ae6287c078c5c6426a12723e67951ce1820a0eb1af1c176a1d3fecc7a699614a

Analysis

max time kernel
135s
max time network
154s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6287c078c5c6426a12723e67951ce1820a0eb1af1c176a1d3fecc7a699614a.dll
Size

666KB
MD5

a500d3575e09c282cc97b9d60d5270c6
SHA1

9926800d8436264b7d78b45f41ed071f3469aaa8
SHA256

ae6287c078c5c6426a12723e67951ce1820a0eb1af1c176a1d3fecc7a699614a
SHA512

6cdafad189a8e5cfe5fe05c62b28120d0c69296570b0d3317e9196324255cf045b1d18614ef89e8f34891987584159796499b30b1dee69252ddad097d2e92f99
SSDEEP

12288:UBPgEfxixsIbWME80+YAKK54ygTGI0JwT8TOG6V4W8KorWeIqZxS2sBxcHQgEyqW:UBAbWME80vAxHgTuyTuOGiF8rqePW2lz

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 360 set thread context of 680	360	rundll32.exe	29

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "266"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000009e84dd83c12a89e463810b89d72e140077acb7a8cf21e2b4055a780f1f977e0a000000000e8000000002000020000000d78cea077ee14bc2db52ba0c0fbc7560e029b6ee290461e33a9480de0deea47f200100008749c359882092d4919479089d3cf0c9bb8114c69b8f59aabe1e82d5e9ef084758ac3d3628150adbfdad72cd0e7f5546e517d17c8ad239541bafc2a409233d349c504d73a0face5026bde4476fd8500a72c5a1ac07e4a7b84505f057133cdcf6aa25b37d00ed68dea6de411891d2e0cc90e66e0145309088c74df5c364e2a2c1e8887b08ed820c6223ce72b5230d3ad2aa5f935a677a1bba75454b0412ca972cb0077895ca73a3c62458eb517b520bbd95b730a2f78c90f090d433ea42e1938c77fb73121b1b8364b7b0081565f54f3d777837cb7c5908de59368a53e394f750a7933a3e11ef0a2b2eb58b0427b96b6bbccc3f8aa64cb5832e2e395f6fdb6b8653ad789038b52897521aeea23c87e0c3f719b92201af74483475bce6b495e3da40000000957d460df4b798ac277d2dba957771ea24435ced683e4697088e1c0ed6879ef92455da2f54c2a13cddbbce4c4025332adb80e9556980d5da3a8e38f5459cabcc	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "266"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{90188361-6CFE-11ED-9D71-7AAB9C3024C2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "144"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "144"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000395e40b2b8f84fae2b7b1d89904c0dcd7ceb59245a04e2e0edb3705726616329000000000e8000000002000020000000175b96eeab3a7c17402438f2ec3b7385272e2ab8bd6937f9f2d7ab9f982b49dc200000002a69fe88fa078e4bc8db7e96ee57a3a2f4d2b05f2983327be057dc6f9d909d1c400000006431ebb184cd4ed6e853bc404ab8122e41eefa0871881edc01244c7babebd8b35b3478fd59179b50565f6127e4e51025c3aa7af9e71c327c30dc03f0eaa110b2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376172616"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "144"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 305ce2860b01d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "266"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
360	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1268	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1268	iexplore.exe
1268	iexplore.exe
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 360	1660	rundll32.exe	28
PID 1660 wrote to memory of 360	1660	rundll32.exe	28
PID 1660 wrote to memory of 360	1660	rundll32.exe	28
PID 1660 wrote to memory of 360	1660	rundll32.exe	28
PID 1660 wrote to memory of 360	1660	rundll32.exe	28
PID 1660 wrote to memory of 360	1660	rundll32.exe	28
PID 1660 wrote to memory of 360	1660	rundll32.exe	28
PID 360 wrote to memory of 680	360	rundll32.exe	29
PID 360 wrote to memory of 680	360	rundll32.exe	29
PID 360 wrote to memory of 680	360	rundll32.exe	29
PID 360 wrote to memory of 680	360	rundll32.exe	29
PID 360 wrote to memory of 680	360	rundll32.exe	29
PID 360 wrote to memory of 680	360	rundll32.exe	29
PID 680 wrote to memory of 1268	680	svchost.exe	30
PID 680 wrote to memory of 1268	680	svchost.exe	30
PID 680 wrote to memory of 1268	680	svchost.exe	30
PID 680 wrote to memory of 1268	680	svchost.exe	30
PID 1268 wrote to memory of 1532	1268	iexplore.exe	32
PID 1268 wrote to memory of 1532	1268	iexplore.exe	32
PID 1268 wrote to memory of 1532	1268	iexplore.exe	32
PID 1268 wrote to memory of 1532	1268	iexplore.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae6287c078c5c6426a12723e67951ce1820a0eb1af1c176a1d3fecc7a699614a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae6287c078c5c6426a12723e67951ce1820a0eb1af1c176a1d3fecc7a699614a.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.java.com/pt_BR/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1268 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cf21278c78fe6e4a45d9de8e4d3fd73

SHA1
f10deb8cab744501503d51321640855ddbde8270

SHA256
7c2c57a7808b3e756dfacf55e83c1e48373fda5d9f84756956f298ff5313b9ce

SHA512
883efd998e20430d9af7b0346847c05be4fd436e0de7cc6b9c26b365eb01ea63d4d8be78e57e1ea0fb85f126ed31bd0164c3c6522834acac7b42bae271cf3ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
1KB

MD5
fe5862c81c7398f6b073059bb62b2c60

SHA1
cea44376e42c992800f23517cd329b35c706c32b

SHA256
0a538732a65a43a076ec6814a98ca3462ff02ef2c808b14c899917788805e5c6

SHA512
390d2a1fbcc8f091a82ddbf04276b723c2ad74e580ba752f1ca47a8dcf856b1ba8346c6aa2cccb55983adbb43e03e7c63bb70fbb889be2599a398e2efd13dff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.gif

Filesize
1022B

MD5
e8f7fdb9e108ee44039f52e157b43a10

SHA1
51e6bebebe0ac865c065eb9a6c3fd41f6c3c3c70

SHA256
d5a320d22071d9907e6c456b83b422978db1bc7474274ee4afd5bcbf6f5fd0c2

SHA512
aed5b60b7e777655d4c88b56c77fefe7dede00b4ca5f17dbfbbbb60897133f520391dc6fefd9e5a65fdfb6c00b12aa806d4ba60a442f5bbb280ca31cafc8879e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QG7XW2YO.txt

Filesize
608B

MD5
9c8e73a6bbac51ec5b8a4b775e1a96e1

SHA1
a028c57d14564347b5f75f9e2f7ce2779b548671

SHA256
5742c1f30b8b2bb021cb4b744f84e779cdbb2001dc30360e889f5ad68c96106a

SHA512
30ebd1d044fe019cf9babda82f04adb5f32903befa3d0cdcc4de1ed5ef4ef2218cad576c56338ef4baf3beaca8c3aaa522acda44707fd8968100db111c7faf0f

Download Submit
memory/360-55-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/360-64-0x0000000005F30000-0x0000000006039000-memory.dmp

Filesize
1.0MB

Download
memory/680-62-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/680-60-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/680-65-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/680-66-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/680-58-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/680-56-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download