e6d06c3ceb6ae761b45b0f39e1b4bb83a28e5541bc4bc63e27b1af04d9561e52

Analysis

max time kernel
66s
max time network
136s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/09/2022, 12:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ralink-rt5390-802-11b-g-n-wifi-adapter.html
Size

221KB
MD5

9ffc0770710b433a360267865552ac92
SHA1

bfb9683155853f0c28c39d55a5a864b55c6fcf56
SHA256

e6d06c3ceb6ae761b45b0f39e1b4bb83a28e5541bc4bc63e27b1af04d9561e52
SHA512

e8359ca2281c0217abc291fd1824d69fc15ca5301d253a6e0064eb62464e5d723672c1f3a802f08545de1f86f711a79f317cb4bd8d1d237a0913b3320cf444a2
SSDEEP

3072:yX8JZP63OKNAvT11s51th8dzkRaAQQBDgfj4e571I72om1AeLm:dZPWyL1651th8OB8AeLm

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000f9818ea86cac49b34bf7a7d7aad4ba0497159d5968ea9c5c4c926941694affa9000000000e800000000200002000000084c6cebde84208896e81aff6798b371e26d4173661aa0bc94b82ee20d5aebe9f9000000015658d463c62905b1b923e7fd9b4f68912008cc3d3bdb0d0d0b01895b7620d48b04877ae1b6e6a740bc5c7b4d5be4750c963dce0dadb2c6848e9978c52f1b2026afc5fc311b0c7366d02bb596b418bedf82429e29bf73e7a41d2a505b9a7340b4c018c9d927459493dc200135970fbabdce09b5dc22cc5ce1a6bca48a685d0b5ce6b2ad398b2bd57eee7b67a1e1987d540000000241f4edf8e5a96986dba907493a27e6390d07c863d260f6137887e1804322ce9ad7ec08b54d4d8a5e0dfd57571ecdc957ec1682d9cfb64d522698de9d07b7b0b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{558B5591-32A9-11ED-AE30-7E4CDA66D2DC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "369758813"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000ecf0e52a749adbedc36723b01c38c549e2e7a10b12667bc279b6c2071ee4565b000000000e80000000020000200000008a572b92f08d29e631f55ca5cd2197277e585194b778883e5921df250e66494b20000000a2a940e8bc0271bd84f7b0ca2529f93a0858d881aeb896d4e9a70cbc594967204000000018c88ea3e247702a0d3feed6648055b557b78fa5775117375950de1487942da10279202644b543135bbbdac749391e6c3493b5259e77d84bb65817b8926fb0e9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4043b42fb6c6d801	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1088	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1088	iexplore.exe
1088	iexplore.exe
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2040	1088	iexplore.exe	28
PID 1088 wrote to memory of 2040	1088	iexplore.exe	28
PID 1088 wrote to memory of 2040	1088	iexplore.exe	28
PID 1088 wrote to memory of 2040	1088	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ralink-rt5390-802-11b-g-n-wifi-adapter.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
ca2366933f20552d83b937e715470146

SHA1
26f592dc98b501c4a9de315f47b1c72878e4a1fa

SHA256
fc5eff35973b55b22d81180307e9132a03854fb589f50d1bfa39cd1be97ab95c

SHA512
a61d13fc43a8729c899583534f72d8b2cc73439a06b385328c40b1d086dc0e528264391b2a3cf376b809bcec2580f6404e7e81d5b1ba51779508e61727dfa500

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LAQPFKKL.txt

Filesize
603B

MD5
7b3417f140953d1f74ed1132682fb456

SHA1
99689be6937474bbf01a8f87d00af69f257a7fdf

SHA256
3c12a9d27544c97d6dca5f7a85f5e38fa35b5df50e81b57d6ee2bba34761bba2

SHA512
aca4b5d1d01087cda6b2d53c1ec1bcca45ff727929a21ccc958cfaa73f0a8b5c756014ec3fc245e07cc4a0f9744fefd69eacb9ea015fce0f6dc7f90a9fa7a712

Download Submit