99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63

Analysis

max time kernel
37s
max time network
69s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe
Size

783KB
MD5

0ef1cf7eb7e04d7909e207cc13882c40
SHA1

d8dffe56820652bc54f995b4f6c974c3508e1c35
SHA256

99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63
SHA512

afda7d4b0ab3da5bf973689d5df15d2ca44bf4ad091c3cacd10e2cbe8e87b559ab9e3e0521bb58ef61901096a4856d0e3a970a6adba325995dea3eac4c562b98
SSDEEP

24576:/1Rt36NQ3fsCZtg2d50j1DegVrbRmBIie3jAG:/R6NQPsCZt3YYgZbUj0jX

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
480	setup.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\520b7b8b\\setup.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\520b7b8b\\setup.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1988	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	setup.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\520b7b8b\\setup.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\520b7b8b\\setup.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\520b7b8b\\setup.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\520b7b8b"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	480	setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
480	setup.exe
480	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 480	1988	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe	28
PID 1988 wrote to memory of 480	1988	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe	28
PID 1988 wrote to memory of 480	1988	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe	28
PID 1988 wrote to memory of 480	1988	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe	28
PID 1988 wrote to memory of 480	1988	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe	28
PID 1988 wrote to memory of 480	1988	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe	28
PID 1988 wrote to memory of 480	1988	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe	28

C:\Users\Admin\AppData\Local\Temp\99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe
"C:\Users\Admin\AppData\Local\Temp\99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\520b7b8b\setup.exe
  "C:\Users\Admin\AppData\Local\Temp/520b7b8b/setup.exe" ProfileFileName=step0.ini
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\520b7b8b\installer\boot.dat

Filesize
1KB

MD5
006bb5d4955e8b539afc413eb10c183b

SHA1
2f7e9309271048f4beecddd3632c422d4ca19852

SHA256
136472a8f1212856a24f158aac4a9ec48e9109b025c984e3988c5a8cfcfe8837

SHA512
5e454355f1b2103973595eb8a5d01979405eb802a659fa13b890d032fff1321e5919c989bd4bd4cdd97d85d96851f8bbddeaa4485983eca8fc12482dcd805da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\520b7b8b\installer\installer-config.dat

Filesize
4KB

MD5
9e81bb82a1ae6e9323fdc1d46a561904

SHA1
32de2c2c79b5a849e3a967e653ce372ae10a0142

SHA256
a8218daa14622cd1cd7e822c74aa686f87e0afca9ee41eb48d2ef8cc29add5ea

SHA512
10e356fe68090713ed85002c2a1f8afc52dcc06744c44cf0266b730089c05ac312640b92b66c086d4f1fbb8609fdeb4b34e393f32f11fafdfdadafa216cb83c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\520b7b8b\installer\installer.dat

Filesize
34KB

MD5
545390d29b63954b7a3bdc5da8d5761d

SHA1
4d2a227fee05d6682f718fcb567825f4a04d2aa7

SHA256
90814e67da7cfb0826937ec935562d6f8663b64159ee8f9bd3dbc71cbe263c26

SHA512
bbf0869b4143fcb095e8d7f7dcc8dc2ae8ab6899317072f1af94ae51d393e583071cd4c96dd398c649747f0a072f664f825422a25457fec13809ce77b2212521

Download Submit
C:\Users\Admin\AppData\Local\Temp\520b7b8b\installer\new-screen.dat

Filesize
2KB

MD5
a569b2637d244040df5c07207724e5b5

SHA1
64bc7873c74e40ab794f4a49aa01079a70d00094

SHA256
081f00d28a89b52810e9f468719d2b3aa6aafbe81770cc658b63019d7166d511

SHA512
011a72ac621f84dbdf906c96e81c99d43c0476047261eeb31bd2679eba76eecf3bced3c2ebe7db5e1b9f6a46b4146151668b071f7597e866bffb2a7abb55bbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\520b7b8b\installer\step0.ini

Filesize
996B

MD5
0f0a89d9031f0b44f1efaca75002079a

SHA1
ac083a8a00c48ebd3fd3480edb9a2d68eb08dc2e

SHA256
e5e6709e6d06bca797a52d17792be27e729f75b635112f1bc64f6079a708ea8d

SHA512
f1b8fc572454dc6ee8af11561f7c14aecf47f1aa17a4acb149f6decef031d7ad5ec87c0e8d13a645313f77d613ad3dacb6edde56c4f22f3b90984d778177e818

Download Submit
C:\Users\Admin\AppData\Local\Temp\520b7b8b\installer\step0.ini

Filesize
16KB

MD5
e7e08c0eba5f916636df976423142321

SHA1
010e808ad05d90d584c7bf5e2bd5d6b98f17b1d7

SHA256
202547614be7e64d400e62930e0937fe5a7413ecbde775d0683728f61240e707

SHA512
85f0f03b1a092726e0908bb902cbce69ccf8306903680383a30aea5f57daa84006aaad0f3d6c81f1053ae1cb1e751e4bf6d54c88b8dea31560f9d363e7220266

Download Submit
C:\Users\Admin\AppData\Local\Temp\520b7b8b\setup.exe

Filesize
1.3MB

MD5
09814f775da3cb93cda28b18bacc1f98

SHA1
eeaf8388bba468f5317ff24a781d7257f891ee71

SHA256
4f98d731e973311f13c6c9f214624068d9eb83290de5422e0218ddd81dbb7432

SHA512
b81bd9bb1c56f5a9e03196d754833a1dc90cf260c2f040c8e0933c24f23ac011cbb74e9864d8b3a15a6509371ce5f59c64b7dac64b3148a02c7c69bc7f33c539

Download Submit
C:\Users\Admin\AppData\Local\Temp\520b7b8b\setup.exe

Filesize
1.3MB

MD5
09814f775da3cb93cda28b18bacc1f98

SHA1
eeaf8388bba468f5317ff24a781d7257f891ee71

SHA256
4f98d731e973311f13c6c9f214624068d9eb83290de5422e0218ddd81dbb7432

SHA512
b81bd9bb1c56f5a9e03196d754833a1dc90cf260c2f040c8e0933c24f23ac011cbb74e9864d8b3a15a6509371ce5f59c64b7dac64b3148a02c7c69bc7f33c539

Download Submit
\Users\Admin\AppData\Local\Temp\520b7b8b\setup.exe

Filesize
1.3MB

MD5
09814f775da3cb93cda28b18bacc1f98

SHA1
eeaf8388bba468f5317ff24a781d7257f891ee71

SHA256
4f98d731e973311f13c6c9f214624068d9eb83290de5422e0218ddd81dbb7432

SHA512
b81bd9bb1c56f5a9e03196d754833a1dc90cf260c2f040c8e0933c24f23ac011cbb74e9864d8b3a15a6509371ce5f59c64b7dac64b3148a02c7c69bc7f33c539

Download Submit
memory/1988-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download