9a78c58d515e501abd5f93d196f8452c1a62736454b7313e8ee26d1fbd20b0d2

General

Target

9a78c58d515e501abd5f93d196f8452c1a62736454b7313e8ee26d1fbd20b0d2.dll
Size

497KB
MD5

91e468a26d3874218232010daf7242fe
SHA1

99d849b7b1949ce57d08baa46873aecb5cc6f304
SHA256

9a78c58d515e501abd5f93d196f8452c1a62736454b7313e8ee26d1fbd20b0d2
SHA512

baf343f5e5f74179450071521e56eb0fbefff00c815ca01626185442e5b16438334eef44f59f3846a880658ca3af65df45b39353e8e3fbcc8bd41aa581e49c77
SSDEEP

12288:xNrMi/MhNrcnzlElRcsUhOsyG3s1AsEOO:/D/MhNgyRc5sJYns

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

4472 icacls.exe
396 takeown.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXE

pid process

1644 IEXPLORE.EXE
1644 IEXPLORE.EXE
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

396 takeown.exe
4472 icacls.exe
Drops file in System32 directory 2 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\msimg64.dll rundll32.exe
File opened for modification C:\Windows\SysWOW64\msimg64.dll rundll32.exe

pid	process
4472	icacls.exe
396	takeown.exe

pid	process
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE

pid	process
396	takeown.exe
4472	icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msimg64.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msimg64.dll	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991425"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C3516E4F-5034-11ED-AECB-520B3B914C01} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991425"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60975aa341e4d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000527ab1e1c171b6158ae10067cd14176b044c22263b91eede9017e171de76616d000000000e8000000002000020000000833f14b82fcdff730eac43adb89fee333dcc33d8a161be74e37c012ffc8cc25920000000247128e3a03de0480ab76af51d318420c95831f462f4d5c261107296adfd14884000000019de0d7337dce22cc7931cbbb16218ddced6e321e60d99fcc3daf32fd0319acd2e3af2a08f50de49e09f685a2422719f20dae766dc875b478a7e25ff13f12354	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991425"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373007289"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2625313030"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000000796aa2f54f30e2960a547bc0b6600696991faa8c5ad27de7909f568e725f841000000000e80000000020000200000000db6e2b870c7efd1e92be4b1688b194d6ac62f7aeb54e59deb7ba15531df5f7920000000a0abdbba169f1dac241b89eb21633fbf2fc8328f73129de68b60d85ae2a44c0740000000611f2bab839856c86b76c733b43c979e357c50be5c37727c1adb9066657efe59d6329986bd347a8ccc2e6a72c7d48265a1cc99102c0b822f618e997b084e77c0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2573595029"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2573595029"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0186ca241e4d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4620 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4620 iexplore.exe
4620 iexplore.exe
1644 IEXPLORE.EXE
1644 IEXPLORE.EXE
1644 IEXPLORE.EXE
1644 IEXPLORE.EXE

pid	process
4620	iexplore.exe

pid	process
4620	iexplore.exe
4620	iexplore.exe
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.exerundll32.execmd.exeiexplore.exe

description	pid	process	target process
PID 4972 wrote to memory of 2160	4972	rundll32.exe	rundll32.exe
PID 4972 wrote to memory of 2160	4972	rundll32.exe	rundll32.exe
PID 4972 wrote to memory of 2160	4972	rundll32.exe	rundll32.exe
PID 2160 wrote to memory of 960	2160	rundll32.exe	cmd.exe
PID 2160 wrote to memory of 960	2160	rundll32.exe	cmd.exe
PID 2160 wrote to memory of 960	2160	rundll32.exe	cmd.exe
PID 2160 wrote to memory of 4620	2160	rundll32.exe	iexplore.exe
PID 2160 wrote to memory of 4620	2160	rundll32.exe	iexplore.exe
PID 2160 wrote to memory of 4620	2160	rundll32.exe	iexplore.exe
PID 960 wrote to memory of 396	960	cmd.exe	takeown.exe
PID 960 wrote to memory of 396	960	cmd.exe	takeown.exe
PID 960 wrote to memory of 396	960	cmd.exe	takeown.exe
PID 960 wrote to memory of 4472	960	cmd.exe	icacls.exe
PID 960 wrote to memory of 4472	960	cmd.exe	icacls.exe
PID 960 wrote to memory of 4472	960	cmd.exe	icacls.exe
PID 4620 wrote to memory of 1644	4620	iexplore.exe	IEXPLORE.EXE
PID 4620 wrote to memory of 1644	4620	iexplore.exe	IEXPLORE.EXE
PID 4620 wrote to memory of 1644	4620	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a78c58d515e501abd5f93d196f8452c1a62736454b7313e8ee26d1fbd20b0d2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a78c58d515e501abd5f93d196f8452c1a62736454b7313e8ee26d1fbd20b0d2.dll,#1
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\msimg64.dll" && icacls "C:\Windows\system32\msimg64.dll" /grant administrators:F
3⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\msimg64.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:396

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\msimg64.dll" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" www.google.com
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4620

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4620 CREDAT:17410 /prefetch:2
4⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
d3ff0edeee7d1ea5754d8a290ae01189

SHA1
253ee24a4776d30bac0aedd7ea213adea6acb6f9

SHA256
e2e542a3681c428c021d38e608dffa43da666f6f3c53f623c21dc184639b222b

SHA512
ab14449059ae31856026e8d8cb0ec0b4158da0fd19f2a73940a159574a9084ce6a09ac05fb80ef3ab11cd9b1395dce021872215baced48f9e8a0bf7311000db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
6121387d53a36772ab62c39d96c5bbb9

SHA1
9c5c1f16702b8442be4c361e8b11258235dc8c36

SHA256
c7fd3a58e7aa27713c8d0ffd868240458baf4decd1d10e96c3bf1e1de262df99

SHA512
4274a2314acc9887ed63912c73a45cd1f9eaf3f10968600c3ca8362bea0db7c11785264285e57601c4a721de94368feca232919a1d9c3564fa21899326e4f120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z2evvp3\imagestore.dat
Filesize
5KB

MD5
7ef3ea4480eaa319d834e90344a7f2f9

SHA1
edab48207eac20bf67da0d2308a3a3b6db4213d1

SHA256
b61736416ae2dd88d4664251e625d3878bff3f52f3b5e1a876fe18649ad52f7d

SHA512
537a6acffd414259ef8f394138ec542040c69ee19a81c92f14e9f92235e3d6b2e5b8e5bc84aa282eb402185a6b585a944360be38ccc462009defd17bd4b6ce67

Download Submit
C:\Windows\SysWOW64\msimg64.dll
Filesize
178KB

MD5
81cfde0d21674039ba098ac02b541d5e

SHA1
49b09c5afd5b7292030e8bc7f12be160f1e17c88

SHA256
8ffc41824530337e072481d3dbf091be3065facd95749775b205768c2d91e33d

SHA512
03c1dd0c2b059f81911d3d6c790d640ec01be3c40ac5c38b1d491ef75a4b73d4fe8df3da9803aa7db4a3bd0ba93c95950b6cc82d765db224cfe1cada69fad2f4

Download Submit
C:\Windows\SysWOW64\msimg64.dll
Filesize
178KB

MD5
81cfde0d21674039ba098ac02b541d5e

SHA1
49b09c5afd5b7292030e8bc7f12be160f1e17c88

SHA256
8ffc41824530337e072481d3dbf091be3065facd95749775b205768c2d91e33d

SHA512
03c1dd0c2b059f81911d3d6c790d640ec01be3c40ac5c38b1d491ef75a4b73d4fe8df3da9803aa7db4a3bd0ba93c95950b6cc82d765db224cfe1cada69fad2f4

Download Submit
C:\Windows\SysWOW64\msimg64.dll
Filesize
178KB

MD5
81cfde0d21674039ba098ac02b541d5e

SHA1
49b09c5afd5b7292030e8bc7f12be160f1e17c88

SHA256
8ffc41824530337e072481d3dbf091be3065facd95749775b205768c2d91e33d

SHA512
03c1dd0c2b059f81911d3d6c790d640ec01be3c40ac5c38b1d491ef75a4b73d4fe8df3da9803aa7db4a3bd0ba93c95950b6cc82d765db224cfe1cada69fad2f4

Download Submit
memory/396-134-0x0000000000000000-mapping.dmp

Download
memory/960-133-0x0000000000000000-mapping.dmp

Download
memory/2160-132-0x0000000000000000-mapping.dmp

Download
memory/4472-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing