61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad

Analysis

max time kernel
74s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad.exe
Size

547KB
MD5

905831fe2588e691826a4d7738a57460
SHA1

387b19f74e45930bb42c67fdae7a5b54755a4143
SHA256

61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad
SHA512

d477d548a28f6a6aa8125c1603eba6e9753b0cf9e92b92bf12aeafcb6c9ed42d64f756e3db3ce94783d4431bfaeb7a0310f267ee12f0c88eeba742a620757534
SSDEEP

6144:Q56+Aq4WBTWpSqXhpeEioU2UO9xqTwQVJ7Xi1iDtoB3:eONXiEiJ2X2VFpDtg

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/memory/976-62-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/976-63-0x0000000000400000-0x0000000000485000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
2020	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad.exe
2020	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84772951-51D1-11ED-BD84-7E4CDA66D2DC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{847135E1-51D1-11ED-BD84-7E4CDA66D2DC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373184565"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe
976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe
976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe
976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe
976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe
976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe
976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe
976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1308	iexplore.exe
612	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
612	iexplore.exe
612	iexplore.exe
1308	iexplore.exe
1308	iexplore.exe
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE
440	IEXPLORE.EXE
440	IEXPLORE.EXE
440	IEXPLORE.EXE
440	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 976	2020	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad.exe	29
PID 2020 wrote to memory of 976	2020	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad.exe	29
PID 2020 wrote to memory of 976	2020	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad.exe	29
PID 2020 wrote to memory of 976	2020	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad.exe	29
PID 976 wrote to memory of 612	976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe	30
PID 976 wrote to memory of 612	976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe	30
PID 976 wrote to memory of 612	976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe	30
PID 976 wrote to memory of 612	976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe	30
PID 976 wrote to memory of 1308	976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe	31
PID 976 wrote to memory of 1308	976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe	31
PID 976 wrote to memory of 1308	976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe	31
PID 976 wrote to memory of 1308	976	61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe	31
PID 612 wrote to memory of 1312	612	iexplore.exe	33
PID 612 wrote to memory of 1312	612	iexplore.exe	33
PID 612 wrote to memory of 1312	612	iexplore.exe	33
PID 612 wrote to memory of 1312	612	iexplore.exe	33
PID 1308 wrote to memory of 440	1308	iexplore.exe	34
PID 1308 wrote to memory of 440	1308	iexplore.exe	34
PID 1308 wrote to memory of 440	1308	iexplore.exe	34
PID 1308 wrote to memory of 440	1308	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad.exe
"C:\Users\Admin\AppData\Local\Temp\61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe
  C:\Users\Admin\AppData\Local\Temp\61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:612 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1312
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{847135E1-51D1-11ED-BD84-7E4CDA66D2DC}.dat

Filesize
3KB

MD5
e7f036774563dd1c1c4445b2020131ac

SHA1
973fc0a2581d00534e0b542cfe3b67f2c8e1bcbf

SHA256
6de86830acbe4a336ff5b61b2dea1a7ded51bae748e3184c27c90259d284d723

SHA512
54131d7895ec817439c066b0124522d68d3451056c731ad752403c76d75850c6265e69562e167781f5a080397f3961c6a344a38f81ff38381d7200df26d734eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{84772951-51D1-11ED-BD84-7E4CDA66D2DC}.dat

Filesize
3KB

MD5
c99136341bf96b839dd1c8c3ce3e58ca

SHA1
5e0c7a3512eb04d6dfca5bb676e94afc58bc8951

SHA256
71f808af2f531df71a263575038872ace10741e021061b5279ed3f00896f84d5

SHA512
76318766851361842c2bc1eed37c694d94c189f16978b14f6135da4ed4d54ded095ae7bd11267fe54eacc4ba06a3095f68e737255e2520d9ab48a5566da10921

Download Submit
C:\Users\Admin\AppData\Local\Temp\61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe

Filesize
261KB

MD5
76e30d26768cb8c604ee48228aa3cfab

SHA1
fed43a9130e452816d7ab21c6a9338f5f40ccad2

SHA256
b815739ca0ddb9cd6ae32363dfdc0eabd14c260c9c545e7e9fad3206428ac93c

SHA512
31365fa37dcfbafa6c74607d24abb42e7688344e6606382e4a17b2346d5da11843a6289b4ae4624c6a5696e4f90ea3f0306228efbb90e467f1b4e8e056d7a356

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CHFQ5Z9G.txt

Filesize
608B

MD5
8d6ce1e6222bd30003b55614c7fc2a0c

SHA1
b9a8bdd35135c963e1ceefe543d33480192d6ab8

SHA256
9a4c2f06a1de33edabf4f9a29dde9f31a65b3a1111a1a0fb5c77135d0d06f6de

SHA512
7e3cca2680cfabf65902bdd49923bdcb37178e35fc87447ecd1f335c5f48deb1d0de2bb63582a93946c35b33cee000c58c01a2db6f3118469fa30e76e860f583

Download Submit
\Users\Admin\AppData\Local\Temp\61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe

Filesize
261KB

MD5
76e30d26768cb8c604ee48228aa3cfab

SHA1
fed43a9130e452816d7ab21c6a9338f5f40ccad2

SHA256
b815739ca0ddb9cd6ae32363dfdc0eabd14c260c9c545e7e9fad3206428ac93c

SHA512
31365fa37dcfbafa6c74607d24abb42e7688344e6606382e4a17b2346d5da11843a6289b4ae4624c6a5696e4f90ea3f0306228efbb90e467f1b4e8e056d7a356

Download Submit
\Users\Admin\AppData\Local\Temp\61e8591612fbe6e901d212115c774a505fa8e64b0865bd83703412c95ba966admgr.exe

Filesize
261KB

MD5
76e30d26768cb8c604ee48228aa3cfab

SHA1
fed43a9130e452816d7ab21c6a9338f5f40ccad2

SHA256
b815739ca0ddb9cd6ae32363dfdc0eabd14c260c9c545e7e9fad3206428ac93c

SHA512
31365fa37dcfbafa6c74607d24abb42e7688344e6606382e4a17b2346d5da11843a6289b4ae4624c6a5696e4f90ea3f0306228efbb90e467f1b4e8e056d7a356

Download Submit
memory/976-62-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/976-63-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/2020-59-0x0000000001000000-0x0000000001097000-memory.dmp

Filesize
604KB

Download