d3bd86884f7216885d5b0dd653ea5ae548c78d313a27de9232d32ad5ee14812f

Analysis

max time kernel
103s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3bd86884f7216885d5b0dd653ea5ae548c78d313a27de9232d32ad5ee14812f.exe
Size

9KB
MD5

63eea99c62061c7fecb41dba69be2510
SHA1

4ee8f644058ecbc8aa35f24e2c04cd55715df476
SHA256

d3bd86884f7216885d5b0dd653ea5ae548c78d313a27de9232d32ad5ee14812f
SHA512

cc874544d535c31589b4fc9e6297beb06b81c7cdd29ca57be8ba68af348d05cba94116ad1bc62cd5304285044b2c2ff75a8f9e6ab487518a8f2892efe017bdb6
SSDEEP

192:/TK291wp9TMrf6UKUpt3TFbNehAi7YBE5A:/TR9ap9TM/DphTFZehAi0S

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000081cdd09f3637db941c7ceaa99af2d0ad4f5b97b714383f1a5b500ed8adc9c643000000000e80000000020000200000003b819c9f97e2a713a34f107dc4d2db89bcb8ef288cda1c914822b7a4ca01930a90000000f608dd614d2bdfe2b9b3c500768f67a5b9ccda577f8163fb4d837b1a3dfca857dd2fd09d78b9f97eac881934c8c53d2acd6d3915c60b77c787476589cbaeef52c74d183389d55ab1c38d9fc4fb42c9777efd10bdaebc02204c62cd4263baa78a3a6ac73c78a26d86a2db89d0bd10472716f916f60695acd0ba6a4a06f67cdc35a562895afe6ca4864de5096389ee638d40000000ea08253b7b26c96cc9d3d1c579f9ef183a48b4d20f073c49d0217d2ce692d976ade97ddc2709f4455e26d4f45666c23ab865d2e883ae2f5196635b2bffb298a2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48333AC1-3830-11ED-99B1-EA25B6F29539} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000006311e303dd74ba5d91aa288e5182e87ed60e93257b72a7cddbb1a5821a3e7e1b000000000e8000000002000020000000e2283111f198674f8250fbb1fcde75aa5aed977a47353b47fc1db3aa9d6b8586200000003ff85a370732b895b35d43a3861ab42465a3934adb806f7f4ecd4957e6d321734000000049b71b8e0696a96c8880f9412cb40cfa9d71a78a7166b11be89c4cb931d18e6231b7d14d5ec7a01b0abb5cd3a5aac2ba1d7310a9ef92ca82625471e0abbebe09	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0c7f2213dccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370366529"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1512	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1688	d3bd86884f7216885d5b0dd653ea5ae548c78d313a27de9232d32ad5ee14812f.exe
1512	iexplore.exe
1512	iexplore.exe
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1032	1688	d3bd86884f7216885d5b0dd653ea5ae548c78d313a27de9232d32ad5ee14812f.exe	27
PID 1688 wrote to memory of 1032	1688	d3bd86884f7216885d5b0dd653ea5ae548c78d313a27de9232d32ad5ee14812f.exe	27
PID 1688 wrote to memory of 1032	1688	d3bd86884f7216885d5b0dd653ea5ae548c78d313a27de9232d32ad5ee14812f.exe	27
PID 1688 wrote to memory of 1032	1688	d3bd86884f7216885d5b0dd653ea5ae548c78d313a27de9232d32ad5ee14812f.exe	27
PID 1764 wrote to memory of 1512	1764	explorer.exe	30
PID 1764 wrote to memory of 1512	1764	explorer.exe	30
PID 1764 wrote to memory of 1512	1764	explorer.exe	30
PID 1512 wrote to memory of 2032	1512	iexplore.exe	31
PID 1512 wrote to memory of 2032	1512	iexplore.exe	31
PID 1512 wrote to memory of 2032	1512	iexplore.exe	31
PID 1512 wrote to memory of 2032	1512	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\d3bd86884f7216885d5b0dd653ea5ae548c78d313a27de9232d32ad5ee14812f.exe
"C:\Users\Admin\AppData\Local\Temp\d3bd86884f7216885d5b0dd653ea5ae548c78d313a27de9232d32ad5ee14812f.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://humortadela.uol.com.br/animacao/animacao_pop_301.html
  2⤵
  PID:1032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://humortadela.uol.com.br/animacao/animacao_pop_301.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UZEQ22AP.txt

Filesize
597B

MD5
6a2b16e64fc7a9678626811cd92a387f

SHA1
bb089ebdeb7033f77952a6b7b4ede51660262775

SHA256
3290593ae52feab064ced56dfdf8ac908fa0fbb88d61e6cea8dd05e5201d1719

SHA512
a7d2a84b209cc6d587c5b7de29bd70de500ee172e5d1961da1cf0b766e3edf6f96ab091d12e9ccaa8331f499e16d8bb07c409004958c9fed2e23d600d7584b0e

Download Submit
memory/1032-58-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1032-59-0x0000000074531000-0x0000000074533000-memory.dmp

Filesize
8KB

Download
memory/1688-55-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1688-62-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1764-61-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download