15bbdcd1a4d23d2119891e165069cc5c37b72bde9baa0e45045edaca6a3ab74b

Analysis

max time kernel
168s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15bbdcd1a4d23d2119891e165069cc5c37b72bde9baa0e45045edaca6a3ab74b.dll
Size

184KB
MD5

805fa39cd1587424d07921ec9dec4450
SHA1

1da0db43a69a2949db7ace9877ec4e5eeb8211b6
SHA256

15bbdcd1a4d23d2119891e165069cc5c37b72bde9baa0e45045edaca6a3ab74b
SHA512

718d05cd3b0ebc688069e0046e9c9a87d8cd4bc4844a22e1c1732b485569f00f74313f5bac2385a19f4df5aed262bbdd672e39e4da120d73753804e9ca99e6c0
SSDEEP

1536:75hC1HTdf5oI2RqBxb90UFoED8wPYvHy3u1HuQNEnLlosXOTdgkEQzE+ACvBFHY/:/C1XLx0UFoO3wol+WmDHYevf2ynyF

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1136	rundll32mgr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/memory/932-58-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/files/0x000c0000000054a8-61.dat	upx
behavioral1/memory/1136-64-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1136-67-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
932	rundll32.exe
932	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1760	932	WerFault.exe	27

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373035175"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A983F11-5075-11ED-BDAB-FE41811C61F5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A97A2D1-5075-11ED-BDAB-FE41811C61F5} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1136	rundll32mgr.exe
1136	rundll32mgr.exe
1136	rundll32mgr.exe
1136	rundll32mgr.exe
1136	rundll32mgr.exe
1136	rundll32mgr.exe
1136	rundll32mgr.exe
1136	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	rundll32mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1504	iexplore.exe
1572	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1504	iexplore.exe
1504	iexplore.exe
1572	iexplore.exe
1572	iexplore.exe
272	IEXPLORE.EXE
272	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 932	1072	rundll32.exe	27
PID 1072 wrote to memory of 932	1072	rundll32.exe	27
PID 1072 wrote to memory of 932	1072	rundll32.exe	27
PID 1072 wrote to memory of 932	1072	rundll32.exe	27
PID 1072 wrote to memory of 932	1072	rundll32.exe	27
PID 1072 wrote to memory of 932	1072	rundll32.exe	27
PID 1072 wrote to memory of 932	1072	rundll32.exe	27
PID 932 wrote to memory of 1136	932	rundll32.exe	28
PID 932 wrote to memory of 1136	932	rundll32.exe	28
PID 932 wrote to memory of 1136	932	rundll32.exe	28
PID 932 wrote to memory of 1136	932	rundll32.exe	28
PID 1136 wrote to memory of 1504	1136	rundll32mgr.exe	29
PID 1136 wrote to memory of 1504	1136	rundll32mgr.exe	29
PID 1136 wrote to memory of 1504	1136	rundll32mgr.exe	29
PID 1136 wrote to memory of 1504	1136	rundll32mgr.exe	29
PID 1136 wrote to memory of 1572	1136	rundll32mgr.exe	31
PID 1136 wrote to memory of 1572	1136	rundll32mgr.exe	31
PID 1136 wrote to memory of 1572	1136	rundll32mgr.exe	31
PID 1136 wrote to memory of 1572	1136	rundll32mgr.exe	31
PID 932 wrote to memory of 1760	932	rundll32.exe	30
PID 932 wrote to memory of 1760	932	rundll32.exe	30
PID 932 wrote to memory of 1760	932	rundll32.exe	30
PID 932 wrote to memory of 1760	932	rundll32.exe	30
PID 1504 wrote to memory of 272	1504	iexplore.exe	33
PID 1504 wrote to memory of 272	1504	iexplore.exe	33
PID 1504 wrote to memory of 272	1504	iexplore.exe	33
PID 1504 wrote to memory of 272	1504	iexplore.exe	33
PID 1572 wrote to memory of 1872	1572	iexplore.exe	34
PID 1572 wrote to memory of 1872	1572	iexplore.exe	34
PID 1572 wrote to memory of 1872	1572	iexplore.exe	34
PID 1572 wrote to memory of 1872	1572	iexplore.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\15bbdcd1a4d23d2119891e165069cc5c37b72bde9baa0e45045edaca6a3ab74b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\15bbdcd1a4d23d2119891e165069cc5c37b72bde9baa0e45045edaca6a3ab74b.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1504 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:272
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1572 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 228
    3⤵
    - Program crash
    PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9A97A2D1-5075-11ED-BDAB-FE41811C61F5}.dat

Filesize
3KB

MD5
3b49ebe00099a0378079f5d3399e0d38

SHA1
2fb2e949a1e93263d012576509a477578f427ac6

SHA256
97f6de889ba18c854864a8206f53381080d0e6e141a6ace3feb7098b97fc4750

SHA512
c6018c769612ac1147837678e49e8b36fc3ec73fc4d87af200724b7d8dcf82d6bac46c4018baa05a3cd6b551aa92ad6befbb93c5ff782562cd1ada00b0553277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9A983F11-5075-11ED-BDAB-FE41811C61F5}.dat

Filesize
3KB

MD5
1bbfed691a25fd74663eb5d42452c658

SHA1
187dd9e9fb6725bfa89668a39aac0c0dba2e3b0f

SHA256
3e1eb4d739173ab2124d9da27efb8fb617f2f9b05dc23e3ae66bbcc0bcae6abf

SHA512
0698d8c2f136203d96799ebf0a094a65832de6e44e8d850f073a40146246bfb64273ba99173535ab525b4c366621bece6283e27b62424689dd8e548d5b2cb048

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EF497U9T.txt

Filesize
608B

MD5
feddd65c72d6b6be313c943c98602648

SHA1
511b4900874dc014a51308f08e8c5f782468b4b4

SHA256
4bcffbd796a062aac738e01e29a23f5e364dbf5ba6e1d689101f69051620f5b5

SHA512
abe4debc84679c3d32425aff519990927d32cd0d3953875aeddf85b0fd832f89e7af5b526804011dc279a0d702c764788242fe648505560ea18331ab9074c802

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
125KB

MD5
15da6e81dd1d6ce9cde37a9ec659ef47

SHA1
485d5cc850d5426504fc7f5281d42d3d393ebef4

SHA256
ae74f487b66968ab3aa67daa32ac4a508d07966fefcaa7da0877bd2a257633c2

SHA512
923f45082459168bfd84f94e5afbe67a6ef861b4359f1d068c8d0f788e3425e0bd18a3ca8a4e244ec16dae78ebec368998ad6eaf9104a1ece4ab6b350360d28f

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
125KB

MD5
15da6e81dd1d6ce9cde37a9ec659ef47

SHA1
485d5cc850d5426504fc7f5281d42d3d393ebef4

SHA256
ae74f487b66968ab3aa67daa32ac4a508d07966fefcaa7da0877bd2a257633c2

SHA512
923f45082459168bfd84f94e5afbe67a6ef861b4359f1d068c8d0f788e3425e0bd18a3ca8a4e244ec16dae78ebec368998ad6eaf9104a1ece4ab6b350360d28f

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
125KB

MD5
15da6e81dd1d6ce9cde37a9ec659ef47

SHA1
485d5cc850d5426504fc7f5281d42d3d393ebef4

SHA256
ae74f487b66968ab3aa67daa32ac4a508d07966fefcaa7da0877bd2a257633c2

SHA512
923f45082459168bfd84f94e5afbe67a6ef861b4359f1d068c8d0f788e3425e0bd18a3ca8a4e244ec16dae78ebec368998ad6eaf9104a1ece4ab6b350360d28f

Download Submit
memory/932-58-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/932-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/932-57-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/932-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/932-69-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1136-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1136-67-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download