537b464463db98847e22ff6a54a743a5b18936ae70fb3ce30b68fd99608fc925

General

Target

hxjyxichaofz_fr/4399????????V0.0.1???/??????.url
Size

219B
MD5

122e953f3a92541c27cc62db2d9bb0f7
SHA1

5c85d98b4bce0daac9631297ddb00b005161d131
SHA256

5bf9390d32df4da5ddb91425fc5002768a85305964a8e0cb8eda391b4b6511dd
SHA512

77240964186d2e9c9c73ed6bf13edccaeb40c0d8cbf477080c9a40a76d044964330e97421e4b45818bfbb2688e6bfaf6720a52f2efdd3b944f3624b1b5767583

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7072f8407f99d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5494A601-0572-11ED-821F-66578E127779} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "364787401"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007647cecb75a30445a6fd9fb68eba542700000000020000000000106600000001000020000000214ddd4b8f3aeeff3aae708d357888133e235bb54f24078137f14c41132620ba000000000e8000000002000020000000b280cf0a947ead2a0881fd1f2e91c7be6f6448c18b398ffa0e47bfc50485e02b900000009baa0435480f66a7f6710cece7e21ff8067c9803678747fc49f6f70e9b649a97061fc0e80924025c21a20cdf3a08c44bb7fccd86b64f34ce63841bb805d9fbb0f71906ffe021face808ffc10eb69a0b7aa0d4c6a749a8541bfb1ee3b5f5ea212fba937fe8a1d3ac8b09cfcaad564221588a536706df47dc94eb1ab1338a9857f3eb1ec693c156ae527a0d50b9e9ee470400000009e145c547c4f077634ff3fdb1134219e0cc0eb68d8e67f9d7aecdbe1f76872363837304cae0d3056a346a2585cf3c05f4ff1b78b316d652faa6a6a0b4a78a0bc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007647cecb75a30445a6fd9fb68eba5427000000000200000000001066000000010000200000005cf7200725f2c8fc4f8be055b3992e1a58978cd5e49c46bfa8a8583547e8923e000000000e80000000020000200000001201ec2d10d19b9e42a3e5c294339c80115cb824f7d33a00eac4df19bbccbdd320000000e9426a2b40ecbda0ea70720dbe2723b0603b83a6a68a8821a4f4dfcbf31fb33f400000002b26c5287751d70a4d783e731f633ac97d537f8f08d7d436a379c8d62ce4f6e096c0cc2f77e74aee336c3be58eec588ad1723a4e3f7495c0c5446297700fb442	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE

NTFS ADS 1 IoCs

Processes:

IEXPLORE.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\hxjyxichaofz_fr\4399________V0.0.1___\______.url:favicon IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1380 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1380 iexplore.exe
1380 iexplore.exe
1148 IEXPLORE.EXE
1148 IEXPLORE.EXE
1148 IEXPLORE.EXE
1148 IEXPLORE.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\hxjyxichaofz_fr\4399________V0.0.1___\______.url:favicon	IEXPLORE.EXE

pid	process
1380	iexplore.exe

pid	process
1380	iexplore.exe
1380	iexplore.exe
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1380 wrote to memory of 1148	1380	iexplore.exe	IEXPLORE.EXE
PID 1380 wrote to memory of 1148	1380	iexplore.exe	IEXPLORE.EXE
PID 1380 wrote to memory of 1148	1380	iexplore.exe	IEXPLORE.EXE
PID 1380 wrote to memory of 1148	1380	iexplore.exe	IEXPLORE.EXE

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\hxjyxichaofz_fr\4399________V0.0.1___\______.url
1⤵
- Checks whether UAC is enabled
PID:640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1380 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3uhj3kn\imagestore.dat
Filesize
5KB

MD5
f0fa392a200eed6fe120f93a3387f3de

SHA1
1a788d61b3f32f368cf1bd28896df25ec03fb0e3

SHA256
98b3663014c183b694cccb1c815b69e170a8ba0f4aab3a1ce392737ca6a130ad

SHA512
d995061f581e8d047f18c767e1a6704aa536870b2807d018baefe5732e1478f86b614540c815335852f7f9e3fd45d025e27565d7791a936ca6da37d54d1b751e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NDCOIC9D.txt
Filesize
602B

MD5
f7d1347f861dbb0f845afccef2511d42

SHA1
84150ca3fb863a4b0f70961bc025074b227f0bb2

SHA256
0e3f7d88a2ad99a7faaaed90dfecd936ed5ec4f00e18cec2252c3902c192b48c

SHA512
4b0c24316fa9c95d91f8ea9653aaaaf40acf500f96ef234243a1c25840b7ee2fb5c3ffa38265028f98f97f76616351ee799ef1aa3202ce964f63ebc720af3618

Download Submit
memory/640-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download
memory/640-55-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing