e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e

Analysis

max time kernel
128s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe
Size

120KB
MD5

a00ff1e969bd14e156d2906ae11d2640
SHA1

75acf44a565302e1cacc79828ee826923504cf5f
SHA256

e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e
SHA512

e363cf19f472716f4de1ca0bc7f75b4121f39b02a26c875d11099c483396fee1c0123447d129a8bf658dfb9243c99ba2bbe0a186d09b40884e320ff335b012bb
SSDEEP

1536:t96bx0D38opylZipii7LkoyXYTBgmqzgmvQxRjXrvXk8VPkvf98wO2z+gRqEpes:GO8opyl0ZspX0AgGQz/v0gir+k8s

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4712	Cklplr.exe
5024	Cklplr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cklplr = "C:\\Users\\Admin\\AppData\\Roaming\\Cklplr.exe"	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 3304	2384	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	81
PID 4712 set thread context of 5024	4712	Cklplr.exe	85

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9403F3D4-50D3-11ED-B696-D2A4FF929712} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1796850716"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373075496"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991584"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991584"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991584"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1796850716"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991584"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1796850716"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1796850716"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3304	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe
3304	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	Cklplr.exe
Token: SeDebugPrivilege	1712	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5116	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5116	IEXPLORE.EXE
5116	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3304	2384	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	81
PID 2384 wrote to memory of 3304	2384	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	81
PID 2384 wrote to memory of 3304	2384	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	81
PID 2384 wrote to memory of 3304	2384	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	81
PID 2384 wrote to memory of 3304	2384	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	81
PID 2384 wrote to memory of 3304	2384	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	81
PID 2384 wrote to memory of 3304	2384	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	81
PID 2384 wrote to memory of 3304	2384	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	81
PID 3304 wrote to memory of 4712	3304	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	84
PID 3304 wrote to memory of 4712	3304	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	84
PID 3304 wrote to memory of 4712	3304	e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe	84
PID 4712 wrote to memory of 5024	4712	Cklplr.exe	85
PID 4712 wrote to memory of 5024	4712	Cklplr.exe	85
PID 4712 wrote to memory of 5024	4712	Cklplr.exe	85
PID 4712 wrote to memory of 5024	4712	Cklplr.exe	85
PID 4712 wrote to memory of 5024	4712	Cklplr.exe	85
PID 4712 wrote to memory of 5024	4712	Cklplr.exe	85
PID 4712 wrote to memory of 5024	4712	Cklplr.exe	85
PID 4712 wrote to memory of 5024	4712	Cklplr.exe	85
PID 5024 wrote to memory of 4176	5024	Cklplr.exe	86
PID 5024 wrote to memory of 4176	5024	Cklplr.exe	86
PID 5024 wrote to memory of 4176	5024	Cklplr.exe	86
PID 4176 wrote to memory of 5116	4176	iexplore.exe	87
PID 4176 wrote to memory of 5116	4176	iexplore.exe	87
PID 5116 wrote to memory of 1712	5116	IEXPLORE.EXE	88
PID 5116 wrote to memory of 1712	5116	IEXPLORE.EXE	88
PID 5116 wrote to memory of 1712	5116	IEXPLORE.EXE	88
PID 5024 wrote to memory of 1712	5024	Cklplr.exe	88
PID 5024 wrote to memory of 1712	5024	Cklplr.exe	88

C:\Users\Admin\AppData\Local\Temp\e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe
"C:\Users\Admin\AppData\Local\Temp\e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe
  C:\Users\Admin\AppData\Local\Temp\e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Users\Admin\AppData\Roaming\Cklplr.exe
    "C:\Users\Admin\AppData\Roaming\Cklplr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Users\Admin\AppData\Roaming\Cklplr.exe
      C:\Users\Admin\AppData\Roaming\Cklplr.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4176
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5116 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
6a15e3564b9eb382fe5534f59d6fccb4

SHA1
911dbc1a988c2d6816beb0c21c4ea5402253b884

SHA256
6b478c66c9a2024177d4a478ccea9a82f3162aa87a5125a0dc3750c920bdbc62

SHA512
2801f46d495eed08dbb10e73ccda4828faf4ef6b1ff3ff45ce8d73331e692381c25417d15c958f8c3f9c6932300cd0e66b1aad6bb5a92e2bf27b338b6d245711

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
a89e5b53a96c659042fc7b032fa5e6b0

SHA1
37f2465b357a6f265acc37144c54454731c73835

SHA256
bff71c9d3e7727176b109224205948f4ca8326e1335a87fcd31eef5ac6823d17

SHA512
dfdb68574fcf9a22d187b7581d2dcac202399a64058d13a988ac15dcc9714a7833c07b34c9a7e27badc22f466e376b1e9e1e2d7274181552abc484c4dc671bf5

Download Submit
C:\Users\Admin\AppData\Roaming\Cklplr.exe

Filesize
120KB

MD5
a00ff1e969bd14e156d2906ae11d2640

SHA1
75acf44a565302e1cacc79828ee826923504cf5f

SHA256
e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e

SHA512
e363cf19f472716f4de1ca0bc7f75b4121f39b02a26c875d11099c483396fee1c0123447d129a8bf658dfb9243c99ba2bbe0a186d09b40884e320ff335b012bb

Download Submit
C:\Users\Admin\AppData\Roaming\Cklplr.exe

Filesize
120KB

MD5
a00ff1e969bd14e156d2906ae11d2640

SHA1
75acf44a565302e1cacc79828ee826923504cf5f

SHA256
e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e

SHA512
e363cf19f472716f4de1ca0bc7f75b4121f39b02a26c875d11099c483396fee1c0123447d129a8bf658dfb9243c99ba2bbe0a186d09b40884e320ff335b012bb

Download Submit
C:\Users\Admin\AppData\Roaming\Cklplr.exe

Filesize
120KB

MD5
a00ff1e969bd14e156d2906ae11d2640

SHA1
75acf44a565302e1cacc79828ee826923504cf5f

SHA256
e471d4552d7641f3ff1b82739d0117a7a44674153afae207882ee5d6b9249e3e

SHA512
e363cf19f472716f4de1ca0bc7f75b4121f39b02a26c875d11099c483396fee1c0123447d129a8bf658dfb9243c99ba2bbe0a186d09b40884e320ff335b012bb

Download Submit
memory/2384-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2384-132-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3304-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3304-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3304-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3304-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4712-146-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5024-149-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5024-150-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download