98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8

General

Target

98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe
Size

4.1MB
MD5

dd4004638b24f15362923c9c1e779f86
SHA1

056a8998cb5a878d0a0acd1cb97b05b919e56bfd
SHA256

98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8
SHA512

ebf24f770b1f29a057694ea267ca7a1ca97c798826d341687df2bbf7793c6c71d3826436593b9b31deea148ca14e7ed44842006840544ce58382dee79ab47d50

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2831391445"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960809"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0fac7b3a96cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043099a93b0a2dd41b22bfbb30670caee00000000020000000000106600000001000020000000c3e505c2f6d4f1770696105396591f5662a57f7f98e5e792092d33520a8674c9000000000e80000000020000200000008bc22cce94272d760127fe6069ac745cf9eebbce94ee7b1e1b056fe552baede52000000077ff701d9a7b7b02ea57100ffaca2ce0ff1684e9632e796318b6faa35d04bf524000000039db07d71bcbc9d3e2bf0ea290bd8874cd691dad3be73556f68f27656b8fb380ffe94844a9991bd06d21e0c9e07c5b202b8aadd561c8f8e8b6e6dbf5f4534ebe	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30960809"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359857837"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D138F9C2-D89C-11EC-A58B-F23C9496A3E7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960809"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00e95b4a96cd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2812485580"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2812485580"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043099a93b0a2dd41b22bfbb30670caee00000000020000000000106600000001000020000000bdf2340f7a5e68752769db0237c8ddc434a3802985f32942724c97b4b2ea65ac000000000e8000000002000020000000ba5b5f8dfb13df258eeb151e6939c43903493b5d3049eed85900be5ad0fd8d4720000000f26343dd3500442d092e7f759da42020d3208515475ebd93211749fa6fa31b9a400000007d5b1f587168d99f144d903fc45663278ff12736c4e97493c922af20e294886160c2c4534141f9c360cae31b702c0a57155b82fcdf5166dfd89f8e353f9785a4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3516 iexplore.exe

pid	process
3516	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exeiexplore.exeIEXPLORE.EXE

pid	process
2996	98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe
2996	98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe
3516	iexplore.exe
3516	iexplore.exe
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3516 wrote to memory of 1328	3516	iexplore.exe	IEXPLORE.EXE
PID 3516 wrote to memory of 1328	3516	iexplore.exe	IEXPLORE.EXE
PID 3516 wrote to memory of 1328	3516	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe
"C:\Users\Admin\AppData\Local\Temp\98785f9f46be062786928fa65c6eeb71b4d9ef271eb55b2bbefa7d3d1abe6bd8.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} -Embedding
1⤵
PID:224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3516 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
fa526918a211e850a6078fb1d00b2045

SHA1
75bad6b9476e0655e6a2947a682e81df689682f3

SHA256
396b94c667643afa59d155ef4d812da6f4d67dd50cec97194e1ca3a1b3ece3fe

SHA512
27a3e00ba0e478d8a79cbbd134ef7beaff7fde2fc57aecfaf022806af41c2a85183fda3e1abc2dec38d27a7f22960db3549721b8d821ea659a5592b430de1ed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
792d93d576a1dc5431907cb793c23042

SHA1
904ee332ce49ba77d7835611c1267a6036393a40

SHA256
8b74ca5be77f56b03a750d19c9d17e3401b2a688577bd3de7e68cc8e288f4e99

SHA512
e294f499f7c4b92f309a8e1cee5eec5b0908bf7378117a0fc75b8e134d7beda5d9df6db6ab6cf493047ebff54ec1ef3483b77a41fa836b8d0ee2f0ad8122100f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\a5473fd\imagestore.dat
Filesize
1KB

MD5
037f8fa4c1d58731141430800111a897

SHA1
7f0bcedb38f5b25bbd35805cdd639446791ac392

SHA256
e5c3db05629fb54fac2d4e5b0fcf9251c42e8b089fc50225f6b0e0271c1bba0a

SHA512
ff70e2b6dbccacc29e28c4e9a492dd91830d29b55bbd7f7de242aae22b1a0ea75642e1facaddd1bcd941d9bac145cb9313ec7497c50b57afa75d877ea1deb4b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AUYK2XVC\favicon[1].ico
Filesize
1KB

MD5
291530f9b085527ca937426337991f79

SHA1
67714f3578da3efbd612f757d041cd29a6c605a1

SHA256
b34cba01e546edc251e36544c5989aee04221f3f05db2edb51ba97a5b9b1cf7a

SHA512
6ca95e43157d197c095310c94a60d5051cac2da0c0c6c10f41301b8a3ef2dc94bcd4eae1cecf311a4d47666a470d74be8962d5ef6bf386af0acb300b42a38d5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads