30b040107c6934062082db4dd5e5988e6737f45dd00725065cbfb88b849ec05f

Analysis

max time kernel
24s
max time network
76s
platform
windows10_x64
resource
win10v20201028
submitted
01-12-2020 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
Size

374KB
MD5

43a864f4a0b4723600be5aa8eda46937
SHA1

cb62a60a015f913a27dd59ff465a31341d27a5bd
SHA256

30b040107c6934062082db4dd5e5988e6737f45dd00725065cbfb88b849ec05f
SHA512

d20ee3a96788d5d5250ba9c818ad9495630cd119cf055c0f2b2f12074b0c64fe2ee80be2cb02c6dad390404d28bd9ff8aa8e1558dc685621efaf3cf16eb4119c

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SlimCleanerPlus.exe

pid process

1136 SlimCleanerPlus.exe
Loads dropped DLL 3 IoCs

Processes:

productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exeRundll32.exe

pid process

4760 productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
4760 productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
808 Rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1136	SlimCleanerPlus.exe

pid	process
4760	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
4760	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
808	Rundll32.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

Processes:

productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B3808465-3421-11EB-BEBD-E625E128E840} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://hp.myway.com/productmanualsguide/ttab02/index.html?n=7868963A&p2=^CQW^xdm100^TTAB02^us&ptb=B0472A38-E8F6-4E08-8810-24437E5CCB06&si=1qa1&coid=ad89e6240e9a44989b04b561ca5d55ae"	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe

pid process

4760 productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
4760 productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1260 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1260 iexplore.exe
1260 iexplore.exe
1604 IEXPLORE.EXE
1604 IEXPLORE.EXE

pid	process
4760	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
4760	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe

pid	process
1260	iexplore.exe

pid	process
1260	iexplore.exe
1260	iexplore.exe
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exeiexplore.exe

description	pid	process	target process
PID 4760 wrote to memory of 808	4760	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe	Rundll32.exe
PID 4760 wrote to memory of 808	4760	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe	Rundll32.exe
PID 4760 wrote to memory of 808	4760	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe	Rundll32.exe
PID 4760 wrote to memory of 1136	4760	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe	SlimCleanerPlus.exe
PID 4760 wrote to memory of 1136	4760	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe	SlimCleanerPlus.exe
PID 4760 wrote to memory of 1136	4760	productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe	SlimCleanerPlus.exe
PID 1260 wrote to memory of 1604	1260	iexplore.exe	IEXPLORE.EXE
PID 1260 wrote to memory of 1604	1260	iexplore.exe	IEXPLORE.EXE
PID 1260 wrote to memory of 1604	1260	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe
"C:\Users\Admin\AppData\Local\Temp\productmanualsguide.ad89e6240e9a44989b04b561ca5d55ae.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\Rundll32.exe
"Rundll32.exe" "C:\Users\Admin\AppData\Local\ProductManualsGuideTooltab\TooltabExtension.dll",A -hp=https://hp.myway.com/productmanualsguide/ttab02/index.html -ua="(Windows NT 10.0; Win64; MSIE 11.0; Build 15063; SP 0)" -ul=https://anx.mindspark.com/anx.gif?anxa=%251&anxe=%252&anxt=B0472A38-E8F6-4E08-8810-24437E5CCB06&anxtv=2.8.1.1000&anxp=^CQW^xdm100^TTAB02^us&anxsi=1qa1&anxv=%253&anxd=2020-12-01&anxr=%254 -hu=SHOW
2⤵
- Loads dropped DLL
PID:808

C:\Users\Admin\AppData\Local\Temp\nsz5ED0.tmp\SlimCleanerPlus.exe
SI_MODE=toaster SI_DELAY=60 SI_LAUNCH=onreboot @P2_ORIGIN=^CQW^xdm100^TTAB02^us @P2=^SW2^xdm110 @UL_STUBID=ad89e6240e9a44989b04b561ca5d55ae
2⤵
- Executes dropped EXE
PID:1136

C:\Users\Admin\AppData\Local\Temp\DriverUpdate-setup.exe
"C:\Users\Admin\AppData\Local\Temp\DriverUpdate-setup.exe" SI_DELAY=60 SI_LAUNCH=onreboot
3⤵
PID:2728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:82948 /prefetch:2
2⤵
PID:2264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:82957 /prefetch:2
2⤵
PID:3336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8C2DCEDC56E0713BF463734BA647E7FF
MD5
22fad5c15c2378ca7221cf5efec41353

SHA1
938ce3b1c184aa0e44b9884b55d7343b4ad8d8df

SHA256
e2f6df91f8aa465cdea0fc716a59c42a5689c87f46c4428e0244bd2096b1325c

SHA512
d0ad6d571020775be35e4df5300207cd453ca9b4b88b9789c6d66b74efea95076589ec21dde2816339734346c13305b1fa047abe2590f613f58ebd3f474c74a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
e8eea94d634dd4c9d83e55954cc85684

SHA1
0d99a5010f82a931bbf19a9431aed229c8942ae1

SHA256
8a692c32413df3a8d9fb9958597aacdff0f2c40e94bf8fddbfaa9950dd7a5841

SHA512
4366aa3b4190995bb2e7e64e01184cfbaf1fa77e4d18bc45dac0b5db25e265b40e1f1391c3250cf8bedc8d91c49acb8b65c78320b06bdcca58df4385d79ee96d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CEC145671AAF29B13C9D55336F4C7CF7
MD5
81116ad91c4ed74368c9d2653205ad41

SHA1
e59db6c7eacc11da6fcbda7577b7619ab0bd47a4

SHA256
68864ecc8a522d7a58b53a13af432b478581a74eb583b88f202fee1ff085186d

SHA512
0434fa3c3164f9d32f2ef9c0a6eca823882f3c3fb7f0a721328685ab02061ac11b848319b23e98ded42212197b2af64a70b5004d2c37a00b08e573386bacbaf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
cee3eca059c16d07a19aa566025c712b

SHA1
e39b0cce22e69557a89695f855a05ee943a520f9

SHA256
68f590ac54e33ca75e800fddffd7cbda704130b8c9526ae4fe50418ee207de96

SHA512
a9988b9b3d36e240d3422cd6361615fc0eed769275c4e5c85f257cc81605b6af43db019d08253057e111dbcda49fab3a74248c75ed3245320afd56aeb8f81fa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
28b08fd2cdd43226b1e1a142f2d5de59

SHA1
541b8118d0df9e22d838d447490a26fc2b004d6a

SHA256
ceeb15b5e7c14cb3bbd8d726bb729c10d225002f947a80b190f11f6bc1388e6c

SHA512
5ffd917c65cb9e352ab7df2ee517da7ac3f06f1636ff462424c842ec68edb4545a1c76d567d862d0145aa77d75fc8cd424b67545e67ef8ea92e5b271ddf5f2ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CEC145671AAF29B13C9D55336F4C7CF7
MD5
a8d82846d5eb2f10c58dd8440ba698a8

SHA1
5017ed24fcc917fa30281bf85a7568caf109c536

SHA256
775583a26d24304b489401be546cbeeb0f92cfeb4aa01c2ed9a0dcd9bc96f21f

SHA512
252e11c1bf9afe3f5cf02970985027ca292002b3c5c3e3647e82c0d49edf6d7246160f992a828d9e1df6c77a4634240ce4f031f0e799e5fc5680a4de5193b5e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
6621741d297a0de8302f9bc3d36b24f0

SHA1
490328ec7a4adc06a4761fad6711d771c757018b

SHA256
050ea73f30c09b3e115a23be4fc6bfcb44b0bbc694f30f61b5ff83c4490e76cc

SHA512
5864ec83b43917541f82fc3457b3ba8a0befee825da5f800988322e567f14299acc4f68cebc42c98ee4aae22026a6c8fe29d45d96484f0e1b048831fd47b713f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\5H1L9A5A.cookie
MD5
26ee84dba5a4d6fce993909558fb59ad

SHA1
6932fea2ff7290378a3e0f84ade72311cede43ac

SHA256
5760f640c3fe6f2cb01b7ded5ef9e7a461aa8929711d79b598b9096a4ccf1906

SHA512
6fd71c8bc54624f0d2a91a09a8b8d571884e9072635cc2f13d1413ab80554d1b0a52920d2f9cc224d15b005fb94dac06257d0ca4756b1eea5c30d50b9dc62529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9TKTCD88.cookie
MD5
b6886078c38839bf497599041babca2c

SHA1
dcb1d3d1fc9fa354e838d19bc73166ec97837acc

SHA256
f800be0b11b343c3a6421bb06229fcdfb6004ebc8654e4ddcb7e79b2240a18de

SHA512
c2460261500a46fc018a4754242f2fa116f4b237cbe3209d9d2a0b95fe2ee8f9bc3c7787c3ea6b26c145558871aea0929ad0b22300b6102c8160df3a67d97faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OTJ8XFGL.cookie
MD5
e09907cda06982e8870b7f2a2f418224

SHA1
948a20ec438e08c430039bd9e9fe8352d89fbd87

SHA256
5b5e8e54d1f25d7a683f3fe1e04cd58c55a1bf18fb799cc25a247eb76efde203

SHA512
14ed24d3626c8e9e4e289e9e246040664bba9b642c280dfaa38a8db0a23934c156efe7da46b14063b901dabd7434c0fce191cebffa497de7cfa35d5e5cd79b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RGNMM1K1.cookie
MD5
b79c46ad8586280abae24a1dd8849193

SHA1
26a8dc5363ad8f3cd718399b6feffa944890f06d

SHA256
616cbce699c0eee5105642876e069375b88e4aebcf71a291f1645c80a4504052

SHA512
0b3f1c92b2dbc57dd1da920c137420ebb1fdcbff099f0c2ac8a8793253d5cc2e9b0f5f368da932cb9e56f85c3dd48cc70b0d0f84d4b7e30dcc3ed927962c59d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\XS2EZ6PN.cookie
MD5
0bcabb5829fe436341971e3c317f2469

SHA1
bd26e8947305ddfb1d030a1ff3790e432b60d897

SHA256
c0e3fa473826f2a51bada18a5e96527160746ff7cf6bfbe569126d28b3296c9e

SHA512
378a6d38f54fa97abf73de4db4cbead539ab5de1f6a36a78f08b0c221a1a27707ca041ca0d8aef541336f9b409030f26c23d89c23dde730c56ce4dfcc9d60d16

Download Submit
C:\Users\Admin\AppData\Local\ProductManualsGuideTooltab\TooltabExtension.dll
MD5
bc960383d1656e444bb0037a74bd5185

SHA1
64f5f422ecf4356dc28ac94fbe39d3337d6f658f

SHA256
8a9ce7852f05b574249e4f671d155297632aa563dd26b79695120801ac97e1fc

SHA512
91345f87d87c6688ea3ccf48657c1c8fc60daf9500139c0cdcbc36af842880bb363d434eeb5c37cf7e322cf7ed890a9327217fe0d31ca1de34dd8ec0683091ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DriverUpdate-setup.exe
MD5
4a180837a36ac67415d38392b6e0d5e2

SHA1
824cad0006d30d819d0916fcbac0939aab8dcd58

SHA256
9eaf9f50ee00d7448fd41c1f569f272d9c275425c7699fbab2ca09402ad3b948

SHA512
60be8338d32e13b01b0f996f55c2231be83fd221d8ed5964a91834af6c724e06c64de1547630174e965f886023d2c257c703afd60926c80e24380713fac0d80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DriverUpdate-setup.exe
MD5
3ee7c8cb8774953089b5cac9216aca35

SHA1
8b70db2491309141440d720832886d5f0118d957

SHA256
89ffec8919dbe1689b3595660c12754f3d4ea503d62c91269db447992e7acb2b

SHA512
3cc235b2753291879b13a4f1a4c33cc2e32f1623fc2d85b86c78ccb1834d3efc1abefa3520f964b3cacc5637faa50d013cc3c297bb101109b117947368b5080a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz5ED0.tmp\SlimCleanerPlus.exe
MD5
69484c39e6aa358b57617b6e6e300d5a

SHA1
f9665fae82d5f02250b25825e36de974593623f3

SHA256
7177c05a6f7a7759098d5f94b67a8a5c168a4718f5ac04bd4743bf34d1af8945

SHA512
0e7ee6f2243edf62d4af0b7bd034080d3a4c4d56e0efe44888ff097906479a13936dfed53b037d129f0785857560ed89ce97ad0d64d41306e71a5dd4e1a17f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz5ED0.tmp\SlimCleanerPlus.exe
MD5
69484c39e6aa358b57617b6e6e300d5a

SHA1
f9665fae82d5f02250b25825e36de974593623f3

SHA256
7177c05a6f7a7759098d5f94b67a8a5c168a4718f5ac04bd4743bf34d1af8945

SHA512
0e7ee6f2243edf62d4af0b7bd034080d3a4c4d56e0efe44888ff097906479a13936dfed53b037d129f0785857560ed89ce97ad0d64d41306e71a5dd4e1a17f06

Download Submit
\Users\Admin\AppData\Local\ProductManualsGuideTooltab\TooltabExtension.dll
MD5
bc960383d1656e444bb0037a74bd5185

SHA1
64f5f422ecf4356dc28ac94fbe39d3337d6f658f

SHA256
8a9ce7852f05b574249e4f671d155297632aa563dd26b79695120801ac97e1fc

SHA512
91345f87d87c6688ea3ccf48657c1c8fc60daf9500139c0cdcbc36af842880bb363d434eeb5c37cf7e322cf7ed890a9327217fe0d31ca1de34dd8ec0683091ca

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5ED0.tmp\System.dll
MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
\Users\Admin\AppData\Local\Temp\nsz5ED0.tmp\nsDialogs.dll
MD5
069a101bebdfb14e86993cf75b84daae

SHA1
37d0cbdea012a7a6811162465d77d4fe7355fc6f

SHA256
83207332e588690d6df3c0a50325c943e6fcc51a4af0ab74e357bd94c99c29b8

SHA512
3a03ab6bfc5bd766b252583fceb1aedc0a7ec967af38d453740f088b3a979ac006016c010ecd51d49c617adfa927310cd84bd7bf14919f2867f71961763530da

Download Submit
memory/808-4-0x0000000000000000-mapping.dmp

Download
memory/1136-7-0x0000000000000000-mapping.dmp

Download
memory/1604-9-0x0000000000000000-mapping.dmp

Download
memory/2264-10-0x0000000000000000-mapping.dmp

Download
memory/2728-14-0x0000000000000000-mapping.dmp

Download
memory/3336-23-0x0000000000000000-mapping.dmp

Download