a9ee05e7356e6f882a7f8c4d409e80c931073369f53055f6054be796f0ec5600

General

Target

a9ee05e7356e6f882a7f8c4d409e80c931073369f53055f6054be796f0ec5600.dll
Size

671KB
MD5

ee1b0cc0d7225533bc05c08cc96e1485
SHA1

c907c17a25b8dd7b1d1e69b72fc24c06bec83cf8
SHA256

a9ee05e7356e6f882a7f8c4d409e80c931073369f53055f6054be796f0ec5600
SHA512

305f37d1b3672e6acc0a244c0ed268349521bc55493a0fd8fed384578f54a8329eb1c45c721797819557a951b5943875dc8f21041a3b67683f5909ee702f239a
SSDEEP

12288:Tohsg5IxvDzf3R5UUclOJpQ5wCvQAAo+S0PurMaPw2BnG7RQpwpqYlfuIuztA:8Ix/vRuZCQJQI0PurTIRQp6qYdupA

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2028 set thread context of 1716 2028 rundll32.exe svchost.exe

description	pid	process	target process
PID 2028 set thread context of 1716	2028	rundll32.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c00d9e970300d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "251"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af000000000200000000001066000000010000200000004d3f57adc337320e00e2343da7d30e41ba056c67890731162ef77bee597f6d00000000000e800000000200002000000006554c6dc6c2806b5f0d82cfb7437503355ec1372b283705268a7b529718f23c20000000600b4e81cddfc733b50d1ba028dbfb26987b65da3cf33897b78db82ed8c61aca40000000365ad262ef65cbc37f1957fa7e363b6a3ebf979a8d122d6fb33551fb33f3d458aa8d8229266083dca1e35418a25fc2191d4b0eb4bb55b51f44186edfff859959	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "251"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376059301"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "231"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "231"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "251"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BE53DF81-6BF6-11ED-91F2-D2F8C2B78FDE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1176 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1152 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1152 iexplore.exe
1152 iexplore.exe
1176 IEXPLORE.EXE
1176 IEXPLORE.EXE
1176 IEXPLORE.EXE
1176 IEXPLORE.EXE

pid	process
1176	IEXPLORE.EXE

pid	process
1152	iexplore.exe

pid	process
1152	iexplore.exe
1152	iexplore.exe
1176	IEXPLORE.EXE
1176	IEXPLORE.EXE
1176	IEXPLORE.EXE
1176	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

rundll32.exerundll32.exesvchost.exeiexplore.exe

description	pid	process	target process
PID 1224 wrote to memory of 2028	1224	rundll32.exe	rundll32.exe
PID 1224 wrote to memory of 2028	1224	rundll32.exe	rundll32.exe
PID 1224 wrote to memory of 2028	1224	rundll32.exe	rundll32.exe
PID 1224 wrote to memory of 2028	1224	rundll32.exe	rundll32.exe
PID 1224 wrote to memory of 2028	1224	rundll32.exe	rundll32.exe
PID 1224 wrote to memory of 2028	1224	rundll32.exe	rundll32.exe
PID 1224 wrote to memory of 2028	1224	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1716	2028	rundll32.exe	svchost.exe
PID 2028 wrote to memory of 1716	2028	rundll32.exe	svchost.exe
PID 2028 wrote to memory of 1716	2028	rundll32.exe	svchost.exe
PID 2028 wrote to memory of 1716	2028	rundll32.exe	svchost.exe
PID 2028 wrote to memory of 1716	2028	rundll32.exe	svchost.exe
PID 2028 wrote to memory of 1716	2028	rundll32.exe	svchost.exe
PID 1716 wrote to memory of 1152	1716	svchost.exe	iexplore.exe
PID 1716 wrote to memory of 1152	1716	svchost.exe	iexplore.exe
PID 1716 wrote to memory of 1152	1716	svchost.exe	iexplore.exe
PID 1716 wrote to memory of 1152	1716	svchost.exe	iexplore.exe
PID 1152 wrote to memory of 1176	1152	iexplore.exe	IEXPLORE.EXE
PID 1152 wrote to memory of 1176	1152	iexplore.exe	IEXPLORE.EXE
PID 1152 wrote to memory of 1176	1152	iexplore.exe	IEXPLORE.EXE
PID 1152 wrote to memory of 1176	1152	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9ee05e7356e6f882a7f8c4d409e80c931073369f53055f6054be796f0ec5600.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9ee05e7356e6f882a7f8c4d409e80c931073369f53055f6054be796f0ec5600.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.java.com/pt_BR/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb76f8ce504ce9c72a8712f4808cfc6c

SHA1
1ae7abb18a542ebc47c1472b5cb76cfa8ebc427e

SHA256
a2f4313e1e767d36806e0ecdb44046fe4cf4c9dbb694482bd9a8060578ce164a

SHA512
ff91979036927de6f673545ecb942b41e17c89dc25e4d827d7e53a507cbfa299c186c0d852f8c27a4959202efe74d086f3a641c223368d463406cfbffae21713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
1KB

MD5
09077ff613093c6e3b534684d944f6d9

SHA1
a9f437c30cf84bb2a6a3efef2623d8de8fda2552

SHA256
d26248ceda6bf2433ce99404d3a145e6d6ad569d5433a8312009b8868026e4e7

SHA512
ea4cc1ac488ca7fef8a90b781670c58f4073ee8aa3e4099665883b4536f8eb596e4da4bf1f363f50ddf65c18bb7e33ee0b387403d886d040e0828f36b40264bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.gif

Filesize
1002B

MD5
94ff00a208cc710d22219e55d2f986a8

SHA1
f477b7e1f497561ad80225e1904dedf78a541444

SHA256
1e7ce3968b2cfdcea4f4405502859e11f98039a6515c78f7fda52d9674767638

SHA512
730a93f5109caad8f4ac05c3b7bf47ae6b8ac5f24cc9407ae5a3a0771e903abdb4c403375d3f3c981c0e9fcc2e3beb4d8f3b2c6c55d31d037b36d2f7d6cf99d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VN9TPG0L.txt

Filesize
608B

MD5
9c409d6ab2154ea0a15477ed1ad6e987

SHA1
53346f168c5b5d2fddd9307e9320cf51169b8f98

SHA256
b1f9bd170ee32d65764fae178cb40a3aa8198df36979f1f8bacfbe79508b41aa

SHA512
5ab931c521b180313c446f1a6093a67106c3cb32311a6582b97532b5917281e853a08cae411905033a0853341896230412d3e0ecc183bb7f810543e07be53c3a

Download Submit
memory/1716-61-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/1716-60-0x000000003C082744-mapping.dmp

Download
memory/1716-63-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/1716-59-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/1716-65-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/1716-57-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/2028-54-0x0000000000000000-mapping.dmp

Download
memory/2028-56-0x0000000005F80000-0x0000000006127000-memory.dmp

Filesize
1.7MB

Download
memory/2028-55-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing