f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb

Analysis

max time kernel
134s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 18:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb.exe
Size

466KB
MD5

8434b6117d08ad473d4ccf835f21d62b
SHA1

a6d7a347e8cf733964673bbcde6c44f707854b5b
SHA256

f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb
SHA512

9dd9cec7dc9395be73345cb95b8913878972e6c562c502905ce1e351f070eedd63ef3c5309b9acb262c085f84797b65f5d41c314519b5bfa8aa7a1139ebacfb8
SSDEEP

12288:KOfr3+AZz6vIlBP9S/hsbRbG8UvY15yjRnEhGMZhqGmbwJJ:bbf1lyhsb97nSjx0GIqGN

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1689000868"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1732917169"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000005a4c8897e0bfa52a0aea4760810f88fbf2c0a7beb9429dcfe7835e34e035ec3a000000000e8000000002000020000000510f6d2b4196ae6535e6043119c7a7208c9abb662063f76ec7cf567c7dacd81320000000a5dbbd74ed1e08fb6f3c77f421301eecb6641426d0b4cab138b4eb4a8afb480d400000008a03e0e6d6e562cf917ff5430494b912e72eaed5a40fd2011e75472483f0930f251d526c026c84a2092986c7bf6e181b2aced49f5ee28c42b86131a14cbe3c02	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9006F5A7-57F4-11ED-A0EE-C65219BF0A09} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1689000868"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a1586c01ecd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993409"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993409"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000001e1fde46422c98b82c95e60aa75c7229ef20d02b2bf974938590e46e82171693000000000e800000000200002000000088d83d317b956909ac2f323ed93f92cc9e43e2f10370fd6dfd12f8086cf2499b200000000f129a41bfddabdd78f0cb2602dec0252de31e9f4f11d6cb08ff6d2cb7c17f25400000009840e84a8c7a65f6923dfaadd20f02069ea31e8c806c8cac411f94d505eb9da4e6a282e2fceee8649ccf5ba5e73b14b57a8dfd06ca3f277339da68def9e60dca	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0b4fb6b01ecd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993409"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373859319"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5028	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1220	f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5028	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1220	f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb.exe
5028	IEXPLORE.EXE
5028	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 5028	1220	f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb.exe	82
PID 1220 wrote to memory of 5028	1220	f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb.exe	82
PID 5028 wrote to memory of 392	5028	IEXPLORE.EXE	83
PID 5028 wrote to memory of 392	5028	IEXPLORE.EXE	83
PID 5028 wrote to memory of 392	5028	IEXPLORE.EXE	83
PID 1220 wrote to memory of 3028	1220	f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb.exe	84
PID 1220 wrote to memory of 3028	1220	f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb.exe	84
PID 1220 wrote to memory of 3028	1220	f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb.exe	84

C:\Users\Admin\AppData\Local\Temp\f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb.exe
"C:\Users\Admin\AppData\Local\Temp\f09697c50b4c5e8101b9c993c84fbb3c24de6691387ca7b893e66484a7aeefbb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.wa300.com/tj.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5028 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F09697~1.EXE
  2⤵
  PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a66314123c8c72372bcb8583a5400a95

SHA1
fc3e45060463c37775da0bd4a8920296d222753d

SHA256
657c92d95798fc5dad4272f3d6d71776737ac0bcdce4ac6864ca5532f2ccf34d

SHA512
d9f5c243b04d7b3fbbcb37c68c583db672390644500cfa4d58280048d9fde52c668fd67e84ecd6ace20b2813eefb756627adbd04a6f19719f6e907aa3fffe4f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
f0b0ae634bd7c5759e18e7ff4cee7362

SHA1
e2ff14bfb4c007c3f24cafe583cb95a27aaec3f9

SHA256
b06d8411fa7498c41bcbc60ae5b843a8a7fd80ff70875d41d172448876db89f8

SHA512
fd6ee2e8f8bdadbb43114fd03d5a0820734f3fc8e00fd3f1ffec6a7cbd04a4aee47b4d63cba667c44c579ed33d05436611ef57001a260b2ca37e432c705a5f3c

Download Submit
memory/1220-134-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1220-136-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download