d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6

Analysis

max time kernel
121s
max time network
133s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe
Size

734KB
MD5

5b0980fe58acb76e1b89feaa051fea60
SHA1

55e1a8ce8c2742f4ecb69f6e9ca215102b2c72a2
SHA256

d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6
SHA512

d0a122cb96fa2f5fd875b5b753fa76205ae2f44142950616b144e9da150ee770462e7762e78a3b7a6c70565d3042599f8ee30271d835a426d4c9d6075e150e8c
SSDEEP

12288:QhC71id9ZwcjRjvWgcDQshlJNO13t1nEmm4SnFoE9/BK5b7IBkU+A4:QhCEZ5jJvWgc1EcJ9gpIE

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1220	preloader.exe

Loads dropped DLL 1 IoCs

pid	Process
288	d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	preloader.exe

Maps connected drives based on registry 3 TTPs 5 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	preloader.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	preloader.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	preloader.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	preloader.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\NextInstance	preloader.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	preloader.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0357066f\\preloader.exe"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0357066f\\preloader.exe"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0357066f"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0357066f\\preloader.exe"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	preloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	preloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class"	preloader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	preloader.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1220	preloader.exe
1220	preloader.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1220	288	d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe	26
PID 288 wrote to memory of 1220	288	d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe	26
PID 288 wrote to memory of 1220	288	d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe	26
PID 288 wrote to memory of 1220	288	d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe	26

C:\Users\Admin\AppData\Local\Temp\d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe
"C:\Users\Admin\AppData\Local\Temp\d01ae3928648a1d4f3d16d2bd86d545b121cec119938cffb04a2e543d98283b6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288
- C:\Users\Admin\AppData\Local\Temp\0357066f\preloader.exe
  "C:\Users\Admin\AppData\Local\Temp/0357066f/preloader.exe" ProfileFileName=step0.ini
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0357066f\installer\boot.dat

Filesize
1KB

MD5
6db0fd7f293dd6ed225f6bff92aecbdd

SHA1
b3467986e47d40c4c64ab6a985ff733930efcafa

SHA256
8900730951ed90b21d1643dd685e0a75c4ac72196c7eb4094e5bb5d48ebd351a

SHA512
2a87b596c8da681177e3ae4ac62667b398d1c4857e2bbf970c35f519883191b856c5fd4ac95e761cb0c3c1a5885d6cc7eb5385c6643ef0c65f853c00c19283b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0357066f\installer\installer-config.dat

Filesize
4KB

MD5
a452b6172db2abff033fdcf07348db7e

SHA1
c6dc34da668691f92435d587d05d29ae80318e57

SHA256
90a37ac4d4679a4d33d4a68bd438c40c3daba0930be6d741555a96430a042a45

SHA512
b1d581c679ad402de53510673bec889854d4f1a7960b2fafcb9b16c063a5efd9158784495887136c756539e712f21cb05c1e5c471e9089eca90698555cef1cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0357066f\installer\installer.dat

Filesize
33KB

MD5
3f90d1ae2cd6585e05f2e88b083ed7fe

SHA1
315f4a145f3258217f5366cf9e63bea1e59af9ea

SHA256
313aee635db631714c93dc12d77420d5b7aa9fb0de1e34c1c283528399f5f219

SHA512
41c8048e32cab2a49c94cd416c7bb72f605edb67bd03b49415d0fdd3e88578df3111a3a068638da5ca8c808b209c94d49f8e6e9fa81c4c6d0d0bd7927fd0a686

Download Submit
C:\Users\Admin\AppData\Local\Temp\0357066f\installer\new-screen.dat

Filesize
2KB

MD5
e7bd86cc534ea38eb2a028443ca03fdf

SHA1
eb344f4892e295621cfa05b3251daf57a16e725e

SHA256
f07b65edea8a35f0ae5b909e04a29bcde0ab7f996381b3773645f70375e772df

SHA512
0b1a99e911ac6b3b47fbeb2943924f4a072080be8ddfb148552c5d9b7dc30e4894c30e02b6975c345785972e849b0512d59c36760cbf5e9caa587e5878ec327f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0357066f\installer\step0.ini

Filesize
965B

MD5
9cb7d0b61d3b2827d90fc0e09c691def

SHA1
6937ea4e3ab35ab12e97f7c8b30fe64c70fe56ee

SHA256
79e20f53fe54a2f63a01ee40bc24bb57b7c550acd932b0e9d0c23f0c36660be8

SHA512
3361b93a24f9b26b6a8da23b601c2d78d6933ae52f19b511dc185373004a15a8a0d58237418680c5bc8b75f2018e79403524f1efc5d060b945f1572233016349

Download Submit
C:\Users\Admin\AppData\Local\Temp\0357066f\installer\step0.ini

Filesize
15KB

MD5
a9f3fdd761af5e0f69caa47325ff0970

SHA1
583652a620e1c5e7812e1e91c64be663577d4937

SHA256
315628cb4cb7d6fe683665f0082cefd08d79be4ddba085ccab0184cbf50671a9

SHA512
4aa679a366f8d492b22c8d2e3f9945744ea68fac8e3ab646904b5e3aebb31fbd0c4050081841396c72739f1b90665b02424f2c2b3d9ae7936d6826e70263be6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0357066f\preloader.exe

Filesize
1.3MB

MD5
1ca6cc8caaeda9ff6369146d461af826

SHA1
0dac7d2bc99c76710d508c7e1fc02ea1085def3b

SHA256
cf3be7118a2588ca52d94bab8fca88feae263f1e7fca185fa2cacde7ee8b713a

SHA512
ebb4799f8a170cebbac3235efdf4ea00ac8cde25ec80b2f5b09e3523456e667a689a0cf34270271c5815e62963241eb7a698b0838e25cc4be022a748a0a113d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0357066f\preloader.exe

Filesize
1.3MB

MD5
1ca6cc8caaeda9ff6369146d461af826

SHA1
0dac7d2bc99c76710d508c7e1fc02ea1085def3b

SHA256
cf3be7118a2588ca52d94bab8fca88feae263f1e7fca185fa2cacde7ee8b713a

SHA512
ebb4799f8a170cebbac3235efdf4ea00ac8cde25ec80b2f5b09e3523456e667a689a0cf34270271c5815e62963241eb7a698b0838e25cc4be022a748a0a113d1

Download Submit
\Users\Admin\AppData\Local\Temp\0357066f\preloader.exe

Filesize
1.3MB

MD5
1ca6cc8caaeda9ff6369146d461af826

SHA1
0dac7d2bc99c76710d508c7e1fc02ea1085def3b

SHA256
cf3be7118a2588ca52d94bab8fca88feae263f1e7fca185fa2cacde7ee8b713a

SHA512
ebb4799f8a170cebbac3235efdf4ea00ac8cde25ec80b2f5b09e3523456e667a689a0cf34270271c5815e62963241eb7a698b0838e25cc4be022a748a0a113d1

Download Submit
memory/288-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads