5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5

General

Target

5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5.dll
Size

135KB
MD5

b42396d9fa5989e9a4b60dad3ab26a92
SHA1

a8172766b7091459e974f434ed5e9fb680c4fa62
SHA256

5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5
SHA512

937bfc9ada850ce6a66b22c8f4b38c6c8544ace525df0106fc90d9f1215bcde9fc3588b5d587ad321464cfa736f40a1fa720898a2d89fe5ae24a1089ecbb2160
SSDEEP

3072:48M77Il/0qyLq1uy0Bmlzip0uoCYPaSdmgMV2f+kaT8qaGyI:4l77It0qy213lipJCJmjVO3aT7ad

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5 = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5.dll\",RicheditStreamIn"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3238318055"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EB29B65C-6CC6-11ED-A0EE-E6AF42CF752C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376148688"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3223159989"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998739"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998739"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3223159989"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998739"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3032 iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

iexplore.exeIEXPLORE.EXErundll32.exe

pid process

3032 iexplore.exe
3032 iexplore.exe
3320 IEXPLORE.EXE
3320 IEXPLORE.EXE
996 rundll32.exe

pid	process
3032	iexplore.exe

pid	process
3032	iexplore.exe
3032	iexplore.exe
3320	IEXPLORE.EXE
3320	IEXPLORE.EXE
996	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exeiexplore.exe

description	pid	process	target process
PID 2084 wrote to memory of 996	2084	rundll32.exe	rundll32.exe
PID 2084 wrote to memory of 996	2084	rundll32.exe	rundll32.exe
PID 2084 wrote to memory of 996	2084	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 3320	3032	iexplore.exe	IEXPLORE.EXE
PID 3032 wrote to memory of 3320	3032	iexplore.exe	IEXPLORE.EXE
PID 3032 wrote to memory of 3320	3032	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5.dll,#1
2⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:996

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3032 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
a42abb21be3940a88a73771b18ed0f35

SHA1
de12f2f619852ef135ee726614c43c2033ec5743

SHA256
edaf1fb1f6ca2a0caf5f4d85b3f13507bd5df4971fa9ea8a6e08c1227f1ec667

SHA512
c1f775deb2bcb2e0c48ed74dec1cd95f34690ca16d6465175d52d60ae45e746201cc608a58b6f8f080b7e6a7893993b61093c7d9ff63fa735ebaba61ddd0ebf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
44f3fbf3d62cfe372f07970b7ffe1162

SHA1
5e03815408845222e3f32a4ea980e60ecaab5aab

SHA256
6b60c5d814613ce8362295f69a2c05b7404df430313253022c2833bd3b9f4064

SHA512
9ec4e085dcf49c739a78b66e2ae436526a33ccf254499a8b626d20814a2314d03b96e1d847f27398faaed3f7118889065c14ef08f72c498d075146d3a8684a25

Download Submit
memory/996-132-0x0000000000000000-mapping.dmp

Download
memory/996-133-0x0000000000E50000-0x0000000000E63000-memory.dmp

Filesize
76KB

Download
memory/996-134-0x0000000002640000-0x0000000002664000-memory.dmp

Filesize
144KB

Download
memory/996-137-0x0000000000E50000-0x0000000000E63000-memory.dmp

Filesize
76KB

Download
memory/996-139-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/996-140-0x0000000000E50000-0x0000000000E63000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads