Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
- submitted: 25-11-2022 07:51
Static task: static1
Behavioral task: behavioral1
  Sample: 5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5.dll
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5.dll
  Resource: win10v2004-20220901-en
General
- Target: 5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5.dll
- Size: 135KB
- MD5: b42396d9fa5989e9a4b60dad3ab26a92
- SHA1: a8172766b7091459e974f434ed5e9fb680c4fa62
- SHA256: 5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5
- SHA512: 937bfc9ada850ce6a66b22c8f4b38c6c8544ace525df0106fc90d9f1215bcde9fc3588b5d587ad321464cfa736f40a1fa720898a2d89fe5ae24a1089ecbb2160
- SSDEEP: 3072:48M77Il/0qyLq1uy0Bmlzip0uoCYPaSdmgMV2f+kaT8qaGyI:4l77It0qy213lipJCJmjVO3aT7ad
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5 = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5.dll\",RicheditStreamIn" | rundll32.exe
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3238318055" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EB29B65C-6CC6-11ED-A0EE-E6AF42CF752C} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376148688" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3223159989" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998739" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998739" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3223159989" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998739" | iexplore.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: iexplore.exe
pid | process
3032 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, rundll32.exe
pid | process
3032 | iexplore.exe
3032 | iexplore.exe
3320 | IEXPLORE.EXE
3320 | IEXPLORE.EXE
996 | rundll32.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: rundll32.exe, iexplore.exe
description | pid | process | target process
PID 2084 wrote to memory of 996 | 2084 | rundll32.exe | rundll32.exe
PID 2084 wrote to memory of 996 | 2084 | rundll32.exe | rundll32.exe
PID 2084 wrote to memory of 996 | 2084 | rundll32.exe | rundll32.exe
PID 3032 wrote to memory of 3320 | 3032 | iexplore.exe | IEXPLORE.EXE
PID 3032 wrote to memory of 3320 | 3032 | iexplore.exe | IEXPLORE.EXE
PID 3032 wrote to memory of 3320 | 3032 | iexplore.exe | IEXPLORE.EXE
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ace5208288f2437f4e6b5d7bb2aa5fdbf277f6124d7afe3b3d3f113e6987ec5.dll,#1
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3032 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: a42abb21be3940a88a73771b18ed0f35
SHA1: de12f2f619852ef135ee726614c43c2033ec5743
SHA256: edaf1fb1f6ca2a0caf5f4d85b3f13507bd5df4971fa9ea8a6e08c1227f1ec667
SHA512: c1f775deb2bcb2e0c48ed74dec1cd95f34690ca16d6465175d52d60ae45e746201cc608a58b6f8f080b7e6a7893993b61093c7d9ff63fa735ebaba61ddd0ebf7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 434B
MD5: 44f3fbf3d62cfe372f07970b7ffe1162
SHA1: 5e03815408845222e3f32a4ea980e60ecaab5aab
SHA256: 6b60c5d814613ce8362295f69a2c05b7404df430313253022c2833bd3b9f4064
SHA512: 9ec4e085dcf49c739a78b66e2ae436526a33ccf254499a8b626d20814a2314d03b96e1d847f27398faaed3f7118889065c14ef08f72c498d075146d3a8684a25
-
memory/996-132-0x0000000000000000-mapping.dmp
-
memory/996-133-0x0000000000E50000-0x0000000000E63000-memory.dmp
Filesize: 76KB
-
memory/996-134-0x0000000002640000-0x0000000002664000-memory.dmp
Filesize: 144KB
-
memory/996-137-0x0000000000E50000-0x0000000000E63000-memory.dmp
Filesize: 76KB
-
memory/996-139-0x0000000010000000-0x0000000010024000-memory.dmp
Filesize: 144KB
-
memory/996-140-0x0000000000E50000-0x0000000000E63000-memory.dmp
Filesize: 76KB