3a174c4147035d270a163364d65bfff17eb6dace5f066402640bf16ffe8a0053

Analysis

max time kernel
110s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a174c4147035d270a163364d65bfff17eb6dace5f066402640bf16ffe8a0053.exe
Size

72KB
MD5

f44e19bdfb48d55070b178f2390cb377
SHA1

51a80565642350107b469896f983b2b65eb08864
SHA256

3a174c4147035d270a163364d65bfff17eb6dace5f066402640bf16ffe8a0053
SHA512

a7f6c2cd37800248d70a74882fbbc39c59c822c70f44bd9c61e1fe6590ff57ab6c8a84403b4c0ae580c1048fa9f31094c7d6e443bd377f55e3a680f58f9fe01f
SSDEEP

768:1gR2+xq206IEcCv69Xt/OGf2nLtyXUNA0ev0Z:1gR2+x/OEPv63xOnLAcAXvG

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\infoflow.baidu.com\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000023b5f2686dde8a6e421a0c3264194bef7f05cb55bba04c5f775a6e16899ead62000000000e800000000200002000000031acc25e41b2c6f0bd69df4a519cd2787e6172a1d746bf05c7959fbdda0c122120000000cce064ea4edbf3bd4d64ef138aba0542a3057bc9128254e1a5c029b5b72f41984000000059f4fcaa04e7978522e7e88590be2b598d06f4f9fb5e3ae4cfc68b3ab921a32d253ee0f0c83472c55cdc2a47d44fc9f0275cfac03370bd1f17bae9b5da4d5624	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4696B471-37C8-11ED-9551-6E705F4A26E5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\infoflow.baidu.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d096ac25d5cbd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370321859"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000c0dd1f0140106afc18a8e8e00b01aaca6269ae8ca07367735d8dad220241cac0000000000e800000000200002000000029838a8fa13c776cfa537eeecfaeea1b92fed99f9153d94d3ea9fa781b13b33690000000ab0adf2ee7fb8247d564be0bc785485b4c29b0323cfaa98e451a6c97d5d47a857b54185ab86d1e3c87e6d22b8a53bcbb88760272efd17cbb6e7c09eea80aeccb588c926a1f9c32a3b65f00e94f2f674505d003f6817b1203a607319c3c985787a3ff6faf9a9dca20af24107c3c69ed33782de430df54a4322a15daa95ce1990cfb4f8aee8e46b914e4c0abbb845bbf7340000000ffc0d15baab41c938c0ac2834aa8a36c364694adce8052cec2e5c0c35f664b194fb800acffe449644c96d8ad0214d1a98f274d1e10b8878ab32a30e556486631	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1224	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
948	3a174c4147035d270a163364d65bfff17eb6dace5f066402640bf16ffe8a0053.exe
1224	iexplore.exe
1224	iexplore.exe
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1884	948	3a174c4147035d270a163364d65bfff17eb6dace5f066402640bf16ffe8a0053.exe	28
PID 948 wrote to memory of 1884	948	3a174c4147035d270a163364d65bfff17eb6dace5f066402640bf16ffe8a0053.exe	28
PID 948 wrote to memory of 1884	948	3a174c4147035d270a163364d65bfff17eb6dace5f066402640bf16ffe8a0053.exe	28
PID 948 wrote to memory of 1884	948	3a174c4147035d270a163364d65bfff17eb6dace5f066402640bf16ffe8a0053.exe	28
PID 1240 wrote to memory of 1224	1240	explorer.exe	30
PID 1240 wrote to memory of 1224	1240	explorer.exe	30
PID 1240 wrote to memory of 1224	1240	explorer.exe	30
PID 1224 wrote to memory of 468	1224	iexplore.exe	32
PID 1224 wrote to memory of 468	1224	iexplore.exe	32
PID 1224 wrote to memory of 468	1224	iexplore.exe	32
PID 1224 wrote to memory of 468	1224	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\3a174c4147035d270a163364d65bfff17eb6dace5f066402640bf16ffe8a0053.exe
"C:\Users\Admin\AppData\Local\Temp\3a174c4147035d270a163364d65bfff17eb6dace5f066402640bf16ffe8a0053.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\explorer.exe
  explorer http://hi.baidu.com/qq289555239/blog
  2⤵
  PID:1884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://hi.baidu.com/qq289555239/blog
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
070a3a9da27e80808b476bd508f400f5

SHA1
1d13b0e01b876f377acf9df97764421b3b37096d

SHA256
ffa8586175d92032cac1b4bf6b3db44b3fa78b4871006098d208f24e6b592cde

SHA512
5c8b6bfd7ecc212fd8a2cc4ee8b43d27f6d5ab26e298a5a1cae169cafa3e6cc23bb774cfba1b7254937c7fe8cf9cb70eb415bc8d8154c12897bb619fcf2303a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
8KB

MD5
1f55bc669421587f70e6e728db3bbd1f

SHA1
a2982d6f1b52b4fa41bdf3c7a1b7f6486966c7cd

SHA256
b58d5ef162addf4920e922e340eee43bf129af590a790292f8261bf9d3568877

SHA512
1893bed4ff84accb2ade53bf388b9d31fddf8354def566b5d7814c790d1eacb648a54e851997e4a568ba8c74bd41ce57c8c00dcb62a994414cd201ff693f9bbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O67X7PPL.txt

Filesize
597B

MD5
58d441964f6324dd10a9268ff4089c42

SHA1
7e455ae27c21c46327683dc95b3aa0c3572f0055

SHA256
df3b1f3134b39bc6779d3d9fcef080ad56949d75cfd5ffb40c313ff86c2c90fc

SHA512
14fb87472a23aee8fc0444b724eefd77de28dce337c8f5b877cfa25dfa1007dd428a6ec73531fe6a626e874c7b96379572288cd761ee2ed37c55c31629cd03b9

Download Submit
memory/948-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/948-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-61-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/1884-58-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1884-59-0x00000000744C1000-0x00000000744C3000-memory.dmp

Filesize
8KB

Download