d638abd2e0c80c8ace2de8dc015b3a208916e6c4bd6a081a6fc2c09f8a77bc15

Analysis

max time kernel
4294203s
max time network
151s
platform
windows7_x64
resource
win7-20220310-en
submitted
23-03-2022 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "354837881"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90bce0cb013fd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CDCD1B20-AAF4-11EC-93A9-DE776D964FC9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e5000000000200000000001066000000010000200000003909c3fc26d1b250e776525fdc8202bea2766e86d5f49951e135eca16ee438d8000000000e80000000020000200000002028980020d29460e4e249973e95ba79fbca2b4b999c0ecd8cd13b6ebb8a4d47900000007e7c8429b9a3cbb7068815c5c3520bf13df63db7e9ebb65956ee371f21095a369a5e89f7e24b6e4104cdee73a0185eb4de7c62d7aa990cd64333e5b46b9d2269b14a8e2b0f2d683bc5e4e653d82ff85e66a43ef7bda6e4abfb19ce4593994037d8de051111f83af70d6cf3e131cb6b7c20e5fd80671835cfe6d3ca802c8340faa63ee22b7897a2e205b5a1da9d5808ca40000000c4e5985da664f600f8c4c653429f221c62d523dd8180b04c77aa47a8a9af337d07538f2227877748e963ee519ba15e82c357b8d9c481a99382f3ab0521b93692	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e50000000002000000000010660000000100002000000097c7300cd667569ebad87c48304fd99241ab66391c909df31ed3c49acb3e9142000000000e800000000200002000000061d4bd701fae3363fdbde1d3ace829e14de947fd2f03b106edd66904b9beed3e200000005e826e1d0d870c43af5375f45c2e123250167f29d1e7750fea3fa5b780b6864240000000de4788159ee77443446d419a5694ce1cccb4491070f7a8fe91de03b46a2941b7b001a8644f4ab2bc31eb6228f2e87ab747a869ceb55fb1a630f840da9d3909dd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
436	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
436	iexplore.exe
436	iexplore.exe
788	IEXPLORE.EXE
788	IEXPLORE.EXE
788	IEXPLORE.EXE
788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 752	1684	1.exe	28
PID 1684 wrote to memory of 752	1684	1.exe	28
PID 1684 wrote to memory of 752	1684	1.exe	28
PID 1684 wrote to memory of 752	1684	1.exe	28
PID 752 wrote to memory of 436	752	cmd.exe	30
PID 752 wrote to memory of 436	752	cmd.exe	30
PID 752 wrote to memory of 436	752	cmd.exe	30
PID 436 wrote to memory of 788	436	iexplore.exe	33
PID 436 wrote to memory of 788	436	iexplore.exe	33
PID 436 wrote to memory of 788	436	iexplore.exe	33
PID 436 wrote to memory of 788	436	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EA30.tmp\EA41.tmp\EA42.bat C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/2bB2s6
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:436 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EA30.tmp\EA41.tmp\EA42.bat

Filesize
49B

MD5
76688da2afa9352238f6016e6be4cb97

SHA1
36fd1260f078209c83e49e7daaee3a635167a60f

SHA256
e365685ea938b12790a195383434d825f46c41c80469ce11b9765305780bff7a

SHA512
34659bf4de5c2cbd7cdc7309a48880ac2e1f19e0a4da0c1d4cc45658a81f9f4e7a9293be48e853de812a6b94e1caa3356a715a1a0c14d37b7ae99ba5888bd1df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LEOVIYJY.txt

Filesize
608B

MD5
b2de67bb177af61709866debe79cd932

SHA1
4b7a510c0d7d270feb6676e5421288d90ed9b69c

SHA256
ad2a6242494b2debd2b1ea700788f60a3121a38bee11cf4ced665978d9bd7f0c

SHA512
106f0154eb94d9767b805ee460d46bd7570b595f57cbecafda923b8c3f2805262101ff4210e07d248b0f7a04261a511726e4597b541c25c9e8f3994a9433235d

Download Submit
memory/752-57-0x000007FEFB5A1000-0x000007FEFB5A3000-memory.dmp

Filesize
8KB

Download
memory/1684-54-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download