ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f

Analysis

max time kernel
137s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 12:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe
Size

166KB
MD5

66a0c53d5f16df9130c8b57ebd63e6b0
SHA1

c843e2afc3ce4148834811f4e1363ea1b0ac951d
SHA256

ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f
SHA512

1b047ad30a6a7e69ec151620d0de6f68f1bb22c7a22f7a5fb6acf109c025a4d41746fd29b9488bd5769bdf68aeffa85e4acd492252679d03d7ef8aa455ccd821
SSDEEP

3072:oKPyF1ni06CVlUzlIqRN/Sz4N1V+d+hcTcRAAwDPsHa0Dqc3O9L4sY:oKPyFUC8z+qKzc1hvKFs605e4r

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 2192	4948	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	81

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3710584575"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0826867D-4280-11ED-AECB-C264E7FE3618} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3710584575"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371500296"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987916"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987916"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987916"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3737304120"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2192	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe
2192	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe
2192	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4036	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe
Token: SeDebugPrivilege	4272	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4036	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4036	IEXPLORE.EXE
4036	IEXPLORE.EXE
4272	IEXPLORE.EXE
4272	IEXPLORE.EXE
4272	IEXPLORE.EXE
4272	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2192	4948	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	81
PID 4948 wrote to memory of 2192	4948	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	81
PID 4948 wrote to memory of 2192	4948	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	81
PID 4948 wrote to memory of 2192	4948	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	81
PID 4948 wrote to memory of 2192	4948	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	81
PID 4948 wrote to memory of 2192	4948	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	81
PID 4948 wrote to memory of 2192	4948	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	81
PID 4948 wrote to memory of 2192	4948	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	81
PID 4948 wrote to memory of 2192	4948	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	81
PID 2192 wrote to memory of 4832	2192	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	85
PID 2192 wrote to memory of 4832	2192	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	85
PID 2192 wrote to memory of 4832	2192	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	85
PID 4832 wrote to memory of 4036	4832	iexplore.exe	86
PID 4832 wrote to memory of 4036	4832	iexplore.exe	86
PID 4036 wrote to memory of 4272	4036	IEXPLORE.EXE	88
PID 4036 wrote to memory of 4272	4036	IEXPLORE.EXE	88
PID 4036 wrote to memory of 4272	4036	IEXPLORE.EXE	88
PID 2192 wrote to memory of 4272	2192	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	88
PID 2192 wrote to memory of 4272	2192	ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe	88

C:\Users\Admin\AppData\Local\Temp\ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe
"C:\Users\Admin\AppData\Local\Temp\ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe
  "C:\Users\Admin\AppData\Local\Temp\ab7facb7ec6cb28dd884b91117d0e32cf044c391bf8cb57bc450f6552fb1cd5f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4036 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fd70739fca5345a28f924f9102ae10ee

SHA1
6ce3f92183544f3bf52cb76364591589cb940a19

SHA256
f238404cc643efddef8ff430f128cdc8ec1513969eaac24b5e5bce81248a91e7

SHA512
a787d3a2bceeaed2f2a29f357df6ae17d5b9f66a3c561550d5f83c308ad26a1ddf876488151ff5e51ce93bfb9d0c7b8ca812d595e8d3ebdda7d805707ac1b278

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
66175999ca72426492cac9377dc118e5

SHA1
f15bb9d5cc58ad7c09a339c4aff193a2874d8a6e

SHA256
db518c1d78958985995acd67b437f227c060c59708b2949170353cb932bf6108

SHA512
dcec2b22e2068ee73dd7a1a35a33b7d14b0b5943bd3d5743a0a789518f0e36ef104061b65fce0b4736774715bac384e7df6ad41482bb59950473350aa8b85b57

Download Submit
memory/2192-134-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2192-137-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2192-138-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2192-139-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4948-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4948-136-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download