b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724

Analysis

max time kernel
109s
max time network
135s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Size

25KB
MD5

1fa3998bdcfd65ce8fff76175f18b055
SHA1

d718056cd87d39a10495eb610e3ec431df9c9e45
SHA256

b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724
SHA512

f9bcc92c0b93f14d9c3ca62260d751cc0071f3ff2ed52db6c0b2a6967adaa863b47869204ff000d3a18f50a2474dcd5fb9370f63e3a9662f4b588e966753ade3
SSDEEP

384:/TlT/W+52Y+nyDGJp7oFtwcp/mDpQjlp0huQSNyPVbkTtnJWAEJc3zia:7lTf8Y+yiJp7oQkK28VghJWAEC3b

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1640	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\setup.ad	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
File opened for modification	C:\Windows\SysWOW64\tarpurd32.dll	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
File created	C:\Windows\SysWOW64\setup.ad	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\nTimes = "66"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000cb83e61a3b7f2448c7f6a488b9c2cf0313c6985e029d2464268cb4358a5b2f9c000000000e800000000200002000000049123b3de53b2d1378098b25dc06331981ddf00d5d5ea1a6609c7817c2bb656b20000000394153bc423b67b08b7d8031f8068549d972a8dd240fa9b8ba02110315f3818940000000ad20138fbbb57946f407645ea30475552ac8520f2b75ff17d7ff0b3ff00a49c98960d36f1d36d5935b04c074fb80b20e75dd21b7f1954ffd3ffde8694fdce0df	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75F3DC21-386D-11ED-A03D-460E09B1FADA} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000d237a1f5bf9c8b3295994df394d5ab0894851c84ab7b76cc9778e6a31cec37c0000000000e800000000200002000000083744de0c93b4ddec4d49f5b13a50ef6f0c01532614429ae092e62089ba5c4d990000000399f0a869e8e8cc7c327c4dd234d67f88b4bdc6ab8c4ae0eda610584c542cf92e326adb0acc9f5174cd5563733e310517661f1d292d0d73897db81d521afb37885afe8eab3ff44d7e8160f790000e1b395b8936522c62bea67904dd8bdd7bb174ec33d8b7e818cc8f9546e0c3e36729f1f1173f0c086a93041b57096bb4fa2a156eb91b1f4f3c1a6396714a9d32aa16a40000000c0af81a07cc00d37df698a3bf9f72b509cf508e565b3959a7efe109f56d0aad3209a2b37a0ea6e064c8f6986d33976aa24e2c019f69fbb36d8ff22bfa19b398c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE

Modifies registry class 49 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "_ShellExt"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ProgID\ = "pIContextMenu.ShellExt"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32\ = "C:\\Windows\\SysWow64\\tarpurd32.dll"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\HELPDIR\ = "C:\\Windows\\system32"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\Version = "1.0"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\VERSION\ = "1.0"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\Clsid	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\Clsid\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\ = "IContextMenu Shell Extension.."	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\tarpurd32.dll"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Implemented Categories	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\FLAGS	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ProgID	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\TypeLib	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\VERSION	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "_ShellExt"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32\ThreadingModel = "Apartment"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Programmable	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0\win32	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\Version = "1.0"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ = "pIContextMenu.ShellExt"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\FLAGS\ = "0"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\HELPDIR	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\ = "pIContextMenu.ShellExt"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "ShellExt"	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1152	IEXPLORE.EXE
524	IEXPLORE.EXE
1732	IEXPLORE.EXE
832	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
1152	IEXPLORE.EXE
1152	IEXPLORE.EXE
1648	IEXPLORE.EXE
1648	IEXPLORE.EXE
524	IEXPLORE.EXE
524	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1416	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	27
PID 1484 wrote to memory of 1416	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	27
PID 1484 wrote to memory of 1416	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	27
PID 1484 wrote to memory of 1416	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	27
PID 1416 wrote to memory of 1152	1416	iexplore.exe	28
PID 1416 wrote to memory of 1152	1416	iexplore.exe	28
PID 1416 wrote to memory of 1152	1416	iexplore.exe	28
PID 1416 wrote to memory of 1152	1416	iexplore.exe	28
PID 1152 wrote to memory of 1648	1152	IEXPLORE.EXE	30
PID 1152 wrote to memory of 1648	1152	IEXPLORE.EXE	30
PID 1152 wrote to memory of 1648	1152	IEXPLORE.EXE	30
PID 1152 wrote to memory of 1648	1152	IEXPLORE.EXE	30
PID 1484 wrote to memory of 1708	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	31
PID 1484 wrote to memory of 1708	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	31
PID 1484 wrote to memory of 1708	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	31
PID 1484 wrote to memory of 1708	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	31
PID 1708 wrote to memory of 524	1708	iexplore.exe	32
PID 1708 wrote to memory of 524	1708	iexplore.exe	32
PID 1708 wrote to memory of 524	1708	iexplore.exe	32
PID 1708 wrote to memory of 524	1708	iexplore.exe	32
PID 1484 wrote to memory of 1404	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	33
PID 1484 wrote to memory of 1404	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	33
PID 1484 wrote to memory of 1404	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	33
PID 1484 wrote to memory of 1404	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	33
PID 1404 wrote to memory of 1732	1404	iexplore.exe	34
PID 1404 wrote to memory of 1732	1404	iexplore.exe	34
PID 1404 wrote to memory of 1732	1404	iexplore.exe	34
PID 1404 wrote to memory of 1732	1404	iexplore.exe	34
PID 1484 wrote to memory of 1952	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	35
PID 1484 wrote to memory of 1952	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	35
PID 1484 wrote to memory of 1952	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	35
PID 1484 wrote to memory of 1952	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	35
PID 1952 wrote to memory of 832	1952	iexplore.exe	36
PID 1952 wrote to memory of 832	1952	iexplore.exe	36
PID 1952 wrote to memory of 832	1952	iexplore.exe	36
PID 1952 wrote to memory of 832	1952	iexplore.exe	36
PID 1484 wrote to memory of 1640	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	37
PID 1484 wrote to memory of 1640	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	37
PID 1484 wrote to memory of 1640	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	37
PID 1484 wrote to memory of 1640	1484	b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe	37
PID 524 wrote to memory of 2016	524	IEXPLORE.EXE	39
PID 524 wrote to memory of 2016	524	IEXPLORE.EXE	39
PID 524 wrote to memory of 2016	524	IEXPLORE.EXE	39
PID 524 wrote to memory of 2016	524	IEXPLORE.EXE	39
PID 1732 wrote to memory of 1012	1732	IEXPLORE.EXE	40
PID 1732 wrote to memory of 1012	1732	IEXPLORE.EXE	40
PID 1732 wrote to memory of 1012	1732	IEXPLORE.EXE	40
PID 1732 wrote to memory of 1012	1732	IEXPLORE.EXE	40
PID 832 wrote to memory of 1720	832	IEXPLORE.EXE	41
PID 832 wrote to memory of 1720	832	IEXPLORE.EXE	41
PID 832 wrote to memory of 1720	832	IEXPLORE.EXE	41
PID 832 wrote to memory of 1720	832	IEXPLORE.EXE	41

C:\Users\Admin\AppData\Local\Temp\b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe
"C:\Users\Admin\AppData\Local\Temp\b3ec6bb833f63625b13372eaf2ce6996130765a98446b29f6faa592125041724.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628546.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628546.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1648
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628546.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628546.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:524 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2016
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628635.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628635.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1012
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628635.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628635.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\_zh.bat
  2⤵
  - Deletes itself
  PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{75E9A2F1-386D-11ED-A03D-460E09B1FADA}.dat

Filesize
5KB

MD5
ea0fe91b2e30148dbd1929d208f05f84

SHA1
fac3fbb6fd540fc9fae1524a41ad34354ba954d2

SHA256
b52519e536f970db225baf63d994defa76164f99822b42a7b75b72ccf00d7ce3

SHA512
4e670bea846708a95c512abd30c64513c337641267f352c56642c008a4159beb3d5efd0b1df79f9602a8f4e021a6d813f0b20bf00bb53cb6fe0b05c185fdc0ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{75F3DC21-386D-11ED-A03D-460E09B1FADA}.dat

Filesize
3KB

MD5
51ae354194f16f5c92b95422563a2c52

SHA1
018d2343bf34952ca41943dea41d1b47cb417964

SHA256
1e6ae6a3a4962de1fb134e27fea51c7ac832c4ac6e345be818041b0990918c88

SHA512
3e45f093b8668e2fb664770217d121aa5946821d34193f5e49c6d4382d85e8f7eb8402c6319ab60e72c0673723c1ac767fee1f2667635d981337147d370e7fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{75F3DC21-386D-11ED-A03D-460E09B1FADA}.dat

Filesize
5KB

MD5
a21f5a32a78d6299211ef1ff71bcc1a3

SHA1
8bc7ce6dc915a87f257e27a500faf2380401dd1d

SHA256
1fef64405fb94d96ce527339aea4c8773ba2db507c262c45c2b0da8a08fc3ea2

SHA512
8581097301828435dcda98c0d7128410ec453f2f3775a9bea26886ff829a93ebe717040f8e92f13d84a9098354cd0d63c86818e484ee7f80d4159bebb5159d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_zh.bat

Filesize
248B

MD5
dcb8d6a37552cee0f8112c87e1e01d40

SHA1
9e2323faf00c5ec44010d45602915e01ebc1d174

SHA256
2f06ea2399b880b9a2e8b9dd4f62930d1ea4506e410bd6635075fa80decbf51e

SHA512
c745d6d5c73e4e752f0b418c19551677564193ecc12aff4e8beebd13b32d96c02c5c0eb0dd981a89921468578875cb82c0483a2598b48124d047715b3a214f55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I853BNLK.txt

Filesize
608B

MD5
2cc1aff4633c4c1618337859062ea8e4

SHA1
c08ac4117efc385c16e4d359736586500d507d94

SHA256
8b90cb85a1fdbeafb76cef0e10addd82bdd33603d9bb1415ddf6d86cddd46030

SHA512
f0ae2621a47dcf15de44c566ba47661fd5d8e2c054eb4b081d0ce22c664dd0fd763af560d357f81198e86c34b08016479948eded51828e714ac666aca867e017

Download Submit
\Windows\SysWOW64\tarpurd32.dll

Filesize
44KB

MD5
2a4c90b7c7f4d5bee9b17a4476cc4213

SHA1
4c3f82e45c38cb1d9b449da774a4f58d78f931b5

SHA256
e0a526ee76b4c57deafdcfc2f129587e5739d3eddadb1286cd927008c001a143

SHA512
3828237e30cf2a3cbe58c212a6c5bfc598cef7916ae4cb4518b7c32c619d9f9eb5885ff623449813cf0e30f707dd35668e22411ab70df1c5009210a9865def20

Download Submit
memory/1484-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download