fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff

Analysis

max time kernel
125s
max time network
175s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-10-2022 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff.exe
Size

169KB
MD5

77abdeb661498d34c244cc7535108f60
SHA1

525667e467607a9323aea4667d4392418b5e2621
SHA256

fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff
SHA512

bacb3b8127831db7ee58d06308693dbba42551a8c176b1f3449cf746e416a2230d0bd6eae54785c25fd559343b69990701bf6211949235c648669b52151705fb
SSDEEP

3072:VobQatKHZw3Zvi+iY1mPTa3LXluHULgza3uJgrca3fXRatdh6:VwQatuZuNi+oTwz4crca3fhaE

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-54.dat	upx
behavioral1/files/0x00140000000054ab-55.dat	upx
behavioral1/files/0x00140000000054ab-58.dat	upx
behavioral1/memory/1780-60-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1780-63-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1884	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff.exe
1884	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E73F5B41-41C1-11ED-9AD4-7A3897842414} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E73FA961-41C1-11ED-9AD4-7A3897842414} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371418647"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe
1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe
1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe
1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe
1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe
1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe
1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe
1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1740	iexplore.exe
1252	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1252	iexplore.exe
1740	iexplore.exe
1252	iexplore.exe
1740	iexplore.exe
612	IEXPLORE.EXE
612	IEXPLORE.EXE
668	IEXPLORE.EXE
668	IEXPLORE.EXE
668	IEXPLORE.EXE
668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1780	1884	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff.exe	28
PID 1884 wrote to memory of 1780	1884	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff.exe	28
PID 1884 wrote to memory of 1780	1884	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff.exe	28
PID 1884 wrote to memory of 1780	1884	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff.exe	28
PID 1780 wrote to memory of 1252	1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe	29
PID 1780 wrote to memory of 1252	1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe	29
PID 1780 wrote to memory of 1252	1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe	29
PID 1780 wrote to memory of 1252	1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe	29
PID 1780 wrote to memory of 1740	1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe	30
PID 1780 wrote to memory of 1740	1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe	30
PID 1780 wrote to memory of 1740	1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe	30
PID 1780 wrote to memory of 1740	1780	fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe	30
PID 1740 wrote to memory of 612	1740	iexplore.exe	32
PID 1740 wrote to memory of 612	1740	iexplore.exe	32
PID 1740 wrote to memory of 612	1740	iexplore.exe	32
PID 1740 wrote to memory of 612	1740	iexplore.exe	32
PID 1252 wrote to memory of 668	1252	iexplore.exe	33
PID 1252 wrote to memory of 668	1252	iexplore.exe	33
PID 1252 wrote to memory of 668	1252	iexplore.exe	33
PID 1252 wrote to memory of 668	1252	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff.exe
"C:\Users\Admin\AppData\Local\Temp\fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ff.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe
  C:\Users\Admin\AppData\Local\Temp\fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:668
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E73F5B41-41C1-11ED-9AD4-7A3897842414}.dat

Filesize
3KB

MD5
cff8a29bfc621f1b627d745fb8a36581

SHA1
235cc104c3240b2b85170eec5e4e96054ea53fcf

SHA256
6fa91d49acd636b34e5006485c508ced749918bb0fab90384e858e553067c8f6

SHA512
4dea22855aef001e328122e4f23bb88404928ee1b1f4ede6a2ecbef302539ac926568bc3e72cca46a40ce3d7a69127f0e9598116c832b8e67d1e96ef118d92dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E73FA961-41C1-11ED-9AD4-7A3897842414}.dat

Filesize
5KB

MD5
bdbcde06b91c27d8f07b600ac2a1d8b5

SHA1
fa4008706ad59dfcba096d66382aef87dd0d928e

SHA256
f8156ad947c0a15087389488722fe8daf5bf2daf76669d103a44a22c110fb2bf

SHA512
96ac6f9e196385a258657a8978ab5a4dc6e1def3bfb7acd68d25e9591398a01364779d9f9891aa1b6282150fd7030c0c637ff2d5dbfea231a3704a8296f06ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe

Filesize
99KB

MD5
f57eee1185dee33198b752dd1f66ad55

SHA1
b60f88d65f8805bf2ca095ecd1727b15eed4ff12

SHA256
6bb93bea58d84b9c6a562a6b888ec84ba0ecb7575b6c8f3264a9e9fb44ee37f7

SHA512
cd97a2207d7ad6178cc7c9fb13fda7015bc30a924aa43b6e8ba07961ef878a841e6d025047a35e3b60ef23a3ab9b59b16d1abe09f39dc0cd6e5515d46630ad40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NVYBG3QW.txt

Filesize
608B

MD5
4daeef8acac0e70212ca4b087ac4f37e

SHA1
dd5e20ab14ae1e6d05017f32cbe2defeee3da156

SHA256
3fbdb4df0b59e8ed0fa5405b398a01c26aaeccbcb2c57e340b3a7f74556efbc8

SHA512
ad9d10fcb468b7149941feede9e91bbfb8cc4594aa5e2548faaf3598eb75d201dfaf86ba90ed9473a653df0fad53a0ba011cbcbb23fc478ab570ae8f1e7f8ba8

Download Submit
\Users\Admin\AppData\Local\Temp\fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe

Filesize
99KB

MD5
f57eee1185dee33198b752dd1f66ad55

SHA1
b60f88d65f8805bf2ca095ecd1727b15eed4ff12

SHA256
6bb93bea58d84b9c6a562a6b888ec84ba0ecb7575b6c8f3264a9e9fb44ee37f7

SHA512
cd97a2207d7ad6178cc7c9fb13fda7015bc30a924aa43b6e8ba07961ef878a841e6d025047a35e3b60ef23a3ab9b59b16d1abe09f39dc0cd6e5515d46630ad40

Download Submit
\Users\Admin\AppData\Local\Temp\fd5c80d139c56764514474db1c03b045c42f21c2b20ad192f9ed5ce8780bc0ffmgr.exe

Filesize
99KB

MD5
f57eee1185dee33198b752dd1f66ad55

SHA1
b60f88d65f8805bf2ca095ecd1727b15eed4ff12

SHA256
6bb93bea58d84b9c6a562a6b888ec84ba0ecb7575b6c8f3264a9e9fb44ee37f7

SHA512
cd97a2207d7ad6178cc7c9fb13fda7015bc30a924aa43b6e8ba07961ef878a841e6d025047a35e3b60ef23a3ab9b59b16d1abe09f39dc0cd6e5515d46630ad40

Download Submit
memory/1780-60-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1780-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1884-57-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1884-59-0x00000000009F0000-0x0000000000A1F000-memory.dmp

Filesize
188KB

Download