ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848

Analysis

max time kernel
90s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe
Size

142KB
MD5

3fa39957763b0ff79b6892ce72387d10
SHA1

8acf0b49b74ae78e95e97be61f410811828e4f03
SHA256

ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848
SHA512

7a054712e0ed4c4ce37d434e82714983e07e1c8f388d0a6a8a2265165685cc19222c6da05962e5cf587d49de3638982204b89edc83a9a84b6c8589793a6cf1ee
SSDEEP

3072:A2DvqxtToYddW29ZJfjkNBE9Vshx8gZuoC96rjW:NDCxB1S29DYrET9R6r6

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4256 set thread context of 4652	4256	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	81

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{06E802CE-43CF-11ED-A0EE-7A25E1058669} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3687368258"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3681900548"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988251"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3681900548"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988251"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371644173"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988251"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4652	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe
4652	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe
4652	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3516	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe
Token: SeDebugPrivilege	4652	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe
Token: SeDebugPrivilege	544	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3516	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3516	IEXPLORE.EXE
3516	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 4652	4256	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	81
PID 4256 wrote to memory of 4652	4256	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	81
PID 4256 wrote to memory of 4652	4256	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	81
PID 4256 wrote to memory of 4652	4256	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	81
PID 4256 wrote to memory of 4652	4256	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	81
PID 4256 wrote to memory of 4652	4256	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	81
PID 4256 wrote to memory of 4652	4256	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	81
PID 4256 wrote to memory of 4652	4256	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	81
PID 4256 wrote to memory of 4652	4256	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	81
PID 4652 wrote to memory of 4424	4652	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	82
PID 4652 wrote to memory of 4424	4652	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	82
PID 4652 wrote to memory of 4424	4652	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	82
PID 4424 wrote to memory of 3516	4424	iexplore.exe	83
PID 4424 wrote to memory of 3516	4424	iexplore.exe	83
PID 3516 wrote to memory of 544	3516	IEXPLORE.EXE	84
PID 3516 wrote to memory of 544	3516	IEXPLORE.EXE	84
PID 3516 wrote to memory of 544	3516	IEXPLORE.EXE	84
PID 4652 wrote to memory of 544	4652	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	84
PID 4652 wrote to memory of 544	4652	ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe	84

C:\Users\Admin\AppData\Local\Temp\ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe
"C:\Users\Admin\AppData\Local\Temp\ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Users\Admin\AppData\Local\Temp\ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe
  "C:\Users\Admin\AppData\Local\Temp\ea34c7952d8553828006944578d06f61056341b5f388f146f26b0c12a3f1a848.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3516 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
afc3e2584b32e1e7c23c33e9534089a5

SHA1
ea4e2266d010c300621d2287ea60fe3e9a9ee753

SHA256
61597f5f937da250a5ed7b4b82867bebc546a5a35c0029982a003b1e9cbd2e7e

SHA512
f0e0d20b15bc390292baf0d93d982315afc466ccd2d4e48152ed65af97aed573d5b9e65b2b50925cbcd2e736955dfec4f63de5739cdb1499eb2db5dfc3cc4fe6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
a5125f44e07d836568c8bdc48492bdff

SHA1
dfaa79b0a72f7193c5bebdf718092b91e2e52208

SHA256
7606dab38c245a1f046cf14e87985b3cb6a9744a0cf44170cb9645947ed90246

SHA512
fee2e9b9995d9a2d737f17c7fae2f555be5124f9e8a7afc4d083e232ebb6084e257637fe8799cd78e49cfa7b9f9a510351b4d8a5aad47ce53565db3024890050

Download Submit
memory/4256-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4652-133-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4652-136-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4652-137-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4652-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4652-139-0x00000000021D0000-0x000000000221E000-memory.dmp

Filesize
312KB

Download