dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6

General

Target

dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe
Size

639KB
MD5

3fd24dc919dda49ca61b1a75ad07c456
SHA1

ee06de52351710e8b5e15bb74ee36e3c8be47688
SHA256

dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6
SHA512

57bc257e1de3374b4d2822e66b03cec35415bcfb408173e726e78b5759fa093fb4a6dd9e472f20da01cd4fca37bf6f2c63bbf718739b6daf4cb2deb55750af6d
SSDEEP

12288:MXCvbV+qxCnjpXPg3OduQ/kSRmsPTP2oNqyVPfA0yPChFsnszjL8:MXMwnjpamumkumsPzLbVwHPmF6szf8

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

Processes:

dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe

description ioc process

File opened for modification C:\Program Files\ dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe

description	ioc	process
File opened for modification	C:\Program Files\	dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A2898D41-6B51-11ED-A20B-4279513DF160} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000009298901ff96f2fdb8fea45fd6f4e6579f2fdd0d97ec9f0b85e873792860eea18000000000e800000000200002000000068507c40ea5db4c8505e726568ccf464d03432a7bcbf582c0a92f7f15093cbf090000000d73a287cc8d2aba37c18a6680b6e9e26b5ae4563d05e0fdc0d2577c9d61c0bfd23c6ef9b59b2401f84125f454431c06815cd6359a09d8d1a78d9a1228fe44869830a5870b7b049abbab2d01312776c13883771af0638f3b73009e28a950f77e3235a818ffe2a8205ed48c139c47376accedae60ce60bb73bd66d8f3eb65e7d518e77e038f4512b85e91be19efae3be96400000000e802b24c4a3a92917d166749fe7c4660f5fe13584e73b4d9e730d6b1ce92add0ba917afea65283bc659b18d9db4d8a60e34a5bdd5918d79acf339d7c4ab932d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375988364"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000092381b1447ac36fcbc8683203333d1b4cdc38f57c5f3b7c12fe213ac69d0952e000000000e800000000200002000000068604c362f842a20cbf2396500ba501368aed028a2a508650770172aa80f7aab20000000130168401974601512148372f40ec41da9f8baa4f9a3a80e2af0146ea4666eef400000004a9bd6eb954980abf0fa2e4f889bc470fa77beefd5e79cdcfd836bdb87e3fde7ef1e8f177de2e1880ae1ed2eca3fbfc7c8fd731a05d1bd4147fe2b110453d620	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40a316825effd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

988 IEXPLORE.EXE

pid	process
988	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1696	dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe
988	IEXPLORE.EXE
988	IEXPLORE.EXE
764	IEXPLORE.EXE
764	IEXPLORE.EXE
764	IEXPLORE.EXE
764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exeIEXPLORE.EXE

description	pid	process	target process
PID 1696 wrote to memory of 988	1696	dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 988	1696	dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 988	1696	dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 988	1696	dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe	IEXPLORE.EXE
PID 988 wrote to memory of 764	988	IEXPLORE.EXE	IEXPLORE.EXE
PID 988 wrote to memory of 764	988	IEXPLORE.EXE	IEXPLORE.EXE
PID 988 wrote to memory of 764	988	IEXPLORE.EXE	IEXPLORE.EXE
PID 988 wrote to memory of 764	988	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe
"C:\Users\Admin\AppData\Local\Temp\dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.wa300.com/tj.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:988

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:988 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CDY1UG7Q.txt

Filesize
603B

MD5
e4b6d76c7c039d99b24b16443ff92c91

SHA1
b89ddf5fbb1305401b2bad9f97dc7af7d7940ddb

SHA256
7056b949c2660648ad3c3ac82607106882b256be034c2abfaeb33045908a9c2b

SHA512
7eba73731e31c41e8b59c0c880de60de5adaf6d7d0587faabca302042d9790fe4a3d04df5ecdcd88b8e768cf46161e56a9561f25ab0e93efb5f8f812dfedd06c

Download Submit
memory/1696-56-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1696-57-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads