1640f42b2992a7a41f2804f45ffbad2ee36fac538865a0b875ee12a0ca53f026

Analysis

max time kernel
149s
max time network
191s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1640f42b2992a7a41f2804f45ffbad2ee36fac538865a0b875ee12a0ca53f026.dll
Size

14.6MB
MD5

6eaf6f6a28b0cae784a04a59c36a102b
SHA1

63ccbdf14e6621c98ada7e4228c7b100c4850e16
SHA256

1640f42b2992a7a41f2804f45ffbad2ee36fac538865a0b875ee12a0ca53f026
SHA512

e5490f763ffab322f1e98ad342474cb1a168d3d740d628ab1982a5516b0456af406d68c307255566249e2480d84bb3f0097d31fc4596b8b2f443dcfd92513d0e
SSDEEP

196608:4RPoqFr6cC5APwjHD+nqNFneTLIOMNjKdeNeC6JVc5g4C/GdAsMD0xwr:yoer6nnjHFneTLIOMwUNP6b

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2000	rundll32mgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	upx
behavioral1/files/0x00140000000054ab-57.dat	upx
behavioral1/files/0x00140000000054ab-59.dat	upx
behavioral1/memory/2000-64-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2000-67-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1988	rundll32.exe
1988	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1924	1988	WerFault.exe	27

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372283647"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3EFAAE1-499F-11ED-A645-626C2AE6DC56} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3F20C41-499F-11ED-A645-626C2AE6DC56} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2000	rundll32mgr.exe
2000	rundll32mgr.exe
2000	rundll32mgr.exe
2000	rundll32mgr.exe
2000	rundll32mgr.exe
2000	rundll32mgr.exe
2000	rundll32mgr.exe
2000	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	rundll32mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1980	iexplore.exe
1656	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1980	iexplore.exe
1980	iexplore.exe
1656	iexplore.exe
1656	iexplore.exe
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1988	900	rundll32.exe	27
PID 900 wrote to memory of 1988	900	rundll32.exe	27
PID 900 wrote to memory of 1988	900	rundll32.exe	27
PID 900 wrote to memory of 1988	900	rundll32.exe	27
PID 900 wrote to memory of 1988	900	rundll32.exe	27
PID 900 wrote to memory of 1988	900	rundll32.exe	27
PID 900 wrote to memory of 1988	900	rundll32.exe	27
PID 1988 wrote to memory of 2000	1988	rundll32.exe	28
PID 1988 wrote to memory of 2000	1988	rundll32.exe	28
PID 1988 wrote to memory of 2000	1988	rundll32.exe	28
PID 1988 wrote to memory of 2000	1988	rundll32.exe	28
PID 1988 wrote to memory of 1924	1988	rundll32.exe	29
PID 1988 wrote to memory of 1924	1988	rundll32.exe	29
PID 1988 wrote to memory of 1924	1988	rundll32.exe	29
PID 1988 wrote to memory of 1924	1988	rundll32.exe	29
PID 2000 wrote to memory of 1980	2000	rundll32mgr.exe	30
PID 2000 wrote to memory of 1980	2000	rundll32mgr.exe	30
PID 2000 wrote to memory of 1980	2000	rundll32mgr.exe	30
PID 2000 wrote to memory of 1980	2000	rundll32mgr.exe	30
PID 2000 wrote to memory of 1656	2000	rundll32mgr.exe	31
PID 2000 wrote to memory of 1656	2000	rundll32mgr.exe	31
PID 2000 wrote to memory of 1656	2000	rundll32mgr.exe	31
PID 2000 wrote to memory of 1656	2000	rundll32mgr.exe	31
PID 1980 wrote to memory of 1756	1980	iexplore.exe	34
PID 1980 wrote to memory of 1756	1980	iexplore.exe	34
PID 1980 wrote to memory of 1756	1980	iexplore.exe	34
PID 1980 wrote to memory of 1756	1980	iexplore.exe	34
PID 1656 wrote to memory of 1528	1656	iexplore.exe	33
PID 1656 wrote to memory of 1528	1656	iexplore.exe	33
PID 1656 wrote to memory of 1528	1656	iexplore.exe	33
PID 1656 wrote to memory of 1528	1656	iexplore.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1640f42b2992a7a41f2804f45ffbad2ee36fac538865a0b875ee12a0ca53f026.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1640f42b2992a7a41f2804f45ffbad2ee36fac538865a0b875ee12a0ca53f026.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1756
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 268
    3⤵
    - Program crash
    PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E3EFAAE1-499F-11ED-A645-626C2AE6DC56}.dat

Filesize
4KB

MD5
74bb7fc27bec882fce2b6f1f74025db5

SHA1
1b0c2dfd89f76db5aab78d77e996d46b0929815d

SHA256
01338ee3fb83ebc2c3cfa5a12c3ca66109480d54de09106f04a11717fc79e418

SHA512
1743104f0be06e1881057c0fb2db6b2fe66ba0ab1c290d2d9ad2dd6dbe51ad412e824caa371978b1913a34d9b80bdc965cdc83ff32e50ec5efb4cfe30825b13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E3F20C41-499F-11ED-A645-626C2AE6DC56}.dat

Filesize
5KB

MD5
90420b7e0a35d6aa282f4ab71b02b23c

SHA1
2f6e7e06c9cdaf3ccdbac47cea935ef09cabdfab

SHA256
bba81de2652d36666378bf463e6ca7e9cad9bab6664d18bef741c4a2a6913eed

SHA512
06c7b10efc44c25275d48f9793a3d9b3d1f45029e4cdf1c4c258a16edd4cc295ca993aff76a757a39809bf86112271547d6038a25f60dd6be1cc61416cf39dc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\44BDKL86.txt

Filesize
608B

MD5
ac943a58bd6ae9f4a47046b1a79c9e6c

SHA1
e710bc421a66c01b80cdb2ae19c07ffd1c94b5a2

SHA256
5f977c4441a3e8aa6e9397f3f4fe88a2b82078e270c121d5d6c505b90583f9d8

SHA512
85d96725ef13e69797ba27d072a229dcce633899b759f5e98dd2abb5cf47ca8275321ae2b99d0082fd8785baef6361e06c6c30c7a270001f0f3264fb27fcfe9c

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
206KB

MD5
71a0cc521d70fca7e86fba2b799e54e3

SHA1
689ab159541c45d738be7329918808c1c1e58050

SHA256
e13ad23118da481600ad8e4ffd4d5e060eeb23da05eeffcd299c2cdcfa3dc023

SHA512
6da749226ddc085a8d04a8bdd3c30a0476257673c1489281301dc3204cc32fae6740e5b4368f8bc53d882ae7415034bf9dc98247504425e7c815387578796952

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
206KB

MD5
71a0cc521d70fca7e86fba2b799e54e3

SHA1
689ab159541c45d738be7329918808c1c1e58050

SHA256
e13ad23118da481600ad8e4ffd4d5e060eeb23da05eeffcd299c2cdcfa3dc023

SHA512
6da749226ddc085a8d04a8bdd3c30a0476257673c1489281301dc3204cc32fae6740e5b4368f8bc53d882ae7415034bf9dc98247504425e7c815387578796952

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
206KB

MD5
71a0cc521d70fca7e86fba2b799e54e3

SHA1
689ab159541c45d738be7329918808c1c1e58050

SHA256
e13ad23118da481600ad8e4ffd4d5e060eeb23da05eeffcd299c2cdcfa3dc023

SHA512
6da749226ddc085a8d04a8bdd3c30a0476257673c1489281301dc3204cc32fae6740e5b4368f8bc53d882ae7415034bf9dc98247504425e7c815387578796952

Download Submit
memory/1988-62-0x0000000000470000-0x00000000004E0000-memory.dmp

Filesize
448KB

Download
memory/1988-63-0x0000000000470000-0x00000000004E0000-memory.dmp

Filesize
448KB

Download
memory/1988-61-0x0000000010000000-0x0000000010EA3000-memory.dmp

Filesize
14.6MB

Download
memory/1988-68-0x0000000000470000-0x00000000004E0000-memory.dmp

Filesize
448KB

Download
memory/1988-69-0x0000000000470000-0x00000000004E0000-memory.dmp

Filesize
448KB

Download
memory/1988-55-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/2000-64-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2000-67-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download