a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39

General

Target

a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe
Size

467KB
MD5

3f1c44cd35212935e4c2ed46e217c100
SHA1

20111150b30fecaffdbbf6c190076558cb0ae920
SHA256

a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39
SHA512

20f2f3f703a2467b8786190b54e15a4bfe1063abf95b4e3521454bd690491be2616bdb0ded95ab5af4b3e22ff1d94d27153b12f49195f6b44270db8d86157bf5
SSDEEP

12288:GMDtCi7NFlZnNqZ9xGrLpZ0ZHEqtgb0UO:FplNFgxG5eZngb0N

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9B334C51-6B7B-11ED-B696-DA88DC7FA106} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e3c032b1bb4e3b41a78601528e8f4abe000000000200000000001066000000010000200000006b93f91173a1740d8a85416e6bfa8b20b5f28b08b90ba90158cf27d11f73a5c7000000000e8000000002000020000000a62e7c1413a7aa482f8d47b835b25631fddb5d7ef12f6608d447b6024f351699200000001bb47e745780f09f2e482811cb743a00ec88979a3619cc6be7a6a569bdb3d810400000002d57d3ca93cdd5d4e265463bfd75760be5b09c0419d99d92f8271381be0e29f290cf60999a701d551f40058809f38d88be3a78810ae24e9a4c88569567dcc385	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c0c17b88ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375403296"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30309a7a88ffd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e3c032b1bb4e3b41a78601528e8f4abe000000000200000000001066000000010000200000006998c7bc1d92cdc43df6cf166d8457a28c43d96e87975492a006530a68542e3e000000000e80000000020000200000005d35f955572f550b90575351e215245688a520a7ba25c325a9017c14c734735920000000f30dcb8c53b1de9755d8685deac69f4f9e57d8a487f87895bb5d6234ad86136a400000003b67a5d2c7d35cad4ecc7f77e7a07a8d9c689ada50dc1504aad66fbfb2b86302e0d0c380e54f8f794476f108e50db024cbbb911a5410fef0d0cb315b2ea0f737	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe

description pid process

Token: SeIncBasePriorityPrivilege 5096 a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

4568 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

5096 a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe
4568 IEXPLORE.EXE
4568 IEXPLORE.EXE
4828 IEXPLORE.EXE
4828 IEXPLORE.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	5096	a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe

pid	process
4568	IEXPLORE.EXE

pid	process
5096	a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe
4568	IEXPLORE.EXE
4568	IEXPLORE.EXE
4828	IEXPLORE.EXE
4828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exeIEXPLORE.EXE

description	pid	process	target process
PID 5096 wrote to memory of 4568	5096	a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe	IEXPLORE.EXE
PID 5096 wrote to memory of 4568	5096	a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe	IEXPLORE.EXE
PID 5096 wrote to memory of 4244	5096	a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe	cmd.exe
PID 5096 wrote to memory of 4244	5096	a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe	cmd.exe
PID 5096 wrote to memory of 4244	5096	a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe	cmd.exe
PID 4568 wrote to memory of 4828	4568	IEXPLORE.EXE	IEXPLORE.EXE
PID 4568 wrote to memory of 4828	4568	IEXPLORE.EXE	IEXPLORE.EXE
PID 4568 wrote to memory of 4828	4568	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe
"C:\Users\Admin\AppData\Local\Temp\a553cfe83c35c1089ea65cf32e0d8662beb2ecee7e445bece140310bba057c39.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5096

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4568 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A553CF~1.EXE
2⤵
PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4244-135-0x0000000000000000-mapping.dmp

Download
memory/5096-134-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5096-136-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing