c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Size

28KB
MD5

935a18db907ac663070f559a343138b4
SHA1

3840d5a8da088e45ae665797cc7e36c5dd45f446
SHA256

c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5
SHA512

7687537442762618e76ca1b1a8ccaba128b0f0c7926c93b50ff9fba9625a1bc2d6ff71f1ff8d79ce3d64db7f3e62a20ba055ffea8602f58d61ddb8da19d86800
SSDEEP

384:30c+R59Tt7QTLdg+BmIoQcEYCfW4QY4UeTHOWJ+QjC2gCW1xkTRg2r7zsX1:3wR7T1Gqz9EhzEUvWJ+cCogE7w

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\7111383.dat	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\IgnoreDefCheck = "Yes"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "2"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "No"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\RunOnceHasShown = "0"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ffd95a6cccd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\RunOnceHasShown = "0"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.eurotechmods.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.eurotechmods.com\ = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Enable Browser Extensions = "no"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000e1bae0d77299b830868b58455d050fc29efbcdd29ca4eb56bb743db8385990e8000000000e80000000020000200000003e5b892bf0bca0910a3b479413ce957dcd5c5b720378127da6842ccb3e48476f20000000bb0c4619602a8f0eff7b401e9191bfa229cf7e2e56b70063bc301c66b7e09fde40000000b41abf2c9af0fed807e18335db1ade2482d492c87744c7f831e039c483407a4f1b5736b7f0c76457d9cf615abc12bc1b873b312a8ed560d83590aee11bec8f74	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Enable Browser Extensions = "yes"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\eurotechmods.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370386748"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Check_Associations = "No"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DisableFirstRunCustomize = "2"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\eurotechmods.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\eurotechmods.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\RunOnceComplete = "0"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\RunOnceComplete = "0"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\IgnoreDefCheck = "Yes"	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F2254E1-385F-11ED-977F-FAF5FAF3A79A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000dbcf11670b3b30afac4a5c959c4f1048b5bb312b71b22874625b12368bdad480000000000e8000000002000020000000d38cffcfd7e5d4db2af589b056616ce8dcb4e5d614e11abaabff34923bb184cd90000000efe32d4d0088896bf7b1c8b943e3864bfd1b3afbbdc59a5ce85f457a7176f3c5b31eeb9ae750d53c5848838260c6852d269da5fe44038a13975d6c44f603ef6655c1d67c5f5a0a36395677c4f0bac80b2768fdfc774dcbc5eeb8e034a53b832534a81e6ab3a06b9e6fdf18483bd493a8256c2fbd0c7729c532fdf4f703146e0378d7757ca08160750163e24607acb1c7400000001c18d65f877d3dee3cc33504ba70b4e938231ea5cad59048e321c6198c2dee2ff89ae169042f86dd75a700f427dae9b113a10ae7b0947a474cd2f59f53f18c03	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
576	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
576	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1668	iexplore.exe
1668	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1668	iexplore.exe
1668	iexplore.exe
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1668	iexplore.exe
1668	iexplore.exe
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1680	1668	iexplore.exe	28
PID 1668 wrote to memory of 1680	1668	iexplore.exe	28
PID 1668 wrote to memory of 1680	1668	iexplore.exe	28
PID 1668 wrote to memory of 1680	1668	iexplore.exe	28
PID 1668 wrote to memory of 1800	1668	iexplore.exe	30
PID 1668 wrote to memory of 1800	1668	iexplore.exe	30
PID 1668 wrote to memory of 1800	1668	iexplore.exe	30
PID 1668 wrote to memory of 1800	1668	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe
"C:\Users\Admin\AppData\Local\Temp\c62c294f91e3973d950791d99874a97c7ae018cba795dc94c2a84506749426a5.exe"
1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1680
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:799748 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
10e33d4c3f5c4d4a8df04ce91cbe42e4

SHA1
df644bb4b6906cf867ce0bd7a70ae0253434de58

SHA256
43c07e296ed6a3b00cfb6f05c08d60330313c47fe44de5b60f5db2b1806a3230

SHA512
69f71401394ae33250f7baca8628ff72eea8d7db882fa659f751dce3ec3ebccbe01eeeb00e49e96287cfb336dad2b799ed08bfd7677b24a37034dd833ac75bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2Y2CQFHJ.txt

Filesize
120B

MD5
d2a03fe617f33b6271f884a9118acd18

SHA1
bb1dde1e2f190fa88d4e2a52c6b2c4660e8f8a33

SHA256
73ae8c85954b450e79a4184e57f44ffabcb8d930291e2299b319b598a067a4af

SHA512
28ab7b3b43f0a492a68c7c1c78da963dc46c623f0edf609537dd25e6c36dae8e1b8440a45c21c9f36c7aa49f9a16ca640451ca15c02996196fc0a96b6dd6c433

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QTY7GZ6K.txt

Filesize
601B

MD5
972a4b6fa468b46657b89f568e0fa364

SHA1
58c370e61bc56aad079c35a34145936fab9d4836

SHA256
c1c224dfb4b677783f89a809c709624c3489bd8cb350c7ac7d8fc4dc22c3a5f1

SHA512
3f9906658cc3d8eca1d7475308db99db37da79440680ab70d1cc4ef0ced4c3f5d3e84f28aac41b88d19186217de88fee3ad7c3908ebf1368e839c52e6b1bb4da

Download Submit
memory/576-54-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/576-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download