32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51

General

Target

32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe
Size

466KB
MD5

32992360b59e5443dec1fa2647d3002e
SHA1

20fbb94e8f01820d615dc207ef373de86e79da8d
SHA256

32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51
SHA512

99763061905d43b912ad42d295f123643520eb00a9bc0e7977738434ac694404b6c864b6ae8f857b19a6e5638ea23a366ea9c9b70f2deecb4e71eeae9cf14f8f
SSDEEP

12288:Fr3+AZz6vIlBP9S/hsbRbG8LJgEFm8BDVqdEyoFWVoBz:Ff1lyhsb97LiAm8BxoErFWyp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1888 cmd.exe

pid	process
1888	cmd.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375992197"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9081608867ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000008aad814e37dd6b40fe69436d474464ddcd99dbfb82dcbb6bb3f2f17ee0f0a30d000000000e8000000002000020000000eb5f7a395e1f89fb4e0535b7ece332b32c811e843c399905e7443808ef12fe0590000000ca5da3d3cdf76f33956ffd1b3aa437797fb0f86089485e4c64760bac835d671e3cb65eb8dcf842f6822f7870ae9ad5088c62b33959a5eb79e4622232d3786922f33cf59b23d3ccf89fd710556d7171edb5bcbc196374817f027a7470dfe41753507748b4d718013157baba34f82f9a545f6ea2cad44e1f5b78b4a6746be42570a89ece80a8d9072358dfe2e2b2b6caad40000000f1df6b8db99829db78c4127f725870837bf09a87e45db7dbc662c513cfb8d3ebdcf57d294590d71e12edc7c7a6678ea5b2619eb0af7076cedde235313686e397	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8ED66F81-6B5A-11ED-A74D-4ED4A804E0FC} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000095cec9296cd148e8a2144b9e95a75a725eff982c8059378f62ea2e626185044000000000e8000000002000020000000229fa4df79263ce327bcfbf2054dae0d637e324675ec5e83707f9db8471a6e7c200000002bb6be7380c75abd4e93feed945bdcd7364317f6c8caa923874a3b94b2e2fb1d4000000068110837ded48d9e67d1d1c8d3b37990f3f32c6b90aabe429c1ae3ee7ab0f4985226ea4d0b7477b391f56a93763afa7a4dcdda9d76c236abccbc6acffc7febca	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe

description pid process

Token: SeIncBasePriorityPrivilege 936 32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1296 IEXPLORE.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	936	32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe

pid	process
1296	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
936	32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE
1908	IEXPLORE.EXE
1908	IEXPLORE.EXE
1908	IEXPLORE.EXE
1908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exeIEXPLORE.EXE

description	pid	process	target process
PID 936 wrote to memory of 1296	936	32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe	IEXPLORE.EXE
PID 936 wrote to memory of 1296	936	32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe	IEXPLORE.EXE
PID 936 wrote to memory of 1296	936	32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe	IEXPLORE.EXE
PID 936 wrote to memory of 1296	936	32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe	IEXPLORE.EXE
PID 1296 wrote to memory of 1908	1296	IEXPLORE.EXE	IEXPLORE.EXE
PID 1296 wrote to memory of 1908	1296	IEXPLORE.EXE	IEXPLORE.EXE
PID 1296 wrote to memory of 1908	1296	IEXPLORE.EXE	IEXPLORE.EXE
PID 1296 wrote to memory of 1908	1296	IEXPLORE.EXE	IEXPLORE.EXE
PID 936 wrote to memory of 1888	936	32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe	cmd.exe
PID 936 wrote to memory of 1888	936	32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe	cmd.exe
PID 936 wrote to memory of 1888	936	32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe	cmd.exe
PID 936 wrote to memory of 1888	936	32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe
"C:\Users\Admin\AppData\Local\Temp\32373e33b928a0ca1fcddbeff8a6fd1a3267a2d7d568aaac23ed5d011fdeda51.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.wa300.com/tj.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\32373E~1.EXE
  2⤵
  - Deletes itself
  PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\E2I9BVMW.txt

Filesize
608B

MD5
909e0f04be3446f34f02bbeb649aa47a

SHA1
59eadef28c788afc592f15df89e661c737748610

SHA256
05d89ea449ab8c832de16060f22f304d1225e97110ea45f8d7e868a25e3dcefa

SHA512
dc9aa48ff4259da8b7ee8c3c8b4c9024eaf0814d0405872801a2688a5867991eedc3b0d33fa40f30849a96e340d2f01b5e3d94848faca319f30a636e00cba2b1

Download Submit
memory/936-54-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/936-58-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1888-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads