98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8

General

Target

98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe
Size

4.1MB
MD5

dd4004638b24f15362923c9c1e779f86
SHA1

056a8998cb5a878d0a0acd1cb97b05b919e56bfd
SHA256

98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8
SHA512

ebf24f770b1f29a057694ea267ca7a1ca97c798826d341687df2bbf7793c6c71d3826436593b9b31deea148ca14e7ed44842006840544ce58382dee79ab47d50

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b000000000200000000001066000000010000200000007173df5b956f05b8e1d2085cee0bf7ab07fc051b18c505cfaf5d6546abe0e059000000000e8000000002000020000000f9b94bd5da3a245440e7aabe287c0f65b8252d2bd8810f48fe28957cf3bf5985200000002b4cdda76eb65988109bd961ab04ee121ea8ea01905f6ef97e8479c4975d41c540000000cbf4ac96fdc750194aa6a172db21dad6afb575f66ebe6ec09905030b904ab0d7c81f54c869ab51acc48c5e07efe66287223d4c2ae243dce11e82544345a70284	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1F18B81-D88B-11EC-AB75-7E3B55B31640} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50fb88c4986cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b000000000200000000001066000000010000200000003d4df939ad207bf7b1803cb7438e2d5f0599a73ca48eb6fa4396e7d11430c9a4000000000e8000000002000020000000cc1ae9067795005f0f7c97ec28a884ad3df22176ea15abb5d2456f518204a6cf9000000041e74454a938be1bdedb21e7bec887b2ec029b9d99d70ab4f7b333a348c655568a21a2c7b7d7280a425f89d6a86812c997b8fc7aaa872fd1faa9097ddc8a1160c3ef8e8c8046238dd940515307c2b746b46af70cd0a78721398846f4fc772299eb26498e1898abf69a44d1853a9054d8bf8f7b579ceef7ddd874c58128e579ae27923a95026b6779152284f3b18af23d400000000ceaa5166c101d2abc24cace0a7598950e5eeec76bca265dffd4f509058757f4a50d43a1007c6b99432bbca43364e99ae73c5e6e26b95afec9f85486d091df99	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359850560"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

600 iexplore.exe

pid	process
600	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exeiexplore.exeIEXPLORE.EXE

pid	process
560	98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe
560	98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe
600	iexplore.exe
600	iexplore.exe
1476	IEXPLORE.EXE
1476	IEXPLORE.EXE
1476	IEXPLORE.EXE
1476	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 600 wrote to memory of 1476	600	iexplore.exe	IEXPLORE.EXE
PID 600 wrote to memory of 1476	600	iexplore.exe	IEXPLORE.EXE
PID 600 wrote to memory of 1476	600	iexplore.exe	IEXPLORE.EXE
PID 600 wrote to memory of 1476	600	iexplore.exe	IEXPLORE.EXE
PID 600 wrote to memory of 1476	600	iexplore.exe	IEXPLORE.EXE
PID 600 wrote to memory of 1476	600	iexplore.exe	IEXPLORE.EXE
PID 600 wrote to memory of 1476	600	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe
"C:\Users\Admin\AppData\Local\Temp\98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:600

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:600 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
Filesize
5KB

MD5
96a5b4b7462623727f2997d675a92f4c

SHA1
409af4f5e7b6696d470b5bce4fde970c69a8c238

SHA256
ce9174d87a4dcd1ce0efdb49ab5a2aa8fbacaf5a93185e3df59128fd734781a1

SHA512
e14207974083a017094695d68d44b8cd56ac386e62f2fd9bdc81f6869cf0a88e97301b57f3f07819f39afcb85c5a73bf0d34c21a8ae69f2236f6a492ef42a81b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Y5BXLG21.txt
Filesize
606B

MD5
f04683224012d63bea0fb7fa568545cd

SHA1
d04556c55f98bc6b4e27402bdc0fc55c3f5ff6b3

SHA256
a5daceb23e76c488d7b4ed0ad5aedff088d195dea0639f2055ec8cd769749206

SHA512
e433399350ad4f79097158182bfbe9f29682732e6daea7a26245c55652a87bdf1a8960f85bd92d2f4e2233514caded8b982ce4c708f277658558b00ecdb214ec

Download Submit
memory/560-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads