a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb

Analysis

max time kernel
55s
max time network
62s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Size

45KB
MD5

6dd401cafb34280d52a7e41ded794c41
SHA1

f67fe72afc5066d1089c02594e5df0d6a02ab4b9
SHA256

a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb
SHA512

418f086a9a80bc3cca589e8991e94be4f2f1ad7240b2307aa2678433205a660f2618eebc17223f9d36e5e4b2cd2cdc07af9c92add98c36f54551040a1bc950e0
SSDEEP

768:ywTukTPTBKhmGjam9HczJqoBRV+CsGlsdnBqhmef1hXLssk4fBf0YU7sw8XK:yKNTPmTczJZbXPsdVI1lLh1Ysw

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\dao.ico	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TYPEDURLS	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Microsoft Internet Explorer"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window Title = "Microsoft Internet Explorer"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ccc7.com"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.ccc7.com"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)\Command\ = "Rundll32.exe"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\WantsParseDisplayName	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\Command	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\5 = "51"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\DefaultIcon	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)\Command\ = "Rundll32.exe"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\Command\ = "iexplore.exe http://www.ccc7.com"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\HideFolderVerbs	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\1 = "20221002"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "1"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\ = "´ò¿ªÖ÷Ò³(&H)"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)\Command	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)\Command	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\Attributes = "0"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ = "Internet Explorer"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)\Command	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "0"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\HideOnDesktopPerUser	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1448	1888	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe	28
PID 1888 wrote to memory of 1448	1888	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe	28
PID 1888 wrote to memory of 1448	1888	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe	28
PID 1888 wrote to memory of 1448	1888	a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe	28

C:\Users\Admin\AppData\Local\Temp\a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
"C:\Users\Admin\AppData\Local\Temp\a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
  C:\Users\Admin\AppData\Local\Temp\a1f798cb0672be8f80960f435762858e471e9b48abe789fb965e6265ee5cc5cb.exe
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1448-56-0x0000000000000000-mapping.dmp

Download
memory/1448-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1888-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1888-55-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1888-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads