44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28

General

Target

44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28.exe
Size

2.7MB
MD5

8a87f92e03771c5a65892d7811517201
SHA1

76b7cc50978ff5bda8d26131e61245126da9d69d
SHA256

44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28
SHA512

a9b17ed97db9f7d5e2ed431662579540b1ab0654b32d67a55c553172d5df594c8c7eaaa31fc22a76d7970389b79f04230dad2c8e3c247e67f0c591c2ce8ed08b

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00ec87a2b92d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9145C711-FE1E-11EC-AA2F-C621D3E3FB96} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000a6acf8c17ba0591d53ccbd65b7516dfa0c3da0e4e81c7344e83449d22013c3f4000000000e8000000002000020000000a45dbc52ace1ce83b43944bb7485531579152eb8dbd7a4ee6eedd33bbed910619000000040458f9b00890ae57df693a4d917e04608e066286dddb251862f13c64835758932177defc975b79972a9103f07fd45a94c455fcec2c351ea7ce1dc25a1cb1c44fb1aaf0360c73872a6729a961204a4e56c361995b375086bc99e0facd82819474b7ed8aaf4ac36217b25e837dda2ce8a44af4db96c2af696fe768735d1eb117d6a6bfc00885c0fc6f382e77fdeb4905e40000000768147e0484865fb6a84b42882a2b9a9e14684c064e00c463d3937d11d2c64373fe31a89106766efdf972173b5c6aeea6cbf94bcf46b14993068eb132dd40594	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363981753"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000404818ec33b3724d387b87e448cd4b5c56105704b82daf153ea4628eee6b717b000000000e80000000020000200000009c01e88b332c84d892bbd63d3c3e8ffcfe0ec1952caafc0360631310ea874e5a200000003b2f851e466551c33f0b45b2352dc389270e6932eca1d409aba49402c0bfe701400000000b0747fc8e73c33f666cdd3f2fd48d2cabffa4a4c68776c188e8028c6bcd77c62f05f2d1fa154a9d77d7e1a315f8f662f2a803e0988244abfae982a488cffc26	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1948 iexplore.exe

pid	process
1948	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28.exeiexplore.exeIEXPLORE.EXE

pid	process
2024	44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28.exe
2024	44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28.exe
1948	iexplore.exe
1948	iexplore.exe
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1948 wrote to memory of 1628	1948	iexplore.exe	IEXPLORE.EXE
PID 1948 wrote to memory of 1628	1948	iexplore.exe	IEXPLORE.EXE
PID 1948 wrote to memory of 1628	1948	iexplore.exe	IEXPLORE.EXE
PID 1948 wrote to memory of 1628	1948	iexplore.exe	IEXPLORE.EXE
PID 1948 wrote to memory of 1628	1948	iexplore.exe	IEXPLORE.EXE
PID 1948 wrote to memory of 1628	1948	iexplore.exe	IEXPLORE.EXE
PID 1948 wrote to memory of 1628	1948	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28.exe
"C:\Users\Admin\AppData\Local\Temp\44ff5418d16dbb43f5a380a3eb93b3047168ac57115fd182ec1ba4a5849e7c28.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat

Filesize
5KB

MD5
d4b4cdb5e916070c3d6aa135def63f05

SHA1
869df67598f75fec68af7e33d1d001ca88af1661

SHA256
22260ed1c809e5bf7a7e50f93bb0cd5187790708a4d2b3fffcd2518d846e466c

SHA512
147055e035a9a2d7c4d96d618cbd46848aab067d2a03725cb69418a714b44a3d5a9dba65c1d8b22ad1793bf39c4f8029a8440e3a60ae0c185825452d7de93094

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FV32SIOJ.txt

Filesize
602B

MD5
c251566d3d6ce2a1969b17329e138f8e

SHA1
ef4ea8140c04449af81b4965556baeda63c262a1

SHA256
5fc614e0102edf5831bfa3e687b42eb975de77352280468c8f85e71b1f40bb8a

SHA512
d3d4c81213d97d347a471f870327332550326f1e1e1ff0d04c9eec9304b0a88b8edd940938dc51df0b8578f2478661821c50dada64cfb9ea5c01aba238a821c4

Download Submit
memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads