c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75

Analysis

max time kernel
136s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75.exe
Size

461KB
MD5

602b3c1c9b0684f7090df9559db254d8
SHA1

c6b802667d1d0b8f6dec50f6c38586526b40e175
SHA256

c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75
SHA512

ed4038dd22821735d66f64edabb0cd03f3668b5549f03d553fb45f5538fef704711a9fb5e93dab174c288b7a374f9b2c5b983f638690ebf0598e0ddca1419531
SSDEEP

12288:e1fxi9LmrPUrNTc1vMN9lVPyAUJrrusrt+709bdcV:e1pYLmrKNw1vMNVPg+gfbd6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "113515392"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000008be04efdeffae752d771a5ad479728656beeeb29ae381193f0fa232e112f88f6000000000e800000000200002000000055169e447beab024450eb5235f62592c7fb06509314b95372a4514844ca46ce620000000094c4045058e5df6b3e2b307a15224092950818fb0f93d74ed3691da2796322d40000000ad54e66044e65f1f6f5ff411afd94209c63ead046b0c6274db83fbfb9bbdb2bc0fb2aa0cef2473528ff40f6cd866ccf1272b5df191a55f2f0d8bda48c1b659d8	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "113515392"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "141328237"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988322"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371674312"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d097c70a22d8d801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d1ba0b22d8d801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{31BF9747-4415-11ED-AECB-F6A3911CAFFB} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988322"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988322"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000007ce3754f0c9d0909051d141bfa8dc6e9e1c8fbf9e47961926e24fa9eaa75b9a4000000000e800000000200002000000079651ab9c3d6813d6fd327aeb91800d2d386f754c7d9cb31576ea2e61594d313200000003aa5b3970780521bb1abe5b1c50522a496280767c260d1cc85522fc4905e70b8400000003d7e755a78d3d932708858dd77846e0dc462c89915f57f6e5da2ae1ae19504a11195a9405b19029202b68ed6015fe3f3f0dd3612daad84049372698945a4df84	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4976	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3984	c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4976	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3984	c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75.exe
4976	IEXPLORE.EXE
4976	IEXPLORE.EXE
4860	IEXPLORE.EXE
4860	IEXPLORE.EXE
4860	IEXPLORE.EXE
4860	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 4976	3984	c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75.exe	81
PID 3984 wrote to memory of 4976	3984	c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75.exe	81
PID 4976 wrote to memory of 4860	4976	IEXPLORE.EXE	82
PID 4976 wrote to memory of 4860	4976	IEXPLORE.EXE	82
PID 4976 wrote to memory of 4860	4976	IEXPLORE.EXE	82
PID 3984 wrote to memory of 1492	3984	c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75.exe	83
PID 3984 wrote to memory of 1492	3984	c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75.exe	83
PID 3984 wrote to memory of 1492	3984	c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75.exe	83

C:\Users\Admin\AppData\Local\Temp\c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75.exe
"C:\Users\Admin\AppData\Local\Temp\c0da46365ff955192a01c2035c26534294937f87219fe1912f1c723af95cbc75.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.wa300.com/tj.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4976 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C0DA46~1.EXE
  2⤵
  PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
afc3e2584b32e1e7c23c33e9534089a5

SHA1
ea4e2266d010c300621d2287ea60fe3e9a9ee753

SHA256
61597f5f937da250a5ed7b4b82867bebc546a5a35c0029982a003b1e9cbd2e7e

SHA512
f0e0d20b15bc390292baf0d93d982315afc466ccd2d4e48152ed65af97aed573d5b9e65b2b50925cbcd2e736955dfec4f63de5739cdb1499eb2db5dfc3cc4fe6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
0c06621a04018e28ef6bc169dab1cb92

SHA1
d1e67eb3b14caa140e4876f9d7cf034b8c0e6bba

SHA256
587c4019c74b039c134b5a2e5e0c847ac154a884647bda414a0381d23d248ade

SHA512
12a4a0d671ded48b71e51a39d250d6634869c6a515b89b050a93f175023000a2efedb3bde3fda077f7b261e6275f9df74e61fd070324365bae8e7399ca1c81de

Download Submit
memory/3984-132-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3984-136-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download