02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 14:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Size

45KB
MD5

774df6f5d913c52644620dd54f6481aa
SHA1

8f8fa8202f5f9d9c4f6862a33344e513ccd98c80
SHA256

02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5
SHA512

a1ce8eb2f5d8a31a9573d69c79173fc9c13f7230d462a0faf5447e2c53bf105a5197ec0c5f370b59bd11a17eb3586102638cb101cb0afdb1181a678a27c1ddc1
SSDEEP

768:ywTukTPTBKhmGjam9HczJqoBRV+CsGlsdnBqhmef1hXLssk4fBf0YU7sw8Xv:yKNTPmTczJZbXPsdVI1lLh1Yst

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\dao.ico	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TYPEDURLS	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Microsoft Internet Explorer"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window Title = "Microsoft Internet Explorer"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ccc7.com"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.ccc7.com"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\Command	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\1 = "20221012"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "0"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)\Command	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)\Command\ = "Rundll32.exe"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\DefaultIcon	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\Attributes = "0"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\WantsParseDisplayName	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)\Command	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)\Command\ = "Rundll32.exe"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\Command\ = "iexplore.exe http://www.ccc7.com"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\HideOnDesktopPerUser	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\5 = "51"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\ = "´ò¿ªÖ÷Ò³(&H)"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\HideFolderVerbs	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ = "Internet Explorer"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)\Command	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "1"	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1284	828	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe	28
PID 828 wrote to memory of 1284	828	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe	28
PID 828 wrote to memory of 1284	828	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe	28
PID 828 wrote to memory of 1284	828	02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe	28

C:\Users\Admin\AppData\Local\Temp\02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
"C:\Users\Admin\AppData\Local\Temp\02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
  C:\Users\Admin\AppData\Local\Temp\02263a9f7cfd53e3d5b987a05f4a41361f9efa7c94d7fd1a60b964791c100bd5.exe
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/828-59-0x0000000000330000-0x0000000000356000-memory.dmp

Filesize
152KB

Download
memory/828-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/828-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1284-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads