ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed

Analysis

max time kernel
167s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 03:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe
Size

100KB
MD5

444770900d9219c86424dbe1159950ac
SHA1

192570518f9ac7f19adca9b4faf717280deb86cd
SHA256

ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed
SHA512

7ab86b955894231b36b098d1d70aa73c28473271585a0962e386f1d3c32fc34e3b1258910941679a94b449c68038630e03257c3129b5edcaf119752fcfa42716
SSDEEP

1536:1fVvHhBAZ08z3jeeXNXS3zOgyaiQPEigSsA3SIcQyozsm24vw+cXXxXA:fv/Ifz3jeedmz25igSsA3dImbvncXBw

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4816	smss.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\smss.exe	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe
File opened for modification	C:\Windows\smss.exe	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f35b91f8cbd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985208"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000d307dc46829f196132e96f140c1dd208b0b8863e7a2c4a37aabae5f621751ddc000000000e8000000002000020000000b482a2f7d2998bd5fa3580f9bd5414d330e8ed4516fb617a5510a3457ab4f68d2000000060b82d974bff171244a1e82b8f24fc977d28bc74a4be18be946602f8bcd3c1614000000087777edb8c16dede52c9a34db632e0a0c2e64e8840f73dead2e271a228c5f39a78c91e874979914700124f76e1af0afd7f5ca4852466fe6e0388f9b1ce7afda4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a066b293f8cbd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370337089"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2477794550"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985208"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2517792847"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B9BBFC4F-37EB-11ED-89AC-CA2A13AD51D0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2477794550"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000bb5cf452988d42b1224b0304a4f8852e90d216f0cad1677355233d0de2102781000000000e8000000002000020000000118b5f9babdcb5dd2084eee9616942de105c2b79055bbe6320fa745f44a73abb200000007b208015a72862ad0be4b1107a77d370115e231e111fb504cbe3de85fbcc1c584000000045ff8cc1042edf3d6a9684f19f77ad739230a8a01afce12573c560d8a2947b464f1e15428900a1dcf015e61f2f3d65b97fbd3758630a8da2b63f3287558acf5c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2517792847"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985208"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985208"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4924	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe
4924	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4800	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4800	iexplore.exe
4816	smss.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4924	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe
4816	smss.exe
4800	iexplore.exe
4800	iexplore.exe
4376	IEXPLORE.EXE
4376	IEXPLORE.EXE
4376	IEXPLORE.EXE
4376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 4816	4924	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe	81
PID 4924 wrote to memory of 4816	4924	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe	81
PID 4924 wrote to memory of 4816	4924	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe	81
PID 4924 wrote to memory of 4800	4924	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe	82
PID 4924 wrote to memory of 4800	4924	ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe	82
PID 4800 wrote to memory of 4376	4800	iexplore.exe	83
PID 4800 wrote to memory of 4376	4800	iexplore.exe	83
PID 4800 wrote to memory of 4376	4800	iexplore.exe	83

C:\Users\Admin\AppData\Local\Temp\ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe
"C:\Users\Admin\AppData\Local\Temp\ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\smss.exe
  C:\Windows\smss.exe auto
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4816
- C:\progra~1\Intern~1\iexplore.exe
  C:\\progra~1\\Intern~1\\iexplore.exe http://jianqiang960851442.com/AddSetup.asp?57;€UQ44457€7€=35=36466$;>65>94$EQ€<5
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4800 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
1520b1f0e8660cc8553264ce46871efd

SHA1
70c43f2c0b7599f782461590f8e1650a2df5dbfe

SHA256
8bb8dd5446da57093db31c10b4093a2378a9324f137d3eaa21ab0027e191c09e

SHA512
6ad8d5f620738988286981654070c9a4e2542f629f4e5245381143a2a88c98922145759ff8d90546e1a617639a7dd335ddca4aba5435fb216c01c705bc4f0be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
a5479bf34157fcedae2be308fdfc3ec4

SHA1
4015d4f1a2d21bb761a10cea9722cdd67e055ea0

SHA256
d91a233edfdced93b596da0715c9d4b053c1cfaf2eb622bcea6934344dea9b4f

SHA512
8328960de9d0a3544a2b573d21cb627d3b9e089b5a04de957b2487612d5f408dfea0e7b4a7cfc630f4d76b189dda1086d4d62b2eaf384b6aef5f47661deba262

Download Submit
C:\Windows\smss.exe

Filesize
100KB

MD5
444770900d9219c86424dbe1159950ac

SHA1
192570518f9ac7f19adca9b4faf717280deb86cd

SHA256
ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed

SHA512
7ab86b955894231b36b098d1d70aa73c28473271585a0962e386f1d3c32fc34e3b1258910941679a94b449c68038630e03257c3129b5edcaf119752fcfa42716

Download Submit
C:\Windows\smss.exe

Filesize
100KB

MD5
444770900d9219c86424dbe1159950ac

SHA1
192570518f9ac7f19adca9b4faf717280deb86cd

SHA256
ecaf99c548f87742ad7d861beedbd3a599f7fe014ac7e0fd60a721069b2ed4ed

SHA512
7ab86b955894231b36b098d1d70aa73c28473271585a0962e386f1d3c32fc34e3b1258910941679a94b449c68038630e03257c3129b5edcaf119752fcfa42716

Download Submit
memory/4800-143-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-142-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-145-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-146-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-147-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-148-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-149-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-150-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-153-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-152-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-151-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-154-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-158-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-156-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-160-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-161-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-163-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-162-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-166-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-164-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-170-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-171-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-169-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-168-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-172-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-173-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-174-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-175-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-176-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-180-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-181-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-182-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-183-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-184-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-189-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-193-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-192-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-194-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-191-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-190-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-196-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-197-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4800-201-0x00007FFCC5A90000-0x00007FFCC5AFE000-memory.dmp

Filesize
440KB

Download
memory/4924-132-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download