9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432

Analysis

max time kernel
172s
max time network
233s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe
Size

178KB
MD5

4c357d76c061f83034a2d2fa9bd1d6c0
SHA1

4aacc3d385eca6ec1d4296e348b8006f359e7166
SHA256

9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432
SHA512

0fce4158b00aff53b7ea2ca11e1af38876ba8d9e8a4b0941eafd50b081df61c5ca0c25791f504d6f844e00706544dfab281de05e1863b6d572808d2fa2848ff7
SSDEEP

3072:akAwOzhjdRmSZiAqFbrnp+KsYGngtnQnMgjy7jfY0fJLr/7AIvpwZj9u6js5U:+w8h/7PCkKsYGg5Pgjy9RLDcY+hu8V

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1828-61-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1828-64-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1240-66-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe
1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F654BCE1-4A24-11ED-99B1-EA25B6F29539} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F6550B01-4A24-11ED-99B1-EA25B6F29539} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372340801"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe
1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe
1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe
1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe
1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe
1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe
1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe
1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe
Token: SeDebugPrivilege	1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
956	iexplore.exe
2008	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2008	iexplore.exe
956	iexplore.exe
2008	iexplore.exe
956	iexplore.exe
1412	IEXPLORE.EXE
396	IEXPLORE.EXE
396	IEXPLORE.EXE
1412	IEXPLORE.EXE
396	IEXPLORE.EXE
396	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe
1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1240	1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe	27
PID 1828 wrote to memory of 1240	1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe	27
PID 1828 wrote to memory of 1240	1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe	27
PID 1828 wrote to memory of 1240	1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe	27
PID 1240 wrote to memory of 956	1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe	29
PID 1240 wrote to memory of 956	1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe	29
PID 1240 wrote to memory of 956	1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe	29
PID 1240 wrote to memory of 956	1240	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe	29
PID 1828 wrote to memory of 2008	1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe	28
PID 1828 wrote to memory of 2008	1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe	28
PID 1828 wrote to memory of 2008	1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe	28
PID 1828 wrote to memory of 2008	1828	9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe	28
PID 956 wrote to memory of 396	956	iexplore.exe	31
PID 956 wrote to memory of 396	956	iexplore.exe	31
PID 956 wrote to memory of 396	956	iexplore.exe	31
PID 956 wrote to memory of 396	956	iexplore.exe	31
PID 2008 wrote to memory of 1412	2008	iexplore.exe	32
PID 2008 wrote to memory of 1412	2008	iexplore.exe	32
PID 2008 wrote to memory of 1412	2008	iexplore.exe	32
PID 2008 wrote to memory of 1412	2008	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe
"C:\Users\Admin\AppData\Local\Temp\9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe
  C:\Users\Admin\AppData\Local\Temp\9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:396
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F654BCE1-4A24-11ED-99B1-EA25B6F29539}.dat

Filesize
3KB

MD5
918ae3b216593a8a4efc73c0b0b8f01f

SHA1
d7261e16220af6188af7e5e0500d76ee08ce24e8

SHA256
ade83a3c97d2a6592dd2b16a34b34c6f611823f94c3e0fd9e5811c99b6be603e

SHA512
7bdf193f2b11e4e6b96d3295cc1381e20a960b5253d3eb0ecfc95226f59728d876854a28ca614b523dd43c9bb255266d95f878cfb57bde5f16dda8f6222bda54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F6550B01-4A24-11ED-99B1-EA25B6F29539}.dat

Filesize
3KB

MD5
f504f94cb01eae79f3d3d25f12b5de1c

SHA1
cace5c4f1da2bfac639558198ce3b3f2aa569f83

SHA256
4770cab0b94ea42b780a73b016c049e64de7b087945d6851de8daf26048a5d28

SHA512
db4caac77d512bdd37b5634e7567bd7660030bf60bc1d5150263abf7d216c1fd240c564ed8d54bb82311e7e405502b087f71c55a8dd08c2b87e2e65b016d6cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe

Filesize
88KB

MD5
a61ea5f2325332c52bff5bce3d161336

SHA1
3a883b8241f5f2efaa76367240db800d78a0209c

SHA256
e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b

SHA512
fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UH8PCP9F.txt

Filesize
608B

MD5
d2369d25d6e8bc0869704e430ece2687

SHA1
30f2ab0888262609dcf3e689494a9e522b1f29e9

SHA256
c9748722ac200ee957e37f16d4297d497d9e8d96ce60444064344d4c66b5077b

SHA512
188d1cd3b7d7bf993203714561bd1f7538b984c391403e3879dade3620d9d3df1a307ffa897caefe462d80b3cbc3d5143da08adf84107d4447cd4bc955f2d8b9

Download Submit
\Users\Admin\AppData\Local\Temp\9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe

Filesize
88KB

MD5
a61ea5f2325332c52bff5bce3d161336

SHA1
3a883b8241f5f2efaa76367240db800d78a0209c

SHA256
e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b

SHA512
fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5

Download Submit
\Users\Admin\AppData\Local\Temp\9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432mgr.exe

Filesize
88KB

MD5
a61ea5f2325332c52bff5bce3d161336

SHA1
3a883b8241f5f2efaa76367240db800d78a0209c

SHA256
e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b

SHA512
fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5

Download Submit
memory/1240-66-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1828-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1828-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download