6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced

General

Target

6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe
Size

466KB
MD5

4444fdd8a9c1a6e6ca191054bf4039c6
SHA1

1b6fee86baaeefe746d932361203b9bf27fad5f9
SHA256

6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced
SHA512

97dad2cbb4c94c8a3fabbcfaa6dd4367b8b394ca4dcf151da7d576b60968064d7702f8e10ac43a6233ff91f0a5c8c9dd5ec658b3c5af1b3994e2fde4ac4b64e3
SSDEEP

12288:Fr3+AZz6vIlBP9S/hsbRbG8LJgEFm8BDVqdEyoFWVoBX:Ff1lyhsb97LiAm8BxoErFWyl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2036 cmd.exe

pid	process
2036	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375992368"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005cb78d52f11fd5449f13d3b8ebc61012000000000200000000001066000000010000200000003be4d959229a522ad969c46dc4ca69134d6e13af5b3a545d087957df87f5a3fb000000000e8000000002000020000000a66e9050823a6f0949f620e1d399e595c47cd3bad5666fd7474e8fc4b838f9c29000000052640fe9759ab12cb5aa9ac24108df7e85c822f6ff0c44105a06bc703e1e176df243d7004ffe17991815aa2eb89083b60d752f84acd6e3c81d2246c92103befe90bb3999026226661f44ec052124e00de785a509fda32c04fbf4a3940c5beacc675e0ad76bcfefba471ad2dfa1d41e16941459a62ea247a771bdfde69fad8728955987e23d9ef9cf7c4494254912783440000000e19142762e8b18519d071d3d74367be2dd9d22d0c36dd76fbd7544982bc9d6bfec215e0445ad9d314e4cc94cb69d8c3b91270afbbdf6b620ae6f088d41f2e7c6	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EE5C2BC0-6B5A-11ED-84F9-5A21EB137514} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005cb78d52f11fd5449f13d3b8ebc61012000000000200000000001066000000010000200000006b979862e7a7d18bc62d6c1f96562883d69062c88a9c12fd0a4d3f5207e0fbc4000000000e8000000002000020000000af236810e849271f81de0faa93749471a9a86240be8172f305021239951a5bc62000000056e8780c4eac854b2b960df69a02c496d980bb2032b101d22593cd4709d7572a4000000052745798b5f092eb53477883e0c7a36c9b2f9d055975c26d86ef5709b936757628f2df4785b1867eaabd8dd23836709f1a52efec944032bb1894f198f0fe7561	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6080a8da67ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe

description pid process

Token: SeIncBasePriorityPrivilege 944 6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1992 IEXPLORE.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	944	6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe

pid	process
1992	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
944	6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exeIEXPLORE.EXE

description	pid	process	target process
PID 944 wrote to memory of 1992	944	6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe	IEXPLORE.EXE
PID 944 wrote to memory of 1992	944	6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe	IEXPLORE.EXE
PID 944 wrote to memory of 1992	944	6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe	IEXPLORE.EXE
PID 944 wrote to memory of 1992	944	6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe	IEXPLORE.EXE
PID 944 wrote to memory of 2036	944	6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe	cmd.exe
PID 944 wrote to memory of 2036	944	6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe	cmd.exe
PID 944 wrote to memory of 2036	944	6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe	cmd.exe
PID 944 wrote to memory of 2036	944	6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe	cmd.exe
PID 1992 wrote to memory of 552	1992	IEXPLORE.EXE	IEXPLORE.EXE
PID 1992 wrote to memory of 552	1992	IEXPLORE.EXE	IEXPLORE.EXE
PID 1992 wrote to memory of 552	1992	IEXPLORE.EXE	IEXPLORE.EXE
PID 1992 wrote to memory of 552	1992	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe
"C:\Users\Admin\AppData\Local\Temp\6a61d550ead9604617b2979b67d6da5b095e559c6623ff6d19879a2feb939ced.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.wa300.com/tj.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6A61D5~1.EXE
2⤵
- Deletes itself
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2EYP1HL1.txt
Filesize
601B

MD5
34c4d92b469c9511009964e9f0990be3

SHA1
5d18c5214a6c8c68a6cbd152601b1a2097a3bbee

SHA256
76e10cb27613c26c89d36081739a6132cf2276ea9f0c9ae476bb6d4510207d8e

SHA512
e3d049fb0fc3c616c7ca989962d913baca460bac4197ddcf7d3091bad9f2dfd976f84d5832f3c9fe279d0aae63a33454ac198ad263908f38fe09378474c5c991

Download Submit
memory/944-55-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/944-58-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads