fa7465ff52d0725c0ce446ca4f1686a3912c5117e7e37d87c5c4c013ec629599

General

Target

go.exe
Size

2.5MB
MD5

f7508239b937b2427649be8f77718f60
SHA1

ae85ece228d81f1b4cc8203bab4a8a2e45c2dc05
SHA256

fa7465ff52d0725c0ce446ca4f1686a3912c5117e7e37d87c5c4c013ec629599
SHA512

005a8cb1408d1049cf7926309bc7bf17689588b8804defd99dbfced6c36795faab4559320dc71d59f5259c7858bdb032d88c83c56f6cde2e9d9f0d28f8f1a66f

Score

7^/10

spyware

Malware Config

Signatures

Makes http(s) request 35 IoCs

Contacts server via http/https, possibly for C2 communication.

Processes:

description	flow	ioc
HTTP URL	13	https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
HTTP URL	9	http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
HTTP URL	10	http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDRK%2F8FyaXbFAgAAAABiBxA%3D
HTTP URL	12	https://www.google.com/images/searchbox/desktop_searchbox_sprites302_hr.png
HTTP URL	12	https://www.google.com/images/hpp/Chrome_Owned_96x96.png
HTTP URL	9	http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDE9U%2B0StibRggAAAAAOMpn
HTTP URL	10	http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
HTTP URL	12	https://www.google.com/
HTTP URL	9	http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDRK%2F8FyaXbFAgAAAABiBxA%3D
HTTP URL	18	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D
HTTP URL	23	https://www.gstatic.com/og/_/js/k=og.og2.en_US.FEloGPIUxuU.O/rt=j/m=def,aswid/exm=in,fot/d=1/ed=1/rs=AA2YrTuN33-IXpCG8rHIcuxpKxOOp1ywRQ
HTTP URL	13	https://www.google.com/gen_204?atyp=csi&ei=f_6xXo-PO8K8kwWYi5DYBQ&s=webhp&t=all&bl=7gJn&imn=2&adh=&ima=1&imad=0&ime=1&imex=1&imeh=1&imea=0&imeb=0&wh=626&scp=0&rt=xjsls.21575,iml.21090,aft.21090,prt.21700,xjses.22969,xjsee.24060,xjs.24061,dcl.24119,ol.25697,wsrt.142,cst.0,dnst.0,rqst.2758,rspt.2758,rqstt.142,unt.94,cstt.142,dit.24273&zx=1588730551701
HTTP URL	18	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
HTTP URL	26	https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.jw7XZHvcak8.O/m=gapi_iframes,googleapis_client,plusone/rt=j/sv=1/d=1/ed=1/rs=AHpOoo-L1iz4xVj0PCdm2On38RCj6aYemA/cb=gapi.loaded_0
HTTP URL	28	https://adservice.google.com/adsid/google/ui
HTTP URL	34	https://ieonline.microsoft.com/iedomainsuggestions/ie11/suggestions.en-US
HTTP URL	9	http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEA%2BEPZLn97gkAgAAAABjmRQ%3D
HTTP URL	12	https://www.google.com/gen_204?atyp=i&zx=1588730552769&ogsr=1&ei=f_6xXo3xO8-vkwWOzb2wBw&ct=7&cad=i&id=19017379&loc=webhp&prid=1&ogd=ca&ogprm=up&vis=1
HTTP URL	13	https://www.google.com/favicon.ico
HTTP URL	13	https://www.google.com/gen_204?s=webhp&t=aft&atyp=csi&ei=f_6xXo-PO8K8kwWYi5DYBQ&rt=wsrt.142,aft.21090,prt.21700&bl=7gJn&ima=1&imad=0&imn=2
HTTP URL	20	http://crl.verisign.com/pca3.crl
HTTP URL	9	http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEH7mS5j6VrGeCAAAAAA4yjo%3D
HTTP URL	10	http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEH7mS5j6VrGeCAAAAAA4yjo%3D
HTTP URL	12	https://www.google.com/xjs/_/js/k=xjs.s.en_GB.54hb1NAaVhw.O/ck=xjs.s.YyQAsrDL7fs.L.I11.O/am=AkAAAACwBGDWDQDgfxAAgAvKOAAAQICQCDYWSCMSEgIQgC0sAEA/d=1/exm=Fkg7bd,HcFEGb,IvlUe,MC8mtf,OF7gzc,RMhBfe,T4BAC,TJw5qb,TbaHGc,Y33vzc,cdos,cr,csi,d,hsm,iDPoPb,jsa,mvYTse,tg8oTe,uz938c,vWNDde,ws9Tlc,yQ43ff/ed=1/dg=2/ct=zgms/rs=ACT90oGx5q0vOLeF33rXITSBD53yrJ5aJA/m=RqxLvf,aa,abd,async,dvl,foot,lu,m,mUpTid,mu,sb_wiz,sf,xz7cCd?xjs=s1
HTTP URL	10	http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEA%2BEPZLn97gkAgAAAABjmRQ%3D
HTTP URL	13	https://www.google.com/images/nav_logo299.png
HTTP URL	18	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
HTTP URL	31	https://play.google.com/log?format=json&hasfast=true
HTTP URL	12	https://www.google.com/xjs/_/js/k=xjs.s.en_GB.54hb1NAaVhw.O/ck=xjs.s.YyQAsrDL7fs.L.I11.O/m=Fkg7bd,HcFEGb,IvlUe,MC8mtf,OF7gzc,RMhBfe,T4BAC,TJw5qb,TbaHGc,Y33vzc,cdos,cr,hsm,iDPoPb,jsa,mvYTse,tg8oTe,uz938c,vWNDde,ws9Tlc,yQ43ff,d,csi/am=AkAAAACwBGDWDQDgfxAAgAvKOAAAQICQCDYWSCMSEgIQgC0sAEA/d=1/dg=2/ct=zgms/rs=ACT90oGx5q0vOLeF33rXITSBD53yrJ5aJA
HTTP URL	12	https://www.google.com/gen_204?atyp=csi&ei=f_6xXo-PO8K8kwWYi5DYBQ&s=jsa&jsi=s,t.0,et.focus,n.iDPoPb,cn.1&zx=1588730553805
HTTP URL	13	https://www.google.com/xjs/_/js/k=xjs.s.en_GB.54hb1NAaVhw.O/ck=xjs.s.YyQAsrDL7fs.L.I11.O/am=AkAAAACwBGDWDQDgfxAAgAvKOAAAQICQCDYWSCMSEgIQgC0sAEA/d=1/exm=Fkg7bd,HcFEGb,IvlUe,MC8mtf,OF7gzc,RMhBfe,RqxLvf,T4BAC,TJw5qb,TbaHGc,Y33vzc,aa,abd,async,cdos,cr,csi,d,dvl,foot,hsm,iDPoPb,jsa,lu,m,mUpTid,mu,mvYTse,sb_wiz,sf,tg8oTe,uz938c,vWNDde,ws9Tlc,xz7cCd,yQ43ff/ed=1/dg=2/ct=zgms/rs=ACT90oGx5q0vOLeF33rXITSBD53yrJ5aJA/m=OG6ZHd,T7XTS,URQPYc,eN4qad,o02Jie,pB6Zqd,zbML3c?xjs=s2
HTTP URL	18	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAd1LOvlIi%2FPXH0gOJhMUZg%3D
HTTP URL	6	https://google.com/
HTTP URL	10	http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDE9U%2B0StibRggAAAAAOMpn
HTTP URL	15	https://ssl.gstatic.com/gb/images/i1_1967ca6a.png

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 2 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1172 NOTEPAD.EXE

pid	process
1172	NOTEPAD.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cf8d5bd09b0364592b95b96ab31238800000000020000000000106600000001000020000000304b6832b9e6265cc4bcfda096264d269550de87b372dc50404ea55334af9167000000000e8000000002000020000000d65f4e2cd9221532e0403ee602c2db643b3a17ceb0682239c7c283ceed911c7020000000b655fe1e5d3ef8b4c20cf9a213b06cd8729b39ee82b2ba2a29a2a9e19a6ff60240000000815531ddfae989bc4173d9023df8ba6a0f5a141ba475e348b3e049ebdc84f155b95b08aee441eb89813c5f033e6ddfc7b899ce96e38ef5e1391d9b5297918948	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "295495478"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cf8d5bd09b0364592b95b96ab312388000000000200000000001066000000010000200000001c366f08fd1936aee2d7e99de05c57c8245e37ca69ebb4aa262ba531d8e58e19000000000e8000000002000020000000a3984e47c8d6b8647828b7804440d764ead1019f0008a9f47d69b4ad30a36d1f900000003661e413e35b8568a6bc23c7c9f364afa92b010751d5a36e1088c6a69e2adcba416c177dd1976b98c2632820aaac3f01b628edb5c4e60a965d72dffa8b4d037622217a382b526dae4f3c45c9f95d7fabaa0ce2117f5d2ecd77f868a3751e89a78cc3871d1a0be3110799d2b50fbc969ca0d726eb6da0a2ff29d6187efac16a10a4ad25201124585038b74a5b17451d7740000000196e4645fc1c4275fe6a17e5653f5748e26b9a58525bd7a3b622be0cf0b3ec88b92ae012975a155797321ffc7d3c2be005657444b360a5cddb6e61498ce203b6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{79FC7291-8F3D-11EA-A1E3-76502A98C7F3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 906abd664a23d601	iexplore.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

go.exerundll32.exerundll32.exeiexplore.exe

description	pid	process	target process
PID 1832 wrote to memory of 1548	1832	go.exe	rundll32.exe
PID 1832 wrote to memory of 1548	1832	go.exe	rundll32.exe
PID 1832 wrote to memory of 1548	1832	go.exe	rundll32.exe
PID 1548 wrote to memory of 1924	1548	rundll32.exe	iexplore.exe
PID 1548 wrote to memory of 1924	1548	rundll32.exe	iexplore.exe
PID 1548 wrote to memory of 1924	1548	rundll32.exe	iexplore.exe
PID 1832 wrote to memory of 1880	1832	go.exe	rundll32.exe
PID 1832 wrote to memory of 1880	1832	go.exe	rundll32.exe
PID 1832 wrote to memory of 1880	1832	go.exe	rundll32.exe
PID 1880 wrote to memory of 1172	1880	rundll32.exe	NOTEPAD.EXE
PID 1880 wrote to memory of 1172	1880	rundll32.exe	NOTEPAD.EXE
PID 1880 wrote to memory of 1172	1880	rundll32.exe	NOTEPAD.EXE
PID 1924 wrote to memory of 108	1924	iexplore.exe	IEXPLORE.EXE
PID 1924 wrote to memory of 108	1924	iexplore.exe	IEXPLORE.EXE
PID 1924 wrote to memory of 108	1924	iexplore.exe	IEXPLORE.EXE
PID 1924 wrote to memory of 108	1924	iexplore.exe	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1924 iexplore.exe
1924 iexplore.exe
108 IEXPLORE.EXE
108 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1924 iexplore.exe

pid	process
1924	iexplore.exe
1924	iexplore.exe
108	IEXPLORE.EXE
108	IEXPLORE.EXE

pid	process
1924	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\go.exe
"C:\Users\Admin\AppData\Local\Temp\go.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler https://google.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
3⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:1924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2
4⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler C:\Users\Admin/Desktop/LEEME.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LEEME.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ntg0b04\imagestore.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SG0AOPG4.txt

Download Submit
C:\Users\Admin\Desktop\LEEME.txt

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads