9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5

General

Target

9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5.exe
Size

552KB
MD5

d38579402cd392fcf267654b9f18f663
SHA1

c85f52559ffa3ba902a164f85a9c770d6b49da98
SHA256

9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5
SHA512

294add7ec0d57e57578a2b2eb06d492d69fde0e6a68d9c22ea66df7198d4f13925e063d83c9d70c6cc9674945177f73cb4676b326f13e96f06a09e59a3e1497a

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "353839098"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc000000000200000000001066000000010000200000002fc07204cd8bb85e8977d7516e6ee6e8465d4eecefcfcea71a51d106af580ee5000000000e80000000020000200000009ec556be987fda71e765670b1b755ddb6930ea0bd528dd2ae3f884c53b6f7bfd20000000bd9f7b41b9d5c6853ca68824777cea118953f8d5f4da348f245ac42f6f43181640000000af9e99679b4d53d7655053b0258a6531b10b8e47ca8b7f88b169954d14e2e27353283ef06fe0083245a03accaa8104b5c73bbaa659079ac6b09afcdf5f7c7e65	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80706b34ec35d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc000000000200000000001066000000010000200000003b358f926f2c4fc80e40131a3899124ef6deb178b6f5fbc98a08ee88138b8ff6000000000e80000000020000200000005b1cb489577fe217d327c4dd7684667128853a5a185e04e0084baf05b3c85133900000001b9d72ef4e714565493138ee003c74aced25e4dc3954f92ffc50d56a275186dc631f0e6780604315e56312d7d3880673f11b4661f9aa7238ca1d11e4117461392a8ca5798f5c884d68b51c802ca16a370e6422a83eb3113955daf5f591a7a96e50ea5e403a71e831e26c0070cefa914d76cba5da31faf83697407092278e424a68d42b8b29ea7f9149d911c0ba4acce240000000c0ee9059ada24f9be3ee2361d8b56429c3fb317c8251a2a70b6884764a0c66e32e1fd7bd80ff4c9f1ffe54289f2fbf922282236670b7a45126311d5e3e272629	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5BE29671-A1DF-11EC-AB39-466BF239C3DA} = "0"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1952 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1952 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1952 iexplore.exe
1952 iexplore.exe
888 IEXPLORE.EXE
888 IEXPLORE.EXE
888 IEXPLORE.EXE
888 IEXPLORE.EXE

pid	process
1952	iexplore.exe

pid	process
1952	iexplore.exe

pid	process
1952	iexplore.exe
1952	iexplore.exe
888	IEXPLORE.EXE
888	IEXPLORE.EXE
888	IEXPLORE.EXE
888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5.exeiexplore.exe

description	pid	process	target process
PID 1040 wrote to memory of 1952	1040	9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5.exe	iexplore.exe
PID 1040 wrote to memory of 1952	1040	9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5.exe	iexplore.exe
PID 1040 wrote to memory of 1952	1040	9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5.exe	iexplore.exe
PID 1040 wrote to memory of 1952	1040	9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5.exe	iexplore.exe
PID 1952 wrote to memory of 888	1952	iexplore.exe	IEXPLORE.EXE
PID 1952 wrote to memory of 888	1952	iexplore.exe	IEXPLORE.EXE
PID 1952 wrote to memory of 888	1952	iexplore.exe	IEXPLORE.EXE
PID 1952 wrote to memory of 888	1952	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5.exe
"C:\Users\Admin\AppData\Local\Temp\9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9321f161ad77d7aceacdfac498ee2f65dd2ef6dce819908bb44c424d406e9bb5.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
676786189c96a6f7a9e2d33f4cc7bb9f

SHA1
632223cca257a5d50427e5906635f51a6062f9f0

SHA256
38411015ac1e71f4ac2b837df553a44e2d9fc955f7abc801f1de046a8e573e8c

SHA512
806b57c46efe92184a8c4c39b4d5a71637702094c37767b9c6d5f7c62ae48bcd7aa67cd108295be946afba37695f7b4263a446adc63d7b338b2674aa1fe243aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\shpg9mq\imagestore.dat

MD5
0257a0ad046dedc5d8d58cb67ec913d4

SHA1
fd9baf892dcd47027b3b1397c0c83cf0ce86c86f

SHA256
15f4b90ee50dad23e20b17856bda4f8ab7b751f616a32124d4d96b5ac9d29744

SHA512
46ed85aa4c77e2e288cd3959ac8de51d2b942c64e8b8ddcb6053995369468b903ef1ab8703d21cd3a4e8c712bae7fde561562ce775c01d3d01fed46fc8b4d853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W3GKNKJC.txt

MD5
bd81ae3a885028760fde91a6dc91217e

SHA1
f591338af18459814ef479ba162eb118f38d255a

SHA256
a8b1362dfc768d7a711964a2c9835471dce5f73b8aa744ec60a6d36eb50c4edc

SHA512
022471b7d811835e8203ea0ac3d948951b64461c6ec7f5969b39bbf205650accc2e69225828e38ddb5ef7a8c5e7dcc77b6b5495547557ec64cc8a9e4afa67dd1

Download Submit
memory/1040-54-0x0000000075E61000-0x0000000075E63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing