0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522

Analysis

max time kernel
194s
max time network
202s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe
Size

449KB
MD5

83cd3c3eb4b822d859368ff517e48c4c
SHA1

2840459122c3d8481318c15a5f39b6b8b77e5a67
SHA256

0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522
SHA512

c6e680a64ad45d12f2b16d11c863ec5075fdf2907b60fef17b3eb7c7d40fc314b190c05099f61b97ac3c5f528d79cb94a4a1ebe3d7ecddf790663045e5dc4919
SSDEEP

12288:q0+GxSV74cwpgpJq3m6qkdKEFOwrv7m+ed/f05wCDPSdptRlJFA:pxe8c8gp43NdZLref05wrfRlo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1224	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf0000000002000000000010660000000100002000000020b6e47c934d16b78f1a32ea5beaf352390d34e871ba01d513e090472d01be30000000000e80000000020000200000002365171fdee0315628ba1e5b183bd6983988cf9d1a6de6b89f1d4850431ea21820000000144c053ba5c34ebe2524a6121206a35f031e24b36a67ee7848e6fc88117d4b0f40000000449ec6ded0c4e0c9b7a805b876f351ccc36b0524e6d3929acc54063787ee4fab880ae377352b1e43ea15c64ba9fd2532c63870f9cd45d1cea27f252689a69a2c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48ABCB11-57FD-11ED-8716-EAF6071D98F9} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e00aaf440aecd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000ce77182ba1a0fe49998c118fbd8885c37cca04e386703be5faf3ac63e85a1694000000000e80000000020000200000008b1a196f61e3693e6b1c6ec5292066d691c6843ecf6582681e586f481d502cb290000000c09edc0d6e6ef624a820c7725f8b80e594aa6073ed5d564fdc6f1811eb5c0518ee3be6d16eb8e4b964e1bd906126ce1971b7cc42766281fc6638d27ed6c18e8ee882913535041e623a5efb1970bacd6d7cc122391214e9af2331ee8e8dc073d8df4177aad7f63613bcb0a88aeed5435056e477d27abd8d2227017e5d1468aa7ce50e948d39b5e003c0789c20c3b3f05540000000cf9ff363715f61dedb49fafcfca647374803ca6076de1068f6692ede6295a029cdc32b4019a882721ed3377c289a55d01b7e7272445373bfce42df7cb365fc12	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373863093"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1708	0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2028	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1708	0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2028	1708	0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe	28
PID 1708 wrote to memory of 2028	1708	0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe	28
PID 1708 wrote to memory of 2028	1708	0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe	28
PID 1708 wrote to memory of 2028	1708	0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe	28
PID 2028 wrote to memory of 1180	2028	IEXPLORE.EXE	30
PID 2028 wrote to memory of 1180	2028	IEXPLORE.EXE	30
PID 2028 wrote to memory of 1180	2028	IEXPLORE.EXE	30
PID 2028 wrote to memory of 1180	2028	IEXPLORE.EXE	30
PID 1708 wrote to memory of 1224	1708	0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe	31
PID 1708 wrote to memory of 1224	1708	0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe	31
PID 1708 wrote to memory of 1224	1708	0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe	31
PID 1708 wrote to memory of 1224	1708	0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe	31

C:\Users\Admin\AppData\Local\Temp\0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe
"C:\Users\Admin\AppData\Local\Temp\0ed0eef1437ca3e8208cdfc201372035228debc0c362803ff7d1837fedaa3522.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.wa300.com/tj.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0ED0EE~1.EXE
  2⤵
  - Deletes itself
  PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IA4D55D9.txt

Filesize
608B

MD5
6eb864dfd248b5101999dbaa6c2d5d28

SHA1
70087220cb98706e9389ddcb131328190f89ef72

SHA256
29c1cb35bb2553ff46a97c13e3b9f241e3bbc7f86dace449c49e02ea76a98b8d

SHA512
a2e555f475d050e0231c9e8ae7b2b2f8e09d3429c3daef4aebc56042ee4b7c320172d03987a59f0831565b07a5278d07e36aa6aa22e2ac097d6bd53405966314

Download Submit
memory/1224-57-0x0000000000000000-mapping.dmp

Download
memory/1708-55-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1708-58-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download