471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Analysis

max time kernel
1200s
max time network
839s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
Size

151KB
MD5

993135dacbff2607839ee5a76ca06c61
SHA1

c1a9a8cdad293887214605ca0e47f3ddfa4e1a52
SHA256

98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7
SHA512

69472dc86d5d3c44742b209fb0a57ab3afd8f93d0c5adfdcd48c2e4828828309101fcb9500813044712b1bc3e85e6a2ad3e5dde5f3818fb8772f0ff5d0b873ea
SSDEEP

3072:aMAr2Q8LH/r1GgDwheOj9Pm4uX2QZJiU8ypfoAWe:aMAaQ0D1VDwheuhJmJiU8y90

Score

10^/10

discovery persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\How to restore files.hta

Ransom Note

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="windows-1251"> <title>GLOBE</title> <HTA:APPLICATION ICON="msiexec.exe" SINGLEINSTANCE="yes"> <script language="JScript"> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">YOUR FILES HAVE BEEN ENCRYPTED! </div> <div class="note private"> <div class="title">You personal ID</div> <pre>0183888474050587583565227225768717908977834349867004609688057603256712204224845899417709671471504307 3445304746561955759365679657965086783538757499900543459869926578050002284945320662368228187787250083 0746841418163366532583394056997106747414259934414604851314293645197216019694420413633747471005203701 4410808676856836937935811516378809330026780131992619201682729129487284685255468204568891205472358674 4034702920844013997088282824414176255171909865964206894752586170856066648224556842597185185000942180 0758300807727834924159635550609269712194543457075151851716462571725340697733621498745696964231124309 811632150657227379</pre> </div> <div class=bold>Your files have been been encrypted with a powerfull strain of a virus called ransomware.</div> <div> Your files are encrytped using rsa encryption, the same standard used by the military and banks. It is currently impossible to decrypt files encrypted with rsa encryption..</div> <div>Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info neccessary to decrypt all your files, quickly and easilly. </div> <div>In order to get in touch with us email us at <span class="mark">[email protected]</span>.In your email write your personal ID (its located at the up of the page, it is a string of random characters). Once we receive your personal ID, we will send you payment instructions. </div> <div>As proff we can decrypt you files we may decrypt 1 small file for test. </div> <div class="note info"> <div class="title">If you dont get answer from [email protected] in 10 hours</div> <ul> <li>Register here: <a href="http://bitmsg.me">http://bitmsg.me</a> (online sending message service Bitmessage)</li> <li>Write to adress <span class="mark">BM-2cUrKsazEKiamN9cZ17xQq9c5JpRpokca5</span> with you email and personal ID</li> </ul> </div> <div>When you payment will bee confirmed, You will get decrypter of files on you computer.</div> <div>After you run decrypter software all you files will be decryped and restored.</div> <div class="note alert"> <div class="title">IMPORTANT!</div> <ul> <li>Do not try restore files without our help, this is useless and you may lose data permanetly</li> <li>Decrypters of others clients are unique and work only on PC with they personal ID.</li> <li>We can not keep your decryption keys forever, meaning after 1 week after you have been infected, if you have not paid, we will not be able to decrypt your files. Email us as soon as you see this message, we know exactly when everyone has been encrypted and the longer you wait, the higher the payment gets. </li> </ul> </div> </body> </html>

Emails

class="mark">[email protected]</span>.In

[email protected]

Signatures

Renames multiple (4603) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 3 IoCs

Processes:

msiscan.exe~wtmp001.exewmon.exe

pid process

2768 msiscan.exe
2180 ~wtmp001.exe
2472 wmon.exe

pid	process
2768	msiscan.exe
2180	~wtmp001.exe
2472	wmon.exe

Loads dropped DLL 6 IoCs

Processes:

98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exemsiscan.exe~wtmp001.exe

pid	process
2888	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
2888	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
2768	msiscan.exe
2768	msiscan.exe
2180	~wtmp001.exe
2180	~wtmp001.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiscan.exemshta.exemshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\How to restore files = "mshta.exe \"C:\\Users\\Admin\\How to restore files.hta\""	msiscan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wmon = "C:\\Users\\Admin\\AppData\\Local\\wmon.exe"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{7EE83558-92B4-4741-8714-1DE414DEA489} = "C:\\Users\\Admin\\AppData\\Local\\msiscan.exe"	mshta.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiscan.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	msiscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	msiscan.exe

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral27/memory/2888-0-0x0000000000400000-0x000000000044B000-memory.dmp	upx
\Users\Admin\AppData\Local\msiscan.exe	upx
behavioral27/memory/2888-12-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-13-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-226-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-225-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-491-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-712-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-872-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-1017-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-1154-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-1283-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-1400-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-1542-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-1883-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-2279-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-2760-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-3122-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-3265-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-3424-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-3572-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-3737-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-3891-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-4049-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-4189-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-4334-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-4596-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-4860-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-5097-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-5769-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-6284-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-6920-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-7159-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-7352-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-7525-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-7683-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-7838-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-8002-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-8155-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-8288-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-8450-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-8686-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-8754-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral27/memory/2768-8768-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

msiscan.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.purge	msiscan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif.purge	msiscan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png.purge	msiscan.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.purge	msiscan.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\How to restore files.hta	msiscan.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js.purge	msiscan.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui.purge	msiscan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\background.gif.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html.purge	msiscan.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.purge	msiscan.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\How to restore files.hta	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.purge	msiscan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css.purge	msiscan.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECL.ICO.purge	msiscan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\How to restore files.hta	msiscan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG.purge	msiscan.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui.purge	msiscan.exe
File created	C:\Program Files\Windows Mail\ja-JP\How to restore files.hta	msiscan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\How to restore files.hta	msiscan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47B.GIF.purge	msiscan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png.purge	msiscan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui.purge	msiscan.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\How to restore files.hta	msiscan.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html.purge	msiscan.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT.purge	msiscan.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\How to restore files.hta	msiscan.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui.purge	msiscan.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.purge	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.purge	msiscan.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\PREVIEW.GIF.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif.purge	msiscan.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui.purge	msiscan.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.purge	msiscan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14538_.GIF.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\How to restore files.hta	msiscan.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar.purge	msiscan.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml.purge	msiscan.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.purge	msiscan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png.purge	msiscan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml.purge	msiscan.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui.purge	msiscan.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\How to restore files.hta	msiscan.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png.purge	msiscan.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui.purge	msiscan.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\gadget.xml.purge	msiscan.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\How to restore files.hta	msiscan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png.purge	msiscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetaskkill.exemshta.exewmon.exemshta.exe~wtmp001.exemshta.exemshta.exe98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exemsiscan.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~wtmp001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiscan.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1620 taskkill.exe

pid	process
1620	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

msiscan.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop	msiscan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\TileWallpaper = "0"	msiscan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\WallpaperStyle = "2"	msiscan.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiscan.exe

pid process

2768 msiscan.exe
2768 msiscan.exe
2768 msiscan.exe
2768 msiscan.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1620 taskkill.exe

pid	process
2768	msiscan.exe
2768	msiscan.exe
2768	msiscan.exe
2768	msiscan.exe

description	pid	process
Token: SeDebugPrivilege	1620	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exemsiscan.exe~wtmp001.exewmon.execmd.exe

description	pid	process	target process
PID 2888 wrote to memory of 2768	2888	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe	msiscan.exe
PID 2888 wrote to memory of 2768	2888	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe	msiscan.exe
PID 2888 wrote to memory of 2768	2888	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe	msiscan.exe
PID 2888 wrote to memory of 2768	2888	98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe	msiscan.exe
PID 2768 wrote to memory of 2620	2768	msiscan.exe	mshta.exe
PID 2768 wrote to memory of 2620	2768	msiscan.exe	mshta.exe
PID 2768 wrote to memory of 2620	2768	msiscan.exe	mshta.exe
PID 2768 wrote to memory of 2620	2768	msiscan.exe	mshta.exe
PID 2768 wrote to memory of 904	2768	msiscan.exe	mshta.exe
PID 2768 wrote to memory of 904	2768	msiscan.exe	mshta.exe
PID 2768 wrote to memory of 904	2768	msiscan.exe	mshta.exe
PID 2768 wrote to memory of 904	2768	msiscan.exe	mshta.exe
PID 2768 wrote to memory of 2180	2768	msiscan.exe	~wtmp001.exe
PID 2768 wrote to memory of 2180	2768	msiscan.exe	~wtmp001.exe
PID 2768 wrote to memory of 2180	2768	msiscan.exe	~wtmp001.exe
PID 2768 wrote to memory of 2180	2768	msiscan.exe	~wtmp001.exe
PID 2180 wrote to memory of 2472	2180	~wtmp001.exe	wmon.exe
PID 2180 wrote to memory of 2472	2180	~wtmp001.exe	wmon.exe
PID 2180 wrote to memory of 2472	2180	~wtmp001.exe	wmon.exe
PID 2180 wrote to memory of 2472	2180	~wtmp001.exe	wmon.exe
PID 2180 wrote to memory of 2148	2180	~wtmp001.exe	mshta.exe
PID 2180 wrote to memory of 2148	2180	~wtmp001.exe	mshta.exe
PID 2180 wrote to memory of 2148	2180	~wtmp001.exe	mshta.exe
PID 2180 wrote to memory of 2148	2180	~wtmp001.exe	mshta.exe
PID 2472 wrote to memory of 2520	2472	wmon.exe	mshta.exe
PID 2472 wrote to memory of 2520	2472	wmon.exe	mshta.exe
PID 2472 wrote to memory of 2520	2472	wmon.exe	mshta.exe
PID 2472 wrote to memory of 2520	2472	wmon.exe	mshta.exe
PID 2768 wrote to memory of 772	2768	msiscan.exe	cmd.exe
PID 2768 wrote to memory of 772	2768	msiscan.exe	cmd.exe
PID 2768 wrote to memory of 772	2768	msiscan.exe	cmd.exe
PID 2768 wrote to memory of 772	2768	msiscan.exe	cmd.exe
PID 772 wrote to memory of 1620	772	cmd.exe	taskkill.exe
PID 772 wrote to memory of 1620	772	cmd.exe	taskkill.exe
PID 772 wrote to memory of 1620	772	cmd.exe	taskkill.exe
PID 772 wrote to memory of 1620	772	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
"C:\Users\Admin\AppData\Local\Temp\98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\msiscan.exe
  "C:\Users\Admin\AppData\Local\msiscan.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\mshta.exe
    mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7EE83558-92B4-4741-8714-1DE414DEA489}','C:\\Users\\Admin\\AppData\\Local\\msiscan.exe');}catch(e){}},10);"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2620
- - C:\Windows\SysWOW64\mshta.exe
    mshta.exe "C:\Users\Admin\How to restore files.hta"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:904
- - C:\Users\Admin\AppData\Local\Temp\~wtmp001.exe
    C:\Users\Admin\AppData\Local\Temp\~wtmp001.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Local\wmon.exe
      "C:\Users\Admin\AppData\Local\wmon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wmon','C:\\Users\\Admin\\AppData\\Local\\wmon.exe');}catch(e){}},10);"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2520
  - - C:\Windows\SysWOW64\mshta.exe
      mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\~wtmp001.exe');close()}catch(e){}},10);"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C taskkill /PID 2620 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /PID 2620 /F
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.purge

Filesize
405KB

MD5
62b8f4566bf68bab6db8d110ddb0cef6

SHA1
56812afca274e27bdb22d6a59f0e8dfddd585c17

SHA256
3cf6e420e9251f1505d1b999d981f488c4f7aa83e9c4ae360026cc9ee62c003a

SHA512
75dd30956cd45c47d1b0f2e06d94d577830cadd7420748d8e389725cf43e17d597ae3b1ae2e0ab01e8924cec36ce24500f24fa34dcc94140798f5f6d931c0d3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\How to restore files.hta

Filesize
4KB

MD5
501901da96ea73075c3cb2ce15f97d6d

SHA1
1bf1cc4f8739e59505b97762b95bc2d589fd015a

SHA256
ac1059b9d881d5e66934fb4e1d1d625647b30559e9694e963633935408a00221

SHA512
53e9b0bb3556aa96b2f3d47423e2f414e0c767c05fab8d0e6b68ee932443bfbfde317307d1da846655cded63e1bb94281c5a41978ff64d0e8cf1c226db7bf8d1

Download Submit
\Users\Admin\AppData\Local\Temp\~wtmp001.exe

Filesize
26KB

MD5
0f619a859872cee5c1fac8594f2ce9ad

SHA1
fae9e83196477b9fa770916026427c6e0a4438be

SHA256
866a90a9f3db2fde0311fdd46e69f54cf761c845e06ab73468ede4fe466ce2bd

SHA512
cb612d9d0b2c7ecca4379146076bd90d0ad374fea65e622883386455ef388d7957d48c537d3b0c0b4b965c99c3277bd6edfd11cf8cb5aedb460903e8956c5104

Download Submit
\Users\Admin\AppData\Local\msiscan.exe

Filesize
151KB

MD5
993135dacbff2607839ee5a76ca06c61

SHA1
c1a9a8cdad293887214605ca0e47f3ddfa4e1a52

SHA256
98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7

SHA512
69472dc86d5d3c44742b209fb0a57ab3afd8f93d0c5adfdcd48c2e4828828309101fcb9500813044712b1bc3e85e6a2ad3e5dde5f3818fb8772f0ff5d0b873ea

Download Submit
memory/2180-8765-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2180-8755-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2472-8769-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2768-4189-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-5097-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-1017-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-1154-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-1283-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-1400-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-1542-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-1883-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-2279-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-2760-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-3122-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-3265-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-3424-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-3572-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-3737-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-3891-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-4049-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-712-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-4334-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-4596-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-4860-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-872-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-5769-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-6284-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-6920-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-7159-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-7352-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-7525-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-7683-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-7838-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-8002-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-8155-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-8288-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-8450-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-491-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-8686-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-8754-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-225-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-226-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-8768-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2768-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2888-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2888-9-0x0000000002530000-0x000000000257B000-memory.dmp

Filesize
300KB

Download
memory/2888-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download