706e35f7084666251d9acb93c168b6ee3e1fba31412f7a8292752ef63ccd7a2d

Analysis

max time kernel
182s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

706e35f7084666251d9acb93c168b6ee3e1fba31412f7a8292752ef63ccd7a2d.exe
Size

686KB
MD5

af830d2376c528fba876e1578ca76b8c
SHA1

54a552359cd339b79f174f13d57c7d341cbac968
SHA256

706e35f7084666251d9acb93c168b6ee3e1fba31412f7a8292752ef63ccd7a2d
SHA512

3acd30b66bff42640821f1f715be8b6f7cddf27be5c59938933c3b236235e0d51c3a6f0a6640c6b83ff6e4138d796ce811f7da40ee0572d7df71649e4cc2d057
SSDEEP

12288:stlYXURbBg2Tfc3ilWZ0qECz2JV/fLylQwgmTIPd76nI4CtZPoqZNb2LaXaSX66D:szYXURG2fc3imzmV/jylQx76IfwqZN6i

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	706e35f7084666251d9acb93c168b6ee3e1fba31412f7a8292752ef63ccd7a2d.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370345822"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f085fd140dccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000ff902c43cc762dc416b6ae583624c116a9fc6f67a29578db0a638fa3b321ac9c000000000e80000000020000200000004bc32dd94da58806e83b0f685c7404128dd8fa8aca37df0a163ce48c80a3ae1a90000000519253f4c366c8885d42beea43cd8750029e10c6ddb7217ea4a9fc97eee61ec49980041637e9fac17633e1e804dc09d5f9d2de733dfcb87ed5fdb17cc268331168fda3c7b7f22b3ab444022deb1fc9a9c4c0fe4e3677ceeb1dcfa0fd4f0da7b65f5b07e6f27f76e9272785ff81c309ce1326abe24eba925d67f184f912970176134129d79da5ebaac5eb05949f5e1cd34000000036ebb064382cb62cef0fb5b2b47013fb1845f33d020feb1eae779e440cca2d5a49cbc1c6e569b268d16101163553c131f608916b445dacb97d16aff91accbe5e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	706e35f7084666251d9acb93c168b6ee3e1fba31412f7a8292752ef63ccd7a2d.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000c2168f44e804969136b29e099afd6d12054a1e802bd0714578471c15035cd753000000000e8000000002000020000000d715073350a199db961d7504208e2ac609f87af2aa47efbc9094f1d0c270bf4320000000d154ea7e708561d70f64f67d851cfb20a88ce1207a198bcfb22f7413845c0ed140000000bcac0d1924fa7289f538eef1c4931a1e7d728b7e51935fa0f265e9896270c0a2894d39ff3a2eb28fd893f7d278fb2947418cc0aa21d90666c644161943f37d94	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06A68831-3800-11ED-A94D-C6F54D7498C3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
784	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1756	706e35f7084666251d9acb93c168b6ee3e1fba31412f7a8292752ef63ccd7a2d.exe
1756	706e35f7084666251d9acb93c168b6ee3e1fba31412f7a8292752ef63ccd7a2d.exe
784	iexplore.exe
784	iexplore.exe
932	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 932	784	iexplore.exe	29
PID 784 wrote to memory of 932	784	iexplore.exe	29
PID 784 wrote to memory of 932	784	iexplore.exe	29
PID 784 wrote to memory of 932	784	iexplore.exe	29
PID 784 wrote to memory of 932	784	iexplore.exe	29
PID 784 wrote to memory of 932	784	iexplore.exe	29
PID 784 wrote to memory of 932	784	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\706e35f7084666251d9acb93c168b6ee3e1fba31412f7a8292752ef63ccd7a2d.exe
"C:\Users\Admin\AppData\Local\Temp\706e35f7084666251d9acb93c168b6ee3e1fba31412f7a8292752ef63ccd7a2d.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:784 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
5KB

MD5
3f4baa1d1cdb059542756adf3717f096

SHA1
594245957b97ac0813f3ef5c17de8fe4c63b34b9

SHA256
9a64946c56d8d01d7c6a0d06152d7c7786d229746573df9d8f04f3ac18675f5e

SHA512
1ccfebd78ae99069459e8fa94c3d901f72f7546352e901d06f3edc59cef584683b713dbd0ace1314486704958ed5dbf81ec115d62c1d494c2d5d3b996e0a6a20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N33BC7JD.txt

Filesize
608B

MD5
453ef93313cabf8b643c255d8aebc3ec

SHA1
6436ca325d8648a63eaffee914e93b54b096382e

SHA256
b307d8420723ba97c455a9ca4c0a438ecdd780358a1a933cbff6e6c43596b37c

SHA512
d9ea375e00840028c6af3bb2fa0b8f6b0193cd99bb2c0879ff7631e6c2f1e32a5d8b4b8a0f63ca5639d5c958a2ad6191fab3a82aa3807b5368a8797706a98d20

Download Submit
memory/1756-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download