2014765669161ed0941ef986598f07efda0a87c1862e85f3c54c5da3abd9a6bc

General

Target

at180dll_itmop.com/IT???_????.url
Size

392B
MD5

2c76b971ac9d6834deb20afe958c3094
SHA1

85784473713fe2b371a9042e23b730660d2197b6
SHA256

1579dcda6f1bc3d32f494c24482fcb222262f616575925cdd1fb4204216489cc
SHA512

707b665b1b31fa3369c12c0187ff4a198a51cbaccd0ec546b8df775516239b1afebaff9bd81cd8f503d8375cacb7ac5e2cbf180db3e0f532f7187308d1bab362

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "116"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "669"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "14103"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "94"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "119"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "361833401"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{88372EE1-EA94-11EC-BD3F-7E3B55B31640} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "94"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "108"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "669"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "682"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "35"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c0000000002000000000010660000000100002000000027c7b2fb73d8df2180079c4eddda7ea07d6b4dadc8cf1d213e0c59a926421333000000000e8000000002000020000000e28b8330c1bf3a15c85103e40802aaf42006c3680044a5c6eb119900f3be76d39000000093dca0bdaaa97ec7b1a0ade870866c946db3a71e9b61fb841395684ac2979c4551cf8ba9cff287bdbbcd4e956b7d120f75ae3dda4bf336a2e17157e9a37e0e2ffa0e37136e7945fe53fcad23a427b6cb6383cb6c579f6a624bbf7f2f1c43d7a965723d00b37894a4e1dbd773141c16174a412117b88859a37775677e544d0f782950335e82410c4884d92eddd5b0422f40000000766d665a63fc0eb87822beb41622ec0f43a0a3f8734cd4e6af8164b45b89c50e40a21809135902c31e0522deb7f4f01ff996da21e4b7ee2a4cb5df2efaf3e987	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "669"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c0000000002000000000010660000000100002000000028eb57ce9f3b9bb2d174f2798e975e815e6b0bf176f4ea1b71716ed6d8e8b68f000000000e8000000002000020000000c725b4c24045fab13f82881b5a4a81beda17be7d9044356205f415ffe3a3470920000000b203735da157664b450fc0251d150d81461f0abc9cdbcb9c6f7eb03f19ff790940000000ad06e3d41ade9c8e851375c1851f39dbc7102ee5f0b5cd305903b49249250e96901784016bea02c6e024029b679fc9800a3f7ac9e24278a45b28e23d85ceded1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "119"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "682"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "35"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "682"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "75"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "5"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "5"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "116"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "116"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "35"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "75"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "108"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "119"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "14103"	IEXPLORE.EXE

NTFS ADS 3 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\wwwE6AA.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\at180dll_itmop.com\IT________.url\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\at180dll_itmop.com\IT________.url:favicon	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEIEXPLORE.EXE

description	pid	process
Token: 33	748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	748	AUDIODG.EXE
Token: 33	748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	748	AUDIODG.EXE
Token: 33	1596	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	1596	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1888 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1888 iexplore.exe
1888 iexplore.exe
1596 IEXPLORE.EXE
1596 IEXPLORE.EXE
1596 IEXPLORE.EXE
1596 IEXPLORE.EXE

pid	process
1888	iexplore.exe

pid	process
1888	iexplore.exe
1888	iexplore.exe
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1888 wrote to memory of 1596	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1596	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1596	1888	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1596	1888	iexplore.exe	IEXPLORE.EXE

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\at180dll_itmop.com\IT________.url
1⤵
- Checks whether UAC is enabled
PID:2036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
310b25d6d5fa4583243453e5cb1d0f0f

SHA1
d842b86f5febb8baeb58a09a982d66a5f4cecafb

SHA256
6d6a06ce6e484656cf61331c588f5ae52dc56f0cab4e03b20e8d72bff6d57093

SHA512
ac01ab3012c808edc0c2ce222089cdb0c87e70e43838430496b21e058c5ac89e444c5ebf6754f770b6768fc575f859221317f5bb7f549c31bdc139f1996dc48f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1b4wh1e\imagestore.dat
Filesize
20KB

MD5
bf0af5c1c7c2bd3e163c1e476547b17f

SHA1
163fd5585bebc84242da116dc34f940a137df20c

SHA256
8539d306b6e21db36bd8b991096dd9cd53b27d399d10d6c9a9dc00f3a46547c5

SHA512
067f5e4b78d892e5cedaf44efb9e05106cec47475a06b8c8116206ce84d90a20331279b4250009d2b1b8a6cf8bc8272ced5dcff3ef59cdd849feeedb96688548

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HMV8J4R4.txt
Filesize
608B

MD5
845c3ce9d7f1708830f34ddd06e2f77e

SHA1
9b8a53bd8c29650fb96250092c0ccdb36fa8e5d9

SHA256
a356ca9e2414b984dcfa9274f2f35373ce051708e5bfe5dfcb55eb2a4fa8e12d

SHA512
a688f0425353addecda1f5a12599bb44d5eb7930c64f91021a2dd9b529ed4de45e878265ab13b044f9832f014f3c3f9148e1795935d05fe75d16043c9b5f1ea7

Download Submit
memory/2036-54-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/2036-55-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads