dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6

General

Target

dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe
Size

639KB
MD5

3fd24dc919dda49ca61b1a75ad07c456
SHA1

ee06de52351710e8b5e15bb74ee36e3c8be47688
SHA256

dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6
SHA512

57bc257e1de3374b4d2822e66b03cec35415bcfb408173e726e78b5759fa093fb4a6dd9e472f20da01cd4fca37bf6f2c63bbf718739b6daf4cb2deb55750af6d
SSDEEP

12288:MXCvbV+qxCnjpXPg3OduQ/kSRmsPTP2oNqyVPfA0yPChFsnszjL8:MXMwnjpamumkumsPzLbVwHPmF6szf8

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

Processes:

dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe

description ioc process

File opened for modification C:\Program Files\ dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe

description	ioc	process
File opened for modification	C:\Program Files\	dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A5404993-6B51-11ED-A0EE-DE60447A8195} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2045082385"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2045082385"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000002c8860378f663129e6455f3f7afca87811f88f53312089b24da9583edc77bbe6000000000e8000000002000020000000c471483bcd7b0a86986afa0fe8f1b5b57ba36c9314dba27c14898db220e494c120000000f8b8ac6f53837252bf108e4d047304fe3ec2972270403572acd5e919a8ddb1a440000000f4b784892fdde1a9de5164d8f10bd0f5c3b656529a106f3ef25fe8bebc0f94d3b3feedb5bdbe331c26193afa00b019bdc905ecd6ce57a8d25bbc2178c8f02503	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60229b7c5effd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998366"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000004dc7bf30e43efb5a2d263d15ad35c8ccfeda42e1371662046da26fdf26d6c470000000000e80000000020000200000006245176a8b14aad48c83cff4f71183874559dde70c4342dead6177c49b7dd3782000000037d494eac50415ebe7632b3741bd122e670f2bbd4f93b98e317f4eec5d78fc9940000000a9beb3f096195ca32440ffadbf61868de4b188e75e991f274ace314264050340c1330b59032d420a13d1e3dc2393fc1147e8103391b0d57d3b1beac5d5042b6a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998366"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2076173731"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998366"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0c5857c5effd801	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375988370"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1128 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1128 IEXPLORE.EXE

pid	process
1128	IEXPLORE.EXE

pid	process
1128	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
4880	dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exeIEXPLORE.EXE

description	pid	process	target process
PID 4880 wrote to memory of 1128	4880	dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe	IEXPLORE.EXE
PID 4880 wrote to memory of 1128	4880	dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe	IEXPLORE.EXE
PID 1128 wrote to memory of 1684	1128	IEXPLORE.EXE	IEXPLORE.EXE
PID 1128 wrote to memory of 1684	1128	IEXPLORE.EXE	IEXPLORE.EXE
PID 1128 wrote to memory of 1684	1128	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe
"C:\Users\Admin\AppData\Local\Temp\dc4f212ae3f65a7af491aab6c24439af572f5bf5be610f21e24b67affdfacfd6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.wa300.com/tj.html
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1128 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
e32d02ce684c01ef3af05fae9066160e

SHA1
29c7a6e8ed553ac2765634265d1db041d6d422ec

SHA256
b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

SHA512
e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
ff3cb58bac053e06425e30c2125e9569

SHA1
8757155d4303a03aa13192882c18115fb4adc673

SHA256
877898fd213d10c8136124d90f3d403c4aabf7370a1ff19206ea251270fcf560

SHA512
e63710956d0cd50c0d310452307c46a0d9ce6dbbcd7d795473e3daddd5b7cb7d1d0587b4cab40e0ee11e68361e1f1108dc77a5b14a6be6757e6de8e6cc72e487

Download Submit
memory/4880-134-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4880-135-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads