04918a8a6aaa19886f47e053ee90ca88550251d9191d7ffb54c3e33192049c26

Analysis

max time kernel
71s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 10:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04918a8a6aaa19886f47e053ee90ca88550251d9191d7ffb54c3e33192049c26.exe
Size

16KB
MD5

6d756a7c4a803089d984f7d01b73fb11
SHA1

ccab825d9635f959a89a0172784242d79e3dbd08
SHA256

04918a8a6aaa19886f47e053ee90ca88550251d9191d7ffb54c3e33192049c26
SHA512

2654d163227a02d0aea1b9927c329eae76a62b3fff9cd7ea497276b8961509962514f3735c9fb92d3a95d0802d683667d27f20480aaf218e74a686ca645a9213
SSDEEP

96:/lx54DI63uPPsh0ohC0yzf908yVsCR72w:/TWDImu8Thi3osw7f

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000008dc9ec45d285bb07aa6511019258a84aaaeacccf9811e9b7a06a41964db7bb85000000000e800000000200002000000068b163b8a36ffdb91a8495bbf225485ae0c4147fc63d2749a461722261e3784d2000000041f8676d84ebee07956086a303cef592188944e622e86ab1274ce83b43a82b2840000000ab9a43ba10518acd2e55644e1284f578cb89e06d5061c811534ac8cd17d0b4cffec163466fed3a661aaea9abc81aaf1313becaf97964121400c7ac21493711c6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b040623175d6d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371490107"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000004ec32b05f591200cb8eb4c6ef7a807f13e10168ff3060d63d1ed33927a1658dc000000000e8000000002000020000000611aa651f3fc32f31a67e66c1957de66b111f05bc91b2eba96308ea11dd5d08090000000b434bda080d54157692c33004864b6f4ff98f3c39147794c50f2e9e893598d59677069c8692eaaa9cf7b761d34de9b74f9009bae1f07b8dda558bd475a6ba2098317aee96781be520f2b3dba19db8cdaf611c56e9e9b3b8ae3c6adaa1e8c1a901a1ed64fd8e7a26223868797e41beb714fa5b577413d78e3cf6e768c383ab1a2b821e5c10997d4205d2bb64d49f7995f40000000db84a13c6af80250887554bd90d92933304aa1a601226520ef0f111437771d39e9af85cfd5fe4d0a7f79d1df4fe7f838cdb23a523bff481e226182c116aed491	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F8CE861-4268-11ED-A50E-C6457FCBF3CF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1748	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2016	04918a8a6aaa19886f47e053ee90ca88550251d9191d7ffb54c3e33192049c26.exe
1748	iexplore.exe
1748	iexplore.exe
628	IEXPLORE.EXE
628	IEXPLORE.EXE
628	IEXPLORE.EXE
628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1632	2016	04918a8a6aaa19886f47e053ee90ca88550251d9191d7ffb54c3e33192049c26.exe	27
PID 2016 wrote to memory of 1632	2016	04918a8a6aaa19886f47e053ee90ca88550251d9191d7ffb54c3e33192049c26.exe	27
PID 2016 wrote to memory of 1632	2016	04918a8a6aaa19886f47e053ee90ca88550251d9191d7ffb54c3e33192049c26.exe	27
PID 2016 wrote to memory of 1632	2016	04918a8a6aaa19886f47e053ee90ca88550251d9191d7ffb54c3e33192049c26.exe	27
PID 1756 wrote to memory of 1748	1756	explorer.exe	29
PID 1756 wrote to memory of 1748	1756	explorer.exe	29
PID 1756 wrote to memory of 1748	1756	explorer.exe	29
PID 1748 wrote to memory of 628	1748	iexplore.exe	31
PID 1748 wrote to memory of 628	1748	iexplore.exe	31
PID 1748 wrote to memory of 628	1748	iexplore.exe	31
PID 1748 wrote to memory of 628	1748	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\04918a8a6aaa19886f47e053ee90ca88550251d9191d7ffb54c3e33192049c26.exe
"C:\Users\Admin\AppData\Local\Temp\04918a8a6aaa19886f47e053ee90ca88550251d9191d7ffb54c3e33192049c26.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe "http://www.netgy.com/cpm/10102/10194.jsp?s=11054&dm=2"
  2⤵
  PID:1632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.netgy.com/cpm/10102/10194.jsp?s=11054&dm=2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C3PT9EU5.txt

Filesize
598B

MD5
1541ccf3c67f7ed941c68c6dd26fcb32

SHA1
758dc4afb61b68b4dcb0f014dca019cd192bf22c

SHA256
f11172215c6fac71e641396737f464b727e94af110e8f483da83a72f31aa709b

SHA512
6bca05f7cc91323d8476699236865b5dada08c216aedb70a38d363bc5d891e153f9716826c06f6519b21533a27a2b75e40e51a777e04734192d0c031a26c034e

Download Submit
memory/1632-57-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1632-58-0x0000000074D31000-0x0000000074D33000-memory.dmp

Filesize
8KB

Download
memory/1756-59-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download