30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe
Size

10KB
MD5

4f585227bddf9eca0d0becc7d680fc71
SHA1

688765bef31e88ec5f73feaca7890f0388583da3
SHA256

30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201
SHA512

a79f60ed824298245469b6716bf1d6dae3c1db8955f1e25a823ed7afe05c7e32d0d1c4ed002a1ef80d576a4c6cfe12ac69d95f885166e52809543796c82e5f61
SSDEEP

192:/T7daWohiDmeqYZMmv+wzv6X/SNpq7JPVXEjX:/T7uXYZMw+9vSryVXEjX

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1884-54-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1884-59-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{438C3181-38A2-11ED-A94D-C6F54D7498C3} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70ebf93aafccd801	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000004415d5ccd97814bb413c6cc69484d63bd0eea69580262a189e04f38ac5b5400c000000000e8000000002000020000000e3e7026766b398302d4aec0d06c5f671160d2a504ada18c9185f3595a96b2ef220000000f98cefdab41b5acf2c1cdf5688427b8b5e8d57347a812d24185effee5f6aa5d240000000e9054c1c2a4c7a28987f29cad13e59e21f745bbacb88b9a7a61173c866060342db05e4dda691a8fd3e0e1f2fda8c06bb209cb9a7e59487a4ce935ce461d7caf0	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000008dcf2c33b6415166e2cc8d484588150ff0cba0c97e2e1061380dfbcd395476fb000000000e80000000020000200000007d220868fa7173879a4c36bf318e175e5c831288ed2d52f925cca427c2b44adb9000000077dfadda1001320b889bf77197692e2893789c5dd5a8aa464e7f151f80b140763cc48cd35131084b84bb7d8f86406529b35723bd75d21894f55679d51e4b11d97905c02d6c2454b33e91c71b5dab27bcd6e9113c5d07efe51b05e65af82cd70d53ccaf030e38aece8e1e027c51b88a040488dc3b4af4e85982fd40fb7673a2cb2fae2385783bf199483263fb7675d89f4000000017bd5de7ff17be9f8938532fbd56bcf11d79b3ee150cbdbbcbb4d8171108daac618f8cda4dea60b1512a603d42ce433412c1fcfbb24ec40d6cb45ba26209507c	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370415484"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{43C7B3E1-38A2-11ED-A94D-C6F54D7498C3} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
960	IEXPLORE.exe
1004	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1884	30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe
960	IEXPLORE.exe
960	IEXPLORE.exe
648	IEXPLORE.EXE
648	IEXPLORE.EXE
1004	IEXPLORE.exe
1004	IEXPLORE.exe
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 960	1884	30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe	27
PID 1884 wrote to memory of 960	1884	30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe	27
PID 1884 wrote to memory of 960	1884	30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe	27
PID 1884 wrote to memory of 960	1884	30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe	27
PID 960 wrote to memory of 648	960	IEXPLORE.exe	29
PID 960 wrote to memory of 648	960	IEXPLORE.exe	29
PID 960 wrote to memory of 648	960	IEXPLORE.exe	29
PID 960 wrote to memory of 648	960	IEXPLORE.exe	29
PID 1884 wrote to memory of 1004	1884	30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe	30
PID 1884 wrote to memory of 1004	1884	30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe	30
PID 1884 wrote to memory of 1004	1884	30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe	30
PID 1884 wrote to memory of 1004	1884	30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe	30
PID 1004 wrote to memory of 1604	1004	IEXPLORE.exe	31
PID 1004 wrote to memory of 1604	1004	IEXPLORE.exe	31
PID 1004 wrote to memory of 1604	1004	IEXPLORE.exe	31
PID 1004 wrote to memory of 1604	1004	IEXPLORE.exe	31

C:\Users\Admin\AppData\Local\Temp\30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe
"C:\Users\Admin\AppData\Local\Temp\30c89432c5e94b040613cf333816c51c9b08cb2c69b7521b8b06d9a5c8652201.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/haozip_tiny.200629.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:648
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{438C3181-38A2-11ED-A94D-C6F54D7498C3}.dat

Filesize
5KB

MD5
210de897ffa6a64cd833c25f7f6375ec

SHA1
1c053e2cd4525dec74efedf50374ce4a9bc3244b

SHA256
36782edee2d4d09108ae16f664030df73817cadd49a473b9a1bec681ee53073c

SHA512
220ac3064aa04172f88cc1a4006fd8ce60b2a028b58d64fd227b38338b89bd2a3a4d3188367bd588e4c0f561dfa1bf1917c58f738988f8e3adec4edbff787604

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OQCMPVMP.txt

Filesize
597B

MD5
04f43feab446e92872f5285fcb4b9e11

SHA1
3cda873f02188bec9865843b193ca83b70e7d88a

SHA256
5a69de25ce4816f7dd0911ceacc3318c967f18fec1e99e6aa46f88a5ad54ecad

SHA512
e761740bcb1eff45884dda2b4a6c017ece0fb8423b9770b33e24b5413f1a56eeec54e08ae7ffa483bc34c06e94391d5fc1dec6550b14c1f6fa3d37cd37580725

Download Submit
memory/1884-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1884-57-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1884-59-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download