneV3.exe
Size

876KB
MD5

c243073d537ac6acdca3f7ba693f471c
SHA1

e93c2d9cae0263af5dbde2689f81eab0378657b3
SHA256

472da789eb38296d93d4a4304787da6e20fc0ff451c5cb44f30c686c0f15ba40
SHA512

243c905efb64a99454190a2f2d401fc0dc9df2286a82c2e0d96b3c65b03a8cb65d2edae44260080a4b9c507883c9d31fef2834d193bdf135753612d96bf2e48b
SSDEEP

24576:jO/V6MZNH+y/YF0g0DWtWrnngnnnKnanxNn8w:ezvwF0/DWErnngnnnKnanzn8

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	SabtRayaneV3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SabtRayaneV3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Gathers network information 2 TTPs 8 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
800	ipconfig.exe
4576	ipconfig.exe
2436	ipconfig.exe
2532	ipconfig.exe
4992	ipconfig.exe
1992	ipconfig.exe
1048	ipconfig.exe
4416	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144587"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2631924864"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000645c69dcf33f304d82964e308b3da4ad00000000020000000000106600000001000020000000eca83ddae254a3d807cd98c070b5976cb74d518f915a1701df0becd312498290000000000e8000000002000020000000b84f051d3ee7201b4ec4f5724fa2543a75c35e5d196a993f851b182d6e4fef96200000009733057a35ad4b191ecc5f23a04311181483a396a4b1c03e27233673e8c49ab340000000758af387f96fc1a424ed755cbf4a2858cb9a127b1009782dc1423eedddcc9c333d4124b8b2014fa39aee99865e6a1f98ed8b20fc0d4be3b6276e604f02b61fee	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000645c69dcf33f304d82964e308b3da4ad00000000020000000000106600000001000020000000e84243997c46b2d61eed5af2b8795bb4ca7b07de282a1f33dec4c1621fb48389000000000e8000000002000020000000c4e59dc53b8e0764ed7db58bd3c8452b837f592a58c61a483adcb4bb8b880fb520000000cfe566cbbff527cceb39dc158b1896af438f1d744e5a6bb790232992dac68654400000007d1ac32217b6c8aa2ba8b3cd5fc799559af7d708d620a90cb4bcbe4cb0cce3711bc0d337c3f0783e8fc87bfe8500187d8c455686ccd3b10f97a5000c64bece46	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0084239c8b3adb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2740831468"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2624581053"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438789867"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2624581053"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144587"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00fda6a98b3adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4e00000000000000d404000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144587"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2896456454"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000645c69dcf33f304d82964e308b3da4ad00000000020000000000106600000001000020000000714bcda3e0e5dc9a335a762b0cfc720304e84a37c745a226b3b069115524f2a4000000000e800000000200002000000079f98da97f73084fb68ce1bfc61a64de45865884bdf58f2b42e367828b744bc6200000008fbd031d1b2cd7df3391d6cbbadfd646700783fe54c773345a3412953d04fdfb40000000f3d6e1b7e28364f46714203f1e6f9498fa7201ba448ebae703d4717461e6db9befbff283547b4ae79120a93adbe7ee35c51d6118193ad1355ffee7eb79444dc3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144587"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0276d978b3adb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000645c69dcf33f304d82964e308b3da4ad00000000020000000000106600000001000020000000dcb6b1a0d2af7e0d3e4ba828bfcf8b2b36689459118e9a67a9e9141a78e14789000000000e800000000200002000000002eb44d56ee3bc415fa922fbec4185de62e29af5284866dab078b5b9187747cc2000000056f4fad2048407e692872ea187cf261537ad654265a357e75b1b12ab1afb18da4000000000fc368795f2ae61d9d52fd3d76af2e1cbf29ad6a160a53306d156e343b7567d75c3cfc9c72b6c3b2332a4aa2b19988c432c87ad790285268fa212cca9f67595	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705d639a8b3adb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000645c69dcf33f304d82964e308b3da4ad000000000200000000001066000000010000200000007028caec3bbebd57bb75b8baf6dc537fdc43b116b156db90d27348b084ffd1a2000000000e8000000002000020000000408248219559351f4ba4adef6993fb4d493ba817d1fac81e18abe8e36d8d57382000000045715c660e8ce15730818e1c42e541e56d0719cc411705ffac645d554d07945c4000000034be54cf613f373e29b06fec4312af8c792023d7be4472d2594e96486eb4168b5704c989e7878a60957803e1d1071f89b4543c4bd2a81ff41ae2eb70e219a1b7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2691612422"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144587"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000645c69dcf33f304d82964e308b3da4ad0000000002000000000010660000000100002000000037b0c21c590dd211443e4c48d5c363fb1a6c587327a075d25bccfa3558e80a6a000000000e800000000200002000000039603255b5fd2d4c08cbd9d43f889108360f7c62754909db7782232954f8d95c20000000adc18bdbe75b30ddb7335e43a5a0caece1aa0aa57c8d008372c0a5c44bbb27ce400000003faaa3943a9c81dd14113a33921b435daf163af9fea3fdd0586f6e785074c10f9b6852f53d69e9ec01f44c44c428a162fa5e6a6eefc352ec0428e8722258135b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50f560a28b3adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00f2529f8b3adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144587"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SabtRayaneV3.exe

Suspicious behavior: LoadsDriver 38 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
4828	SabtRayaneV3.exe
4828	SabtRayaneV3.exe
3624	iexplore.exe
4828	SabtRayaneV3.exe
3624	iexplore.exe
4828	SabtRayaneV3.exe
3624	iexplore.exe
4828	SabtRayaneV3.exe
3624	iexplore.exe
4828	SabtRayaneV3.exe
3624	iexplore.exe
4828	SabtRayaneV3.exe
3624	iexplore.exe
4828	SabtRayaneV3.exe
3624	iexplore.exe
4828	SabtRayaneV3.exe
3624	iexplore.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4828	SabtRayaneV3.exe
4828	SabtRayaneV3.exe
4828	SabtRayaneV3.exe
4828	SabtRayaneV3.exe
4828	SabtRayaneV3.exe
4828	SabtRayaneV3.exe
4828	SabtRayaneV3.exe
4828	SabtRayaneV3.exe
4828	SabtRayaneV3.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
2396	rasphone.exe
3624	iexplore.exe
3624	iexplore.exe
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
2176	rasphone.exe
3624	iexplore.exe
3624	iexplore.exe
376	IEXPLORE.EXE
376	IEXPLORE.EXE
2228	rasphone.exe
3624	iexplore.exe
3624	iexplore.exe
3296	IEXPLORE.EXE
3296	IEXPLORE.EXE
4672	rasphone.exe
3624	iexplore.exe
3624	iexplore.exe
2208	IEXPLORE.EXE
2208	IEXPLORE.EXE
1460	rasphone.exe
3624	iexplore.exe
3624	iexplore.exe
376	IEXPLORE.EXE
376	IEXPLORE.EXE
5112	rasphone.exe
3624	iexplore.exe
3624	iexplore.exe
1792	IEXPLORE.EXE
1792	IEXPLORE.EXE
3956	rasphone.exe
3624	iexplore.exe
3624	iexplore.exe
3296	IEXPLORE.EXE
3296	IEXPLORE.EXE
4080	rasphone.exe
3624	iexplore.exe
3624	iexplore.exe
3520	IEXPLORE.EXE
3520	IEXPLORE.EXE
3596	rasphone.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2636	4828	SabtRayaneV3.exe	84
PID 4828 wrote to memory of 2636	4828	SabtRayaneV3.exe	84
PID 2636 wrote to memory of 1972	2636	cmd.exe	86
PID 2636 wrote to memory of 1972	2636	cmd.exe	86
PID 4828 wrote to memory of 2396	4828	SabtRayaneV3.exe	87
PID 4828 wrote to memory of 2396	4828	SabtRayaneV3.exe	87
PID 4828 wrote to memory of 4992	4828	SabtRayaneV3.exe	99
PID 4828 wrote to memory of 4992	4828	SabtRayaneV3.exe	99
PID 4828 wrote to memory of 3348	4828	SabtRayaneV3.exe	101
PID 4828 wrote to memory of 3348	4828	SabtRayaneV3.exe	101
PID 4828 wrote to memory of 1928	4828	SabtRayaneV3.exe	104
PID 4828 wrote to memory of 1928	4828	SabtRayaneV3.exe	104
PID 4828 wrote to memory of 3624	4828	SabtRayaneV3.exe	106
PID 4828 wrote to memory of 3624	4828	SabtRayaneV3.exe	106
PID 4828 wrote to memory of 2176	4828	SabtRayaneV3.exe	107
PID 4828 wrote to memory of 2176	4828	SabtRayaneV3.exe	107
PID 3624 wrote to memory of 2084	3624	iexplore.exe	109
PID 3624 wrote to memory of 2084	3624	iexplore.exe	109
PID 3624 wrote to memory of 2084	3624	iexplore.exe	109
PID 4828 wrote to memory of 1992	4828	SabtRayaneV3.exe	112
PID 4828 wrote to memory of 1992	4828	SabtRayaneV3.exe	112
PID 4828 wrote to memory of 4244	4828	SabtRayaneV3.exe	114
PID 4828 wrote to memory of 4244	4828	SabtRayaneV3.exe	114
PID 4828 wrote to memory of 1284	4828	SabtRayaneV3.exe	116
PID 4828 wrote to memory of 1284	4828	SabtRayaneV3.exe	116
PID 4828 wrote to memory of 1612	4828	SabtRayaneV3.exe	118
PID 4828 wrote to memory of 1612	4828	SabtRayaneV3.exe	118
PID 4828 wrote to memory of 2228	4828	SabtRayaneV3.exe	119
PID 4828 wrote to memory of 2228	4828	SabtRayaneV3.exe	119
PID 3624 wrote to memory of 376	3624	iexplore.exe	120
PID 3624 wrote to memory of 376	3624	iexplore.exe	120
PID 3624 wrote to memory of 376	3624	iexplore.exe	120
PID 4828 wrote to memory of 1048	4828	SabtRayaneV3.exe	122
PID 4828 wrote to memory of 1048	4828	SabtRayaneV3.exe	122
PID 4828 wrote to memory of 4040	4828	SabtRayaneV3.exe	124
PID 4828 wrote to memory of 4040	4828	SabtRayaneV3.exe	124
PID 4828 wrote to memory of 3596	4828	SabtRayaneV3.exe	126
PID 4828 wrote to memory of 3596	4828	SabtRayaneV3.exe	126
PID 4828 wrote to memory of 4576	4828	SabtRayaneV3.exe	128
PID 4828 wrote to memory of 4576	4828	SabtRayaneV3.exe	128
PID 4828 wrote to memory of 4672	4828	SabtRayaneV3.exe	129
PID 4828 wrote to memory of 4672	4828	SabtRayaneV3.exe	129
PID 3624 wrote to memory of 3296	3624	iexplore.exe	130
PID 3624 wrote to memory of 3296	3624	iexplore.exe	130
PID 3624 wrote to memory of 3296	3624	iexplore.exe	130
PID 4828 wrote to memory of 4416	4828	SabtRayaneV3.exe	132
PID 4828 wrote to memory of 4416	4828	SabtRayaneV3.exe	132
PID 4828 wrote to memory of 3828	4828	SabtRayaneV3.exe	134
PID 4828 wrote to memory of 3828	4828	SabtRayaneV3.exe	134
PID 4828 wrote to memory of 3452	4828	SabtRayaneV3.exe	136
PID 4828 wrote to memory of 3452	4828	SabtRayaneV3.exe	136
PID 4828 wrote to memory of 4552	4828	SabtRayaneV3.exe	138
PID 4828 wrote to memory of 4552	4828	SabtRayaneV3.exe	138
PID 4828 wrote to memory of 1460	4828	SabtRayaneV3.exe	139
PID 4828 wrote to memory of 1460	4828	SabtRayaneV3.exe	139
PID 3624 wrote to memory of 2208	3624	iexplore.exe	140
PID 3624 wrote to memory of 2208	3624	iexplore.exe	140
PID 3624 wrote to memory of 2208	3624	iexplore.exe	140
PID 4828 wrote to memory of 800	4828	SabtRayaneV3.exe	142
PID 4828 wrote to memory of 800	4828	SabtRayaneV3.exe	142
PID 4828 wrote to memory of 1632	4828	SabtRayaneV3.exe	144
PID 4828 wrote to memory of 1632	4828	SabtRayaneV3.exe	144
PID 4828 wrote to memory of 3440	4828	SabtRayaneV3.exe	146
PID 4828 wrote to memory of 3440	4828	SabtRayaneV3.exe	146

C:\Users\Admin\AppData\Local\Temp\SabtRayaneV3.exe
"C:\Users\Admin\AppData\Local\Temp\SabtRayaneV3.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c route delete 10.1.0.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\system32\ROUTE.EXE
    route delete 10.1.0.0
    3⤵
    PID:1972
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2396
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:4992
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:3348
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:1928
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2084
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:82950 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:376
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:82956 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3296
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:82964 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2208
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:82978 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1792
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:82994 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3520
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2176
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:1992
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:4244
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:1284
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:1612
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2228
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:1048
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:4040
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:3596
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:4576
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4672
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:4416
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:3828
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:3452
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:4552
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1460
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:800
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:1632
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:3440
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  - Modifies Internet Explorer settings
  PID:3412
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5112
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:4576
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:2612
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:368
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  - Modifies Internet Explorer settings
  PID:3948
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3956
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:2436
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:2428
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:4672
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  PID:1460
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4080
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" -all
  2⤵
  - Gathers network information
  PID:2532
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:3864
- C:\Windows\SYSTEM32\route.exe
  "route" PRINT
  2⤵
  PID:428
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://newra.ssaa.ir/
  2⤵
  - Modifies Internet Explorer settings
  PID:2420
- C:\Windows\system32\rasphone.exe
  "C:\Windows\system32\rasphone.exe" -f "C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
11d14077869dba67110eb7f6cae1b120

SHA1
f05e6bb7204a6e0efff37eedf3447eedc5de7b84

SHA256
d59818a872b22bd33909691c19daaf807ac7042fc6897dea5ba296d02530f39e

SHA512
9b62bb5f3e777e67ce440ca88f81e5e215443ad2c679b076d10a0534e816853340589d8d8e5e36fc53d60efe4dd5c0537e0fdf011064d1f8ff2c2dbffc2c992d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
ae87ac9d982641a4e2a697c64c1c7a01

SHA1
ad50cfd02d7491d9c4a5d2c1c12bfe9e72b02de4

SHA256
572d9d85434ab623387ebd8aa6d177ee8c03c0cf1982984aa714cba7c8388cbf

SHA512
a1480c805eb85209b0193be70ef7c539f5570977e2ce8ca6636ea6cda9b5029f71ecd5ae156697ba005532547d438a75b5ac5edae4020a2abfc0c321bc8315ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\84KCLP1T\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\dnserror[1]

Filesize
2KB

MD5
2dc61eb461da1436f5d22bce51425660

SHA1
e1b79bcab0f073868079d807faec669596dc46c1

SHA256
acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

SHA512
a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H6N4U6J0\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H6N4U6J0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTJXD3SW\NewErrorPageTemplate[1]

Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTJXD3SW\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\SabtRayane.pbk

Filesize
10KB

MD5
2495dbf84b46aeb737f2c38e662004e8

SHA1
61bbff2939892e39fc3211a9811a524548b23282

SHA256
21d41af91c17ba1d4d999a092e2da2a194096759e77759dedeebd004380a40ba

SHA512
0f910c26565baef4bdf8d8f71bb372b204e75bf611aa0d1e132be2f4095a6a4c8eaf593ec0137f31e8dac362e27246a2354aa83f8fb303bfef4f8cb61b0a356a

Download Submit
memory/4828-8-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/4828-0-0x00007FF916683000-0x00007FF916685000-memory.dmp

Filesize
8KB

Download
memory/4828-7-0x00007FF916683000-0x00007FF916685000-memory.dmp

Filesize
8KB

Download
memory/4828-2-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/4828-1-0x00000201DF790000-0x00000201DF872000-memory.dmp

Filesize
904KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads