52a48acf59027468c7f859b78c51196e42b47c9e65d17466ff1995f71a6cff91

General

Target

iview456_x64_setup.exe
Size

3.7MB
MD5

a6c1653bdb69aaf72198794e2000f5f1
SHA1

ce73fcf0f88cb56dea79ba643784461a97068bfc
SHA256

52a48acf59027468c7f859b78c51196e42b47c9e65d17466ff1995f71a6cff91
SHA512

68592719c7d98c53d13f9225d7d35f472662e289dab3e9015dfb2d4ac51c18006896ccc3f3fb7829a15377cf9e0a7f55fdd9f4f0efc7a38d0f32c9ab43b469ae

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

i_view64.exe

pid process

4376 i_view64.exe

pid	process
4376	i_view64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iview456_x64_setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	iview456_x64_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 69 IoCs

Processes:

iview456_x64_setup.exe

description	ioc	process
File created	C:\Program Files\IrfanView\Toolbars\gnome-colors-wise_32.txt	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Icons.dll	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Effects.dll	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\i_options.txt	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\iv_uninstall.exe	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭琯畨扭慮汩⹳瑨汭	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\frame.html	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳汓摩獥潨⹷硥e	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳晅敦瑣⹳汤le	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Paint.dll	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Languages\IP_Deutsch.lng	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳楷敳㍟⸲湰g	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭猯楬敤桳睯栮浴le	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\Samuel_16.png	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳潔汯⹳汤l档氮杮	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Stub_Plugin.exe	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Languages\Deutsch.dll	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳楖敤⹯汤l꼕h	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\癩畟楮獮慴汬攮數氀le	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\Samuel_16.txt	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\gnome-colors-human_48.txt	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳灊彧牴湡晳牯⹭汤l㍟⸲硴t	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩档湡敧⹳硴t⹳汤le	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\i_view32.chm	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳畨慭彮㠴瀮杮	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳瑓扵偟畬楧⹮硥el㍟⸲硴t	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\gnome-colors-wise_32.png	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩楶睥㐶攮數攀挭汯牯⵳楷敳㍟⸲硴t	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Video.dll	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩扡畯⹴硴t瑣⹳汤le	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩慬杮慵敧⹳硴t汤le	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩汰杵湩⹳硴tt汤le	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩楶睥㈳挮浨洀l瑨汭	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲䜯潲扳牥彧㐲瀮杮翹	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Jpg_transform.dll	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\copy_files.txt	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭振灯役楦敬⹳硴tlel㍟⸲硴t	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳捌獭搮汬⸀硴tel㍟⸲硴t	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳敒楧湯慃瑰牵⹥汤l翹	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\慌杮慵敧⽳敄瑵捳⹨汤lel㍟⸲硴t	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\i_view64.ini	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲䜯潲扳牥彧㐲琮瑸翹	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳敍慴慤慴搮汬⸀汤l㍟⸲硴t	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\slideshow.html	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\慌杮慵敧⽳偉䑟略獴档氮杮	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Tools.dll	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲术潮敭挭汯牯⵳畨慭彮㠴琮瑸	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\i_languages.txt	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Html\thumbnails.html	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\瑈汭是慲敭栮浴l瑨汭	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\i_view64.exe	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Metadata.dll	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳捉湯⹳汤l꼕h	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\彩灯楴湯⹳硴tt汤le	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲匯浡敵彬㘱瀮杮	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\Grosberg_24.txt	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\RegionCapture.dll	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\gnome-colors-human_48.png	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\潔汯慢獲匯浡敵彬㘱琮瑸	iview456_x64_setup.exe
File opened for modification	C:\Program Files\IrfanView\汐杵湩⽳慐湩⹴汤l琮瑸	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Plugins\Lcms.dll	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\#readme_zip_users.txt	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\i_plugins.txt	iview456_x64_setup.exe
File created	C:\Program Files\IrfanView\Toolbars\Grosberg_24.png	iview456_x64_setup.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Modifies Control Panel 1 IoCs
evasion

Processes:

MicrosoftEdge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors MicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 732 IoCs

Processes:

iview456_x64_setup.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.bmp\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pcd	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pcx\shell\open\command	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.rle\shell\open	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.swf\shell\open\command	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mpe\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\i_view64.exe\shell	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.crw	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.iff\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mov	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wav\shell\open\command	iview456_x64_setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.djvu\ = "IrfanView DJVU File"	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.gif\shell	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jpm\DefaultIcon	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.rle\shell	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wbmp\shell\open	iview456_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4731fb1d1ec6d601	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jpm\shell\open\command	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pbm\shell\open	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pcd\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wmf	iview456_x64_setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f4e3cd1d1ec6d601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dds\shell	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.djvu\shell	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jpg\ = "IrfanView JPG File"	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wbmp	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.rmi\shell\open\command	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.xbm\shell\open	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.xpm\shell	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.aif\shell	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView\shell	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.hdp\ = "IrfanView HDP File"	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.jls\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pcx\shell\open	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.png\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.flv\ = "IrfanView FLV File"	iview456_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{53538AE9-0F58-4F5A-879C-B1B164C7D182}"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dcm\shell\open	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.dds\ = "IrfanView DDS File"	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pcd\DefaultIcon	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.aif\ = "IrfanView AIF File"	iview456_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pbm\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pcd\shell\open	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.tga\DefaultIcon\ = "C:\\Program Files\\IrfanView\\i_view64.exe,0"	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.avi\ = "IrfanView AVI File"	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.wav\DefaultIcon	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Browse with &IrfanView\ = "Browse with &IrfanView"	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.b3d	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.clp\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.gif\shell\open\command	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mng\shell\open\command\ = "\"C:\\Program Files\\IrfanView\\i_view64.exe\" \"%1\""	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.pgm\shell	iview456_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.bmp\ = "IrfanView BMP File"	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.ecw\shell\open	iview456_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IrfanView.mng\shell\open	iview456_x64_setup.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4432 MicrosoftEdgeCP.exe

pid	process
4432	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	1528	MicrosoftEdge.exe
Token: SeDebugPrivilege	1528	MicrosoftEdge.exe
Token: SeDebugPrivilege	1528	MicrosoftEdge.exe
Token: SeDebugPrivilege	1528	MicrosoftEdge.exe
Token: SeDebugPrivilege	2300	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2300	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2300	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2300	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1528	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

i_view64.exe

pid process

4376 i_view64.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

iview456_x64_setup.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4636 iview456_x64_setup.exe
4636 iview456_x64_setup.exe
1528 MicrosoftEdge.exe
4432 MicrosoftEdgeCP.exe
4432 MicrosoftEdgeCP.exe

pid	process
4376	i_view64.exe

pid	process
4636	iview456_x64_setup.exe
4636	iview456_x64_setup.exe
1528	MicrosoftEdge.exe
4432	MicrosoftEdgeCP.exe
4432	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

iview456_x64_setup.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 4636 wrote to memory of 4376	4636	iview456_x64_setup.exe	i_view64.exe
PID 4636 wrote to memory of 4376	4636	iview456_x64_setup.exe	i_view64.exe
PID 4432 wrote to memory of 2300	4432	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4432 wrote to memory of 2300	4432	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4432 wrote to memory of 2300	4432	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4432 wrote to memory of 2300	4432	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4432 wrote to memory of 2300	4432	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4432 wrote to memory of 2300	4432	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4432 wrote to memory of 2300	4432	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\iview456_x64_setup.exe
"C:\Users\Admin\AppData\Local\Temp\iview456_x64_setup.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636

C:\Program Files\IrfanView\i_view64.exe
"C:\Program Files\IrfanView\i_view64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\IrfanView\Toolbars\Samuel_16.png
MD5
49b9e25c8f622c2344e00665a40aed59

SHA1
5f977c67185297c2ed29c0ca32230e4f4ace7555

SHA256
07a1b34d2a6e259a515d179caa01df67e7a2ded0522919df80abb6281e73a4cd

SHA512
0c771762ae53ac8e610e2b1f58920c683fa8167c546eb99b37e055b10daafb347e4bcc91c00aecb5d8d4b2122437f4e8f99014f91acfc19d8922a4458dd4b47c

Download Submit
C:\Program Files\IrfanView\i_view64.exe
MD5
ad5fafa2f5af3e8cc61ed221d36a3241

SHA1
b9c013048d989a1a0fcf6da79d5247c96e93dfe4

SHA256
2eb7144c44db31c0ee0c4392afef4f7c8dbece3c81b3835fb8d414a66615311a

SHA512
7edaf5ba92715a044516f999a02e72b5990f69f84e7460ea63dae729b1e5292855aa4e45738f0dfd5e9b7ec87f50689c55c53cf19d3b4975e7e06751f4950541

Download Submit
C:\Program Files\IrfanView\i_view64.exe
MD5
ad5fafa2f5af3e8cc61ed221d36a3241

SHA1
b9c013048d989a1a0fcf6da79d5247c96e93dfe4

SHA256
2eb7144c44db31c0ee0c4392afef4f7c8dbece3c81b3835fb8d414a66615311a

SHA512
7edaf5ba92715a044516f999a02e72b5990f69f84e7460ea63dae729b1e5292855aa4e45738f0dfd5e9b7ec87f50689c55c53cf19d3b4975e7e06751f4950541

Download Submit
C:\Program Files\IrfanView\i_view64.ini
MD5
25a92f802d3ffd5519f7dab35c0aec3f

SHA1
dcbf6d35f41452515fa4a0402da6a8fd89bc0ac0

SHA256
668c0ba227f3b0c95419dbb9328311961346dfa42ab17da4f13e9777ddecf58a

SHA512
0928c2c9dc3136a83d90598afb5b51887950a671dd23e34a7a6a4ac5fa5c3497e13d00fe39527f13e2e9ef9088d2c7553a682589f5ac70e7cb593376276e2427

Download Submit
C:\Users\Admin\AppData\Roaming\IrfanView\i_view64.ini
MD5
514b9ecbdc05d377276528ea232c4df0

SHA1
6641e509e2d5e54ea50f93e4256470cd61925a65

SHA256
d317839a5b34985617a3069c469f5b1e0f8ba1bdd149268371919d42b2e7e09b

SHA512
42e5c248f186efb053ebbe835dba1ce37cbc8a81ab7179b9d19f63d728bc803cb0105bb6b8589dadec3719c75bf70704bbce3a121eb87a92f9abd215a475b9bc

Download Submit
memory/4376-3-0x0000000000000000-mapping.dmp

Download
memory/4376-8-0x0000011654BD0000-0x0000011654BD1000-memory.dmp

Filesize
4KB

Download
memory/4636-2-0x0000019338D80000-0x0000019338E81000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads