52b4aa5b05aac2ef920aa286948b8b9051a5735d8b192d28a816b1b440cef1ff

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52b4aa5b05aac2ef920aa286948b8b9051a5735d8b192d28a816b1b440cef1ff.exe
Size

1.3MB
MD5

b003052dd6986aea6c5343f05f588843
SHA1

e9523b47bd04340e6231313fec26771347542b5a
SHA256

52b4aa5b05aac2ef920aa286948b8b9051a5735d8b192d28a816b1b440cef1ff
SHA512

70206dae01f9b887215dd7fc3564f380a5b012afd6da1722c46dbc846b90040b43b80a5c97538b149b5f1ad88460bd1f7214c065fc55e170443d8e4c28ded290
SSDEEP

24576:szYXUY5BuVJl6aK0bTrzCXSk953Kwwn2uX3txhbg1GQHbfA7djwif96Jwr9HH3Iq:FkjVf6aK0bTe953v02kP01GmbAHQyr9V

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	52b4aa5b05aac2ef920aa286948b8b9051a5735d8b192d28a816b1b440cef1ff.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000092d2f4835fd5a96be0b627024c833dfa914e629a6155776820ca60b771494a9b000000000e8000000002000020000000a5dd4631f9b5a8d3cf3a08aa7daa98f2e75e56e3a218856391c2eadd8387fdc720000000d3ab9a9f305d5e7cf560072f576b92842739c18a757433d9fdaf44391889f04840000000533686b9337094acae11c8fce2a85ad276b90f5069f2f2993640619c344d6a044380fd26e75aeb37bcfd086389006dae52ec306694646801da8eac3c4d6af6b6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a507210dccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370345877"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000007d2dbd0e84d1519b758f8408066bbd13424af7b83522eb8fad9e80e0bd92aec2000000000e80000000020000200000002e9ad46c8bf6c58586d65ddcb378d2dbfde165b8508ffda29923ab1b3e51deb690000000e79a8ee4be390e31b5318dfac9479ed60e8583c7c1f6071ad722dfb5a0fa9d1febe8460291f7c2d90e520ac51860d2ffd9d72c166645048806b90db740e1309eeff100c23286fb53acbcd378fdb7a97b4c8c8f2db295c9e76ceb259d68c9cbee389157078eb5b424b4bf67f7a0c7b731c0b161806bed2318e0da7b953f3651446267191252eb46dd6c7c383f6a5d03914000000021799c273f0007afc783d8f06e5379c5db1c638bdf068c558c01688c330f795ae111e905a2da3e4c8f586784b9fde51d956af6dd33edb22341362c68c06121ac	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{32AD40E1-3800-11ED-9916-DE5CC620A9B4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	52b4aa5b05aac2ef920aa286948b8b9051a5735d8b192d28a816b1b440cef1ff.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1416	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1052	52b4aa5b05aac2ef920aa286948b8b9051a5735d8b192d28a816b1b440cef1ff.exe
1052	52b4aa5b05aac2ef920aa286948b8b9051a5735d8b192d28a816b1b440cef1ff.exe
1416	iexplore.exe
1416	iexplore.exe
288	IEXPLORE.EXE
288	IEXPLORE.EXE
288	IEXPLORE.EXE
288	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 288	1416	iexplore.exe	30
PID 1416 wrote to memory of 288	1416	iexplore.exe	30
PID 1416 wrote to memory of 288	1416	iexplore.exe	30
PID 1416 wrote to memory of 288	1416	iexplore.exe	30
PID 1416 wrote to memory of 288	1416	iexplore.exe	30
PID 1416 wrote to memory of 288	1416	iexplore.exe	30
PID 1416 wrote to memory of 288	1416	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\52b4aa5b05aac2ef920aa286948b8b9051a5735d8b192d28a816b1b440cef1ff.exe
"C:\Users\Admin\AppData\Local\Temp\52b4aa5b05aac2ef920aa286948b8b9051a5735d8b192d28a816b1b440cef1ff.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1416 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
5KB

MD5
f226ef2711b0f5dbbfc032384826a7a7

SHA1
6bb0caa839c51ec85c56376457d82a7d02f6e383

SHA256
00ce75f5be523c8de9c0270a9abc2ffa69945b708d9ed1790f605332e7931cad

SHA512
605c4fb956e5bfdf40e706ad971f258f1493b64369667c2cbd12dd8b2d069cecbbe81f6289acaec7a18b015961678d053623f1064a313d05cb7ee1a463e3b709

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GTD9TYIX.txt

Filesize
603B

MD5
364cf63c1fdd1c42844e82ae0f680e27

SHA1
0f33a5feedf9bc687cfe065186ac8b8e3de80553

SHA256
f4cc686b15c8d9971c23e9f2a9c00eeb78eb653e7302dcde9a82356ee823b3c2

SHA512
d0178b8f7023bb6e071cd5321b5cbf00eab3daa95e1a4ec757f098f1fa7655bf9c35c3b2a7e845824d1327d57c5d8bcf0441edae63a52cb55c92218dfd51f923

Download Submit
memory/1052-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download