baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417

Analysis

max time kernel
110s
max time network
190s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 12:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417.dll
Size

922KB
MD5

69266422d558e7d94713d25dadded350
SHA1

6cdb1c2c853ad0e4663802673a006d233e82019a
SHA256

baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417
SHA512

fa721af30fac2fa7b4407363a7f72fc7a9ee76618ae5f119031d2498d51b55874fbb77c3531c56a1025b3a528ef0b094d51a46d3f367fb92a97c6861ca4b08de
SSDEEP

12288:53RWz/CTxoOAjzHljSA6cg8rPbSHYIkhEmEazstA+UinhcoqzJPYoO8lrS9Ehc96:zRbEluQYYIkhwazrQzqlP+9EhWwIg

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1516	rundll32mgr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/memory/1928-56-0x0000000010000000-0x00000000102EA000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-60.dat	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/memory/1516-62-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1516-65-0x0000000000400000-0x0000000000467000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1928	rundll32.exe
1928	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372278667"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{486528D1-4994-11ED-B19F-72E6D75F6BEB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{486501C1-4994-11ED-B19F-72E6D75F6BEB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1516	rundll32mgr.exe
1516	rundll32mgr.exe
1516	rundll32mgr.exe
1516	rundll32mgr.exe
1516	rundll32mgr.exe
1516	rundll32mgr.exe
1516	rundll32mgr.exe
1516	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	rundll32mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1320	iexplore.exe
1292	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1320	iexplore.exe
1320	iexplore.exe
1292	iexplore.exe
1292	iexplore.exe
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
672	IEXPLORE.EXE
672	IEXPLORE.EXE
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1928	1164	rundll32.exe	28
PID 1164 wrote to memory of 1928	1164	rundll32.exe	28
PID 1164 wrote to memory of 1928	1164	rundll32.exe	28
PID 1164 wrote to memory of 1928	1164	rundll32.exe	28
PID 1164 wrote to memory of 1928	1164	rundll32.exe	28
PID 1164 wrote to memory of 1928	1164	rundll32.exe	28
PID 1164 wrote to memory of 1928	1164	rundll32.exe	28
PID 1928 wrote to memory of 1516	1928	rundll32.exe	29
PID 1928 wrote to memory of 1516	1928	rundll32.exe	29
PID 1928 wrote to memory of 1516	1928	rundll32.exe	29
PID 1928 wrote to memory of 1516	1928	rundll32.exe	29
PID 1516 wrote to memory of 1292	1516	rundll32mgr.exe	30
PID 1516 wrote to memory of 1292	1516	rundll32mgr.exe	30
PID 1516 wrote to memory of 1292	1516	rundll32mgr.exe	30
PID 1516 wrote to memory of 1292	1516	rundll32mgr.exe	30
PID 1516 wrote to memory of 1320	1516	rundll32mgr.exe	31
PID 1516 wrote to memory of 1320	1516	rundll32mgr.exe	31
PID 1516 wrote to memory of 1320	1516	rundll32mgr.exe	31
PID 1516 wrote to memory of 1320	1516	rundll32mgr.exe	31
PID 1320 wrote to memory of 1912	1320	iexplore.exe	34
PID 1320 wrote to memory of 1912	1320	iexplore.exe	34
PID 1320 wrote to memory of 1912	1320	iexplore.exe	34
PID 1320 wrote to memory of 1912	1320	iexplore.exe	34
PID 1292 wrote to memory of 672	1292	iexplore.exe	33
PID 1292 wrote to memory of 672	1292	iexplore.exe	33
PID 1292 wrote to memory of 672	1292	iexplore.exe	33
PID 1292 wrote to memory of 672	1292	iexplore.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:672
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{486501C1-4994-11ED-B19F-72E6D75F6BEB}.dat

Filesize
5KB

MD5
d027d119c0030d5da36ecea4cecf9935

SHA1
58e991433a440f1f384a528b7804db32560acf24

SHA256
e80e67de6b1cf8291080da833803bfa1ae5debdf109ff21515d0a9a164a7180e

SHA512
05aa9becf0d50d43e0b557625cda84dc6f99bdcfa7a433370d3939884d7673bbc3c4b3751dff1f39183e3c7545e7a2b2f07ec63a79add7f1aaefbedeb5914aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{486528D1-4994-11ED-B19F-72E6D75F6BEB}.dat

Filesize
3KB

MD5
e899cadeccb8834b599d8c4f7e067372

SHA1
70e8decc3f562622f49749d83c24f44d5e2ce4c3

SHA256
902e3794f0ff419ed3cef1be25679c2f57dd9dd0ccfd49b7a0f69147e7e1c6a8

SHA512
9df7c0331fae0333ea8c3c8ad0cf6ab461ee240a370b00b715a5b5504e20395de8036d605fce85d9c7f9b97858db6aa5e3d1cb4bed3318d9b3a8c4ba5d92ed37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KXJDYLT8.txt

Filesize
603B

MD5
58aa39d54ffbc4a1e9414572f52b506d

SHA1
d47c6bb9293fc2046e9dd2b48dfd28785cd7c4b6

SHA256
8a802c1aa21af0558c76cab6905e0eded7c42681b9a6bd70b0a019b4c3e2c4e5

SHA512
37b316b493ffb808f00ff30679b8cd4d727d01d642b61ee80f246f9d25004c63c823fdd0fcdf077ce6ab27a66aab60b02d5ef187ec30783feae2c64cc23e09e6

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
173KB

MD5
77c5d1f7d9596e57a88f4dbcf3fef526

SHA1
fb265bb6a2cc331edb70b90d36d42ec6e61544ab

SHA256
d09416051d3a9cb33fa22cea2347fab648bfb262d58a5f26bde7da61a7fefae0

SHA512
4d24d309469c834d663f62ae31b52ccd1ca2d0dc73d07d0e4bb19d78fe955ae040554062a972d17106e1a6da738002ceb87a5ccb65517374ba2cca966bb87d3c

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
173KB

MD5
77c5d1f7d9596e57a88f4dbcf3fef526

SHA1
fb265bb6a2cc331edb70b90d36d42ec6e61544ab

SHA256
d09416051d3a9cb33fa22cea2347fab648bfb262d58a5f26bde7da61a7fefae0

SHA512
4d24d309469c834d663f62ae31b52ccd1ca2d0dc73d07d0e4bb19d78fe955ae040554062a972d17106e1a6da738002ceb87a5ccb65517374ba2cca966bb87d3c

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
173KB

MD5
77c5d1f7d9596e57a88f4dbcf3fef526

SHA1
fb265bb6a2cc331edb70b90d36d42ec6e61544ab

SHA256
d09416051d3a9cb33fa22cea2347fab648bfb262d58a5f26bde7da61a7fefae0

SHA512
4d24d309469c834d663f62ae31b52ccd1ca2d0dc73d07d0e4bb19d78fe955ae040554062a972d17106e1a6da738002ceb87a5ccb65517374ba2cca966bb87d3c

Download Submit
memory/1516-62-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1516-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1928-61-0x00000000001F0000-0x0000000000257000-memory.dmp

Filesize
412KB

Download
memory/1928-56-0x0000000010000000-0x00000000102EA000-memory.dmp

Filesize
2.9MB

Download
memory/1928-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download