3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc

General

Target

3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
Size

139KB
MD5

1a6f580c6d097b0c5dd11beda4bb6447
SHA1

39b7edae33318ca5960dea15c6cd53337789da29
SHA256

3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc
SHA512

40e8329e34dd0d893bf45c732f67f84accc931d4f7dfdfc2df8eac4f3bfd10cb56171085be5d5abf98c6c58aefd3551d10e76af8ed44ef15f8433e1a2c79f19f
SSDEEP

3072:Il8X0rG3q/1/KNUv9DPwHSbi0i4VOXOAKfKwsaFjpOV:IOX0y3YIivqHSbFEOpgkk

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pfkikx = "C:\\Users\\Admin\\AppData\\Roaming\\Pfkikx.exe"	iexplore.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

iexplore.exe

description ioc process

File opened (read-only) \??\D: iexplore.exe

description	ioc	process
File opened (read-only)	\??\D:	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe

description	pid	process	target process
PID 4932 set thread context of 4944	4932	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998467"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3781467562"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3511779675"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{023491FB-6BB7-11ED-AECB-E23A5D90AA50} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998467"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3511779675"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998467"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376031919"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe

pid	process
4944	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
4944	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
4944	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	4944	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
Token: SeDebugPrivilege	2276	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1236 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1236 IEXPLORE.EXE
1236 IEXPLORE.EXE
5100 IEXPLORE.EXE
5100 IEXPLORE.EXE
5100 IEXPLORE.EXE
5100 IEXPLORE.EXE

pid	process
1236	IEXPLORE.EXE

pid	process
1236	IEXPLORE.EXE
1236	IEXPLORE.EXE
5100	IEXPLORE.EXE
5100	IEXPLORE.EXE
5100	IEXPLORE.EXE
5100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 4932 wrote to memory of 4944	4932	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
PID 4932 wrote to memory of 4944	4932	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
PID 4932 wrote to memory of 4944	4932	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
PID 4932 wrote to memory of 4944	4932	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
PID 4932 wrote to memory of 4944	4932	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
PID 4932 wrote to memory of 4944	4932	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
PID 4932 wrote to memory of 4944	4932	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
PID 4932 wrote to memory of 4944	4932	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
PID 4932 wrote to memory of 4944	4932	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
PID 4944 wrote to memory of 2276	4944	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	iexplore.exe
PID 4944 wrote to memory of 2276	4944	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	iexplore.exe
PID 4944 wrote to memory of 2276	4944	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	iexplore.exe
PID 2276 wrote to memory of 1236	2276	iexplore.exe	IEXPLORE.EXE
PID 2276 wrote to memory of 1236	2276	iexplore.exe	IEXPLORE.EXE
PID 4944 wrote to memory of 2276	4944	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	iexplore.exe
PID 4944 wrote to memory of 2276	4944	3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe	iexplore.exe
PID 1236 wrote to memory of 5100	1236	IEXPLORE.EXE	IEXPLORE.EXE
PID 1236 wrote to memory of 5100	1236	IEXPLORE.EXE	IEXPLORE.EXE
PID 1236 wrote to memory of 5100	1236	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
"C:\Users\Admin\AppData\Local\Temp\3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe
"C:\Users\Admin\AppData\Local\Temp\3a41c4467eb05fa493c1a348310f3983f091f5514edc5fe7f2a625e4363a40bc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
e32d02ce684c01ef3af05fae9066160e

SHA1
29c7a6e8ed553ac2765634265d1db041d6d422ec

SHA256
b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

SHA512
e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
775057d4944c6ac591fc3133b22f58df

SHA1
e64b7044c4ccd7e3b87c29f6f5ffaf900312e82c

SHA256
48dc8a45765b65db8982fbabd7f92b2f54671d8cd06f1911da5cddcc98db08c2

SHA512
56cfcc92da876d13c4e47160b85ec2c41fbd53a2121d24baf76781909fa623c4f539b825d95a8d448103959984d7a8e0869e57738f026622ad5430d29ba804d9

Download Submit
memory/4932-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4932-136-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4944-133-0x0000000000000000-mapping.dmp

Download
memory/4944-134-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4944-137-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4944-138-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4944-139-0x0000000000600000-0x000000000064F000-memory.dmp

Filesize
316KB

Download
memory/4944-140-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads