646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b

Analysis

max time kernel
104s
max time network
143s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b.exe
Size

440KB
MD5

81875945823c63fa24fb0929a71931fd
SHA1

55a773138057a1d077683881834e03f1ec4d6d10
SHA256

646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b
SHA512

47ab171dca24b6446b4f5aa57621841a75d24aeb36e4f48a970768462e9a2256ee0ab8b9b5b78ce2eee9a433f4e7910712ed6a976d4cc303310d8139379c7fc8
SSDEEP

12288:NMTi0uhMqe9ts2zWTpMmCG7F24jLZivYuWO:JXJTpMm7FLZih

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000005c51-58.dat	upx
behavioral1/files/0x0008000000005c51-55.dat	upx
behavioral1/files/0x0008000000005c51-56.dat	upx
behavioral1/memory/1232-60-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1232-63-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1380	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b.exe
1380	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{79E887A1-5063-11ED-B7CC-CE23F931F8E9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{79EB6DD1-5063-11ED-B7CC-CE23F931F8E9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373027351"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe
1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe
1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe
1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe
1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe
1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe
1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe
1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
700	iexplore.exe
1336	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1336	iexplore.exe
1336	iexplore.exe
700	iexplore.exe
700	iexplore.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1232	1380	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b.exe	28
PID 1380 wrote to memory of 1232	1380	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b.exe	28
PID 1380 wrote to memory of 1232	1380	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b.exe	28
PID 1380 wrote to memory of 1232	1380	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b.exe	28
PID 1232 wrote to memory of 700	1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe	29
PID 1232 wrote to memory of 700	1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe	29
PID 1232 wrote to memory of 700	1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe	29
PID 1232 wrote to memory of 700	1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe	29
PID 1232 wrote to memory of 1336	1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe	30
PID 1232 wrote to memory of 1336	1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe	30
PID 1232 wrote to memory of 1336	1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe	30
PID 1232 wrote to memory of 1336	1232	646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe	30
PID 1336 wrote to memory of 1092	1336	iexplore.exe	33
PID 1336 wrote to memory of 1092	1336	iexplore.exe	33
PID 1336 wrote to memory of 1092	1336	iexplore.exe	33
PID 1336 wrote to memory of 1092	1336	iexplore.exe	33
PID 700 wrote to memory of 1588	700	iexplore.exe	32
PID 700 wrote to memory of 1588	700	iexplore.exe	32
PID 700 wrote to memory of 1588	700	iexplore.exe	32
PID 700 wrote to memory of 1588	700	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b.exe
"C:\Users\Admin\AppData\Local\Temp\646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe
  C:\Users\Admin\AppData\Local\Temp\646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:700 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1588
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{79E887A1-5063-11ED-B7CC-CE23F931F8E9}.dat

Filesize
3KB

MD5
06e4c57b093faf7ea53491f7afa8ee12

SHA1
bd00d529b2797384a67afc1e0e03ff300205dacd

SHA256
0036041bab1b3d571f40817c12b22f66d8e8239963c60dd654fe0c4209242df5

SHA512
0c00a1d8a8118063acfbb29be60118b2e120cb41bae7a95c9a6250c8ba83d69defc4872bacb18eefbcd7be5d010e6177a2301b54ec4432872e174174e787abab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{79EB6DD1-5063-11ED-B7CC-CE23F931F8E9}.dat

Filesize
5KB

MD5
73bb6b1b4ce46215f398711fe6a960cb

SHA1
c7bfc1969d32a167e6a9ed5e72b48300e7f49950

SHA256
1579bcdf0dc71648628bd36a96b4b706dac08d3b6bb34d628d8aa4cc67ab94ea

SHA512
7de6eb7b86b4a580f022c7a3fe8159fd36c6808e6b19901d9ef3b55527eb93d24b11c406c0bb0f921b0cbd5dbdfcbe5bb8cfdc825b9c2b89c1ec95ad1add4627

Download Submit
C:\Users\Admin\AppData\Local\Temp\646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe

Filesize
185KB

MD5
650ab7eb4b14cdc873c1db41178ff9fb

SHA1
bcf7c69f507935d452b496075fb776e53e19a5eb

SHA256
a2577db82e69062adb13f810de7da3dcfd80af1682abcd0279fe2e6e59802de2

SHA512
b6a1d23e4a036164472c8e1aaa7ddfd6fc3027231b5c983137e404be81c28175a3f2c2b07bc7029e5588b5559c2de74299d6c24d6e71bc33960c02befa3ce4d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\33CIVCB9.txt

Filesize
600B

MD5
c6d04948acb1e9c8e44b162f6515f4d8

SHA1
570ad879fe77f1c8fb35adc4131863c1e447f661

SHA256
1642aac0e8fe20ddd4c870126dd7b46d1214d69f1b87a86a6568ca97a9e6a4cd

SHA512
49e748b8b0d8b3a7c5e4aaed13482d88dca41c010e458d1364ee468bff5b08057ffae0e101ddaa6fe3af23e4f4fc823fbab657963f7395c7a6f1c25042ed1471

Download Submit
\Users\Admin\AppData\Local\Temp\646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe

Filesize
185KB

MD5
650ab7eb4b14cdc873c1db41178ff9fb

SHA1
bcf7c69f507935d452b496075fb776e53e19a5eb

SHA256
a2577db82e69062adb13f810de7da3dcfd80af1682abcd0279fe2e6e59802de2

SHA512
b6a1d23e4a036164472c8e1aaa7ddfd6fc3027231b5c983137e404be81c28175a3f2c2b07bc7029e5588b5559c2de74299d6c24d6e71bc33960c02befa3ce4d1

Download Submit
\Users\Admin\AppData\Local\Temp\646eabe0272411cc8e35ebfa1abe2af2a652a20b6f2de3b8a50fc78e9c92942bmgr.exe

Filesize
185KB

MD5
650ab7eb4b14cdc873c1db41178ff9fb

SHA1
bcf7c69f507935d452b496075fb776e53e19a5eb

SHA256
a2577db82e69062adb13f810de7da3dcfd80af1682abcd0279fe2e6e59802de2

SHA512
b6a1d23e4a036164472c8e1aaa7ddfd6fc3027231b5c983137e404be81c28175a3f2c2b07bc7029e5588b5559c2de74299d6c24d6e71bc33960c02befa3ce4d1

Download Submit
memory/1232-60-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1232-63-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-59-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download