Behavioral Report

General

Target

5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
Size

2MB
MD5

656436ec2c07053b199a19730a74283d
SHA1

ff2b556a5fa2f0c1de17698a52fde3589607877b
SHA256

5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308
SHA512

07337ac7fcc5529a99b52c97facf554f61a9483ee40d8ca5375607858111b1abd1f10dab66cbf4829d3f9308925267429fb1285e9434d3f65658927151906c03
SSDEEP

24576:IlVCxwY7fti7Hb3Z4e4VtHvtftQih8ESwSMP3/R6pjl:IlMw6tij+eGHhtQiqZjyRSJ

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe

description	pid	process	target process
PID 2044 set thread context of 1772	2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

TTPs:

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{14F1AA71-42A3-11ED-8FA4-466E2F293893} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000a5e3ea5b54557eab1636b647db44199d7a90eefd052dad945981f8a63a3fe566000000000e800000000200002000000076ee5a202b1378c18642bc7ebefb6ff0b26ab704ecb769038028f5f1dc64e55890000000d5828191e36859954a3a7d8d1fdeb418b0d2e0038f7b3fe5b45d9fd69790071d71af5617ce50d686bfbd3f6921f4a1e5b5721b3b4b793a0eb5fa86de3e8a10092b681cd464d181d248175f001ed23d60cff99c491c0ac7ff36f2da9ad448a462d3832c97f8461b785b05d6df40e20737e8c81dcfd432ee3d8333da7a60ecb36c7f1da9645cb18ae79aa1c826c2aac6664000000079adaf24bfcd9a46c612d14edd4384650212d96f69fcc510f234b8f79b855d269fb71f2a9264ed59fd960fa0ded6f8a76a1cea3ca54f41283a6089522e49c28f	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371515352"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000e5ff6e0f4b3f679b02da31f0ca770a00e2a1cf8aa7e10e8755f52327749af5f4000000000e80000000020000200000009652eef16dc90ee99ee3a9a417e49fed247c55900f0f0bc30326c7a1062c7d5d20000000f87c591e26eb5727ca4633b91e75151a08a6ec781deafc0b81d7cf07d773259940000000ec881a114f1a7dec2dffe8f26ef49eecf1eb41960bdb6b0fca2800d447264c48da57a89769a30fc68a957b701f6a069cd5c91c7651562bade66e2d8ba5c391a6	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0ab0befafd6d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1984 iexplore.exe

pid	process
1984	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exeiexplore.exeIEXPLORE.EXE

pid	process
2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
1984	iexplore.exe
1984	iexplore.exe
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exeiexplore.exe

description	pid	process	target process
PID 2044 wrote to memory of 1772	2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
PID 2044 wrote to memory of 1772	2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
PID 2044 wrote to memory of 1772	2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
PID 2044 wrote to memory of 1772	2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
PID 2044 wrote to memory of 1772	2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
PID 2044 wrote to memory of 1772	2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
PID 2044 wrote to memory of 1772	2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
PID 2044 wrote to memory of 1772	2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
PID 2044 wrote to memory of 1772	2044	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe
PID 1772 wrote to memory of 1984	1772	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	iexplore.exe
PID 1772 wrote to memory of 1984	1772	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	iexplore.exe
PID 1772 wrote to memory of 1984	1772	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	iexplore.exe
PID 1772 wrote to memory of 1984	1772	5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe	iexplore.exe
PID 1984 wrote to memory of 1080	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1080	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1080	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1080	1984	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe

"C:\Users\Admin\AppData\Local\Temp\5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe"

Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:2044

C:\Users\Admin\AppData\Local\Temp\5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe

C:\Users\Admin\AppData\Local\Temp\5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe

Suspicious use of WriteProcessMemory

PID:1772

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=5f8e7c1b4fd87cfbff41369dc163e651a7d016c0f53d496867a76ccfee77b308.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1984

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2

Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx

PID:1080

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

1

T1112

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M69549OF.txt
Filesize
598B

MD5
a547356396c29afe93abea210a153153

SHA1
77f31698d468847e32a9e692ea2f9835687e4f59

SHA256
2c26f0f776627ffa8a5345f7631e5ed780f075c511fab5e4845f170a4c2b9e60

SHA512
7376cad555092ad2d5dc48e8cc04e2a1c260ae1bb93584ab25ba3326576d322b95d1f2250d271bdca8df05ea04186f30af6fb8a571b092051ac25a593e427ce2

Download Submit
memory/1772-56-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1772-57-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1772-59-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1772-60-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1772-61-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1772-62-0x000000000046FFF2-mapping.dmp

Download
memory/1772-64-0x0000000000402000-0x0000000000470000-memory.dmp

Filesize
440KB

Download
memory/1772-65-0x0000000000402000-0x0000000000470000-memory.dmp

Filesize
440KB

Download
memory/1772-66-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads