e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e

General

Target

e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e.exe
Size

10KB
MD5

2f377db0b73783b029c329590031bf15
SHA1

c9479a944245bb9bdf4176e655f2ba92d46d9256
SHA256

e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e
SHA512

023c750a87ff3d84b1e82a369f813cfaab8b924c3acb046ce7b1aba2d5a243a02df007ac4b61d2dc114a198ef00238168d2538c378034ccf77341b542b5922e9
SSDEEP

192:9MapQPAHnLhH+EhQIa+ldpYuBlR2sK9sThORBA:9MapQYdH+nIpmuBlReGOB

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{65BBCF01-6B78-11ED-B78F-CED6325FB9F2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 508d0f4585ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376005017"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000008536f02409b2cf7b046b5564c1bde551b83d39c0a63c96c8fe8caa66e2363cba000000000e80000000020000200000000bb09e7ec6bdd4ce7fc2b61abf69f17f9479146b695d62caa5b21802156d09ee200000002ab43ffd508d6abdbdf2a7334a661514662d10ba25a6518f527bef54b57a8a41400000000dc2760b71e08d5929b87692f9694c1cce5bc7b5e58a8350c4b8cf83efdbdf7a8bf5a2e287ef4315e03a518e3166e38bc03b4947ffbe6d47a49decd680171f44	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000005cacc832b2e2390f99bd633b2c807a5c467eb57177ee5c82e870b3eda98e981e000000000e80000000020000200000001130e83d4f8ce487c83931cf48f762d1474a1aa5ef9842b7357a36b080d9038b9000000020738057f9d968b28a90317122981a7f26a7fcc3ce79856d7d145ed93d53528843e04df703e1cee818c448b6531636f752b75c86cac3c91fd00df1042ff539d80459c42ed756b3356159a727bbf5e0c0c589c0ec90004b989e79a4d06897e087a15fcde820ca0149a750df519241d8dd5c94bc9f2697564e02b3f5b70133b534a7b903aeaad766880ac7090132752b3440000000a432cc0ec800fc23d6ef29e1554f3fc4ca5bf4271fe1f811dfb9879b27c8fec3e643f63e55405e61743b77e49499e2e913fe8862d202bb9ff2cf57343a87f387	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

988 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

988 iexplore.exe
988 iexplore.exe
1168 IEXPLORE.EXE
1168 IEXPLORE.EXE
1168 IEXPLORE.EXE
1168 IEXPLORE.EXE

pid	process
988	iexplore.exe

pid	process
988	iexplore.exe
988	iexplore.exe
1168	IEXPLORE.EXE
1168	IEXPLORE.EXE
1168	IEXPLORE.EXE
1168	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e.exeiexplore.exe

description	pid	process	target process
PID 1792 wrote to memory of 988	1792	e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e.exe	iexplore.exe
PID 1792 wrote to memory of 988	1792	e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e.exe	iexplore.exe
PID 1792 wrote to memory of 988	1792	e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e.exe	iexplore.exe
PID 1792 wrote to memory of 988	1792	e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e.exe	iexplore.exe
PID 988 wrote to memory of 1168	988	iexplore.exe	IEXPLORE.EXE
PID 988 wrote to memory of 1168	988	iexplore.exe	IEXPLORE.EXE
PID 988 wrote to memory of 1168	988	iexplore.exe	IEXPLORE.EXE
PID 988 wrote to memory of 1168	988	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e.exe
"C:\Users\Admin\AppData\Local\Temp\e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=e075382899f58b7f4446bf7ac8a71ea91374aa238ca4dd84af6aa7175e104c2e.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:988

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:988 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\60QUDPW5.txt
Filesize
608B

MD5
3e9fa5bf747c24d824e2390a7ccf39d3

SHA1
0d5ea760cb566281425cf5f0565a85f1d5fd1fb3

SHA256
1eed9aa59a850f2ae8824ca6aee3d2e5cb403dc752edf0e6a5b74a986c7802ff

SHA512
1df10f2dba4ef15822139f86478ca0becb6ad895bcf64dad2a4efdcd662a4f76a2c9dacedcb52f42da2674968d3706c790bd42dbd8634160d6cee60fbdf4993a

Download Submit
memory/1792-54-0x0000000074E01000-0x0000000074E03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing