0d6870a3d1b27ae23c9e2c413fb2b367b69323ead81bf38524a54cc17e8a809b

Analysis

max time kernel
182s
max time network
266s
platform
windows7_x64
resource
win7-20220331-en
submitted
13-04-2022 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

onlinedocumentation.url
Size

61B
MD5

878dd1f05f73ef7c4701564992f85953
SHA1

6a761b0e64d50b36c70047c36efc24b88a6f71f5
SHA256

b6bd8bad56285a8317351e36c40986946d44ee6d1fce6e4d84c5e736079bc32c
SHA512

c8bb9f1e801f417d885c1013751c6b1a57e01c284a44be447892b99fcf700d096f2bacac87b2ca580a8a3417b8b730c4a79968355a0f1b747ae4a02940ec0a9c

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c000000000200000000001066000000010000200000009aea84f27a4435d1977664443069c3ac1148e8e3293a87dc8d53ef8bec88a509000000000e80000000020000200000005f92e35e696ccb14c6484f166e677000f77c2dd25ede901ff1d3f481c7dfb004200000007ddbd70ca397a98be0c22ce0fcb45d085a62e20d3da90b1c255303653495c64340000000f5f0da248656f304f84a1c17ade9bb4b60d66b69b8fedff56a5cbdc7a7e9c1fe2a04904865863e486d38c3bc3257b34c2313d245763cf6686bd49cd455a441ea	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356583374"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c00000000020000000000106600000001000020000000ed677688b6f5f0062d39a501207fb9b4201f881502de06dd9667121b695561cf000000000e80000000020000200000007d24dba97dab44265d0662f033b83df60cff42012de39ffcfd6c4788fc2a836390000000fd274203784ce0dd1962d2542a999d28cfcad1b6d50bd4a95f848215556b9f861a5f733e41df227592a8166ee779cb6713ad77d0fe251fb87a7c679cc246ee5e7106f5783b5d1e76503a35f7f06a74d883d39ea7cc82a74d5546f2daa87f18c51509e460f6c639302ff282c1eecd9ba76ff84c2e7f0e38d33258f6de6be3199999c78d7aebcaa8988b1a61cd5fae779c40000000237a56a8c8583e6c052cd7e03149a6c2b26043233641705b781ce51e6fb2e4f6e4884f14c9750ea2f5e5a2fb6578e7c6b6ed18613a231cc2977c45fbfbebd3c1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DCF251C1-BAD4-11EC-8834-5EAB9B0DB1FA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0b0cfbee14ed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

NTFS ADS 3 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\onlinedocumentation.url\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\onlinedocumentation.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\wwwB98.tmp\:favicon:$DATA	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

968 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

968 iexplore.exe
968 iexplore.exe
324 IEXPLORE.EXE
324 IEXPLORE.EXE
324 IEXPLORE.EXE
324 IEXPLORE.EXE

pid	process
968	iexplore.exe

pid	process
968	iexplore.exe
968	iexplore.exe
324	IEXPLORE.EXE
324	IEXPLORE.EXE
324	IEXPLORE.EXE
324	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 968 wrote to memory of 324	968	iexplore.exe	IEXPLORE.EXE
PID 968 wrote to memory of 324	968	iexplore.exe	IEXPLORE.EXE
PID 968 wrote to memory of 324	968	iexplore.exe	IEXPLORE.EXE
PID 968 wrote to memory of 324	968	iexplore.exe	IEXPLORE.EXE

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\onlinedocumentation.url
1⤵
- Checks whether UAC is enabled
PID:864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5c46ed3e5b0d6ffaaaadcdbfd51d4af6

SHA1
3991823a937f6c0fe144a1f9dfe0e38fb02d89c7

SHA256
c1004c2c5db4d2d1c3010c484c78ec61ec3444a902b00ff9404945fd03761c34

SHA512
6d03a8a04c3b8e2a82525918150fc82faadb338f43d10896941241ce01fea8fa1a0664db896fbf5ace9eccb09bb91172f7d709db5b6868006634fa578f5b2497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\b1rou5u\imagestore.dat
Filesize
11KB

MD5
f0b51af0e1eb18f5a976f85008a64e30

SHA1
4184740f898324087aaaaff84b29f6cf9657a2e9

SHA256
b4d2250d929e6c5265793bdf1e65c514b65a6711a925b7112b02cc21f72965ba

SHA512
9ad025d27651b97d5fd5856634a41b308f9fa0abf18407677ba4fee9dbd7e9524f772aa6525f66780ac820a2081c32ef2ac3e3769d991c1ee6b4456cdf668782

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0R4KDLBL.txt
Filesize
607B

MD5
e97a22bd4250ad7c979d885aa11cdf27

SHA1
5b82a41fbf1511e4db309280cc6c2fbae788a429

SHA256
7bec60bc24859b59d39856f99dca6f62b2d291dfde5e2420549d7966dc6d26e2

SHA512
7b279fbc3e198ddc1e6a938a39cb20eb9e93553920738d0695544099d2eef6912443f0708c7589b85567569b11f73fdec3e6a101a1a03a3f7f218a32a4c4808a

Download Submit
memory/864-54-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download
memory/864-55-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download