8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4

Analysis

max time kernel
121s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe
Size

221KB
MD5

a2c4f8ee430fbb8ce1574b6ae14583b3
SHA1

7ef1d60c3d0226f733c7a996217fcafcc96942fb
SHA256

8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4
SHA512

179fec791f6821f2f3564a58d67176cbeeaabe9ee81c5e123cd423e903d5661365ab5868647677059bf3155741e320fb8b5921397abcdfca7c054d348b976bfb
SSDEEP

3072:pWeNJofUXhT6bmzKsB+c1pzJyW9uJTlXIDPHT2G:pNIsBPjuRXsr2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 856 set thread context of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 1980 set thread context of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{059ACA71-586F-11ED-9916-DE5CC620A9B4} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373911920"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1608	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe
1608	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe
Token: SeDebugPrivilege	1608	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe
Token: SeDebugPrivilege	1356	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
600	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
600	IEXPLORE.EXE
600	IEXPLORE.EXE
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 856 wrote to memory of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 856 wrote to memory of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 856 wrote to memory of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 856 wrote to memory of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 856 wrote to memory of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 856 wrote to memory of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 856 wrote to memory of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 856 wrote to memory of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 856 wrote to memory of 1980	856	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	28
PID 1980 wrote to memory of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29
PID 1980 wrote to memory of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29
PID 1980 wrote to memory of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29
PID 1980 wrote to memory of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29
PID 1980 wrote to memory of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29
PID 1980 wrote to memory of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29
PID 1980 wrote to memory of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29
PID 1980 wrote to memory of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29
PID 1980 wrote to memory of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29
PID 1980 wrote to memory of 1608	1980	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	29
PID 1608 wrote to memory of 1076	1608	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	30
PID 1608 wrote to memory of 1076	1608	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	30
PID 1608 wrote to memory of 1076	1608	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	30
PID 1608 wrote to memory of 1076	1608	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	30
PID 1076 wrote to memory of 600	1076	iexplore.exe	31
PID 1076 wrote to memory of 600	1076	iexplore.exe	31
PID 1076 wrote to memory of 600	1076	iexplore.exe	31
PID 1076 wrote to memory of 600	1076	iexplore.exe	31
PID 600 wrote to memory of 1356	600	IEXPLORE.EXE	33
PID 600 wrote to memory of 1356	600	IEXPLORE.EXE	33
PID 600 wrote to memory of 1356	600	IEXPLORE.EXE	33
PID 600 wrote to memory of 1356	600	IEXPLORE.EXE	33
PID 1608 wrote to memory of 1356	1608	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	33
PID 1608 wrote to memory of 1356	1608	8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe	33

C:\Users\Admin\AppData\Local\Temp\8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe
"C:\Users\Admin\AppData\Local\Temp\8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe
  "C:\Users\Admin\AppData\Local\Temp\8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe
    "C:\Users\Admin\AppData\Local\Temp\8b319c60fadea11665c997899aa75846c9ec243021dcc60a23e24a357199aed4.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:600
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:600 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9ZR3Q0MI.txt

Filesize
603B

MD5
ac0a6978007fc6a7f4292b8d9d1b760a

SHA1
2cfde2be664bac130015f16370a1ed46f21c6276

SHA256
d059f0ea87d200587d4f37f33bb7978564318e71a86508e5fa3e34571a56ca65

SHA512
50bbfbf883bc733f01a9bb930116c97c737594de5d520796eba055d5c7cf825e9b1c9f2e39b921e1a7202c8ef42e2cc0173719a72e53d23249630300a782b250

Download Submit
\Users\Admin\AppData\Local\Temp\POSITION4DLLNAME.txt

Filesize
2KB

MD5
1a5e5b6895af73ee9e53f400ca19947b

SHA1
339a110996d7935e17d27a49a7eca5fd8128f80a

SHA256
83022f2fda3ef1319963cac53546e917633ee5d7fdb4b0e55faff12b61073c4a

SHA512
d91e7608cd5fa65f184665c2f980582c9613cc2f24767d08ba57798bf96a1872285dc7d9fdaf3a21fc6a647e13562b7e94b5876f363a0fab0d72d66d1f75b34f

Download Submit
memory/856-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/856-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/856-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1608-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1608-117-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-123-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-121-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-119-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-151-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1608-150-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-70-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1608-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1608-73-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1608-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1608-115-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1608-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1608-125-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-86-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1608-113-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-93-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-91-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-89-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-97-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-95-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-101-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-99-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-103-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-105-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-109-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-111-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1608-107-0x0000000000500000-0x000000000054F000-memory.dmp

Filesize
316KB

Download
memory/1980-69-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1980-85-0x0000000000520000-0x000000000055A000-memory.dmp

Filesize
232KB

Download
memory/1980-84-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1980-64-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1980-62-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1980-61-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1980-60-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1980-58-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1980-57-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download