deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e

General

Target

deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exe
Size

600KB
MD5

81a4839a22c9ce63b29a3494d5e8e271
SHA1

8220025fbf0a5cc0a1960101c907955629db2a6f
SHA256

deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e
SHA512

1df71f34d6d6172e07921a1d12238fd43a8420179dcae7fb94d9343add8c2ed71888f15fe05e8f52d563a0abad6cd78353d2ec862c25b5ae201a100cd22635b5
SSDEEP

6144:/yvNdOw29lBUcyp7aXs73hq+uJp1UwyoYemQcA0FHnJ7DZ7Ahg0BFhOBAavE:/yOw29h2mXs73cVUv9/HnxDZ7x05Oo

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000d143977a6842342e00b1b517fe3fd8da4adab9febcb92b9d8844244b03a9ddf2000000000e80000000020000200000004c242e5a7f5dda00611c9489385a241734d568ef273020e4a0edcc02b4bec51620000000cc4af234827f644fb46bbab65113135f26e40f57b5d8ecd01f15662377d58c1240000000dd30714ba34da1fd480bb9b909a6379e15d7d110b595738d5d369e673b75f1c3e06a07eaf948505941d2f7e163b9468ab84738e844d596f1ba061d2b529f2512	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000043c9987dd7cc3d672a0109ab178d4e9159880bc948f4d505653ff32616262650000000000e8000000002000020000000e50bb4fcf379bd833efd251812f293d473eaa7bc0e5873e9b3b09ad4e06238cc9000000045c1f2df41dbee2d0480233baae40ddccc816e48f2d609ba152fdd856b9745a650d4d2a4a3499193d6430301a5f8f043c2dacd7ec1c49057e25c4ce567de87a984bbb88150f66eaf4fac19d445f4a31f93a21aeb5b1200a8523833b0356268c8ea5f780f680e3c1ee363d1b760c7f56679136dcffdf36073376c6d81864595f656e93c9e8a2d9dbd07374ef8038b646a400000008200793511bdf763cd2c40c65affdceb1a6f2eb110655feb619cd352b007ddee99f6d0ad95a63669936241c5910de57c898e77b759bf1a4fadc57547c6e0c83e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376173433"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7FB38B31-6D00-11ED-A005-4ED4A804E0FC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60ce7c570d01d901	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

892 iexplore.exe

pid	process
892	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exeiexplore.exeIEXPLORE.EXE

pid	process
1160	deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exe
1160	deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exe
1160	deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exe
892	iexplore.exe
892	iexplore.exe
552	IEXPLORE.EXE
552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exeiexplore.exe

description	pid	process	target process
PID 1160 wrote to memory of 892	1160	deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exe	iexplore.exe
PID 1160 wrote to memory of 892	1160	deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exe	iexplore.exe
PID 1160 wrote to memory of 892	1160	deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exe	iexplore.exe
PID 1160 wrote to memory of 892	1160	deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exe	iexplore.exe
PID 892 wrote to memory of 552	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 552	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 552	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 552	892	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exe
"C:\Users\Admin\AppData\Local\Temp\deb818a627dc9fb39e3f5652e379fad89d09fee88233e70a086f3366b8796d9e.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dz239.com/gen/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1KS4REUU.txt
Filesize
89B

MD5
81018b51f08e89064ab254e45367d266

SHA1
c440798d44eaa65ceb83c9810ab5ddaf7de0dd4e

SHA256
e3d7b4c5cca4bc3e27b7b1338a68d6b2f5adb9633cf6481451915858fb1cc10b

SHA512
6567cf1218baa9e38ca4a14ae728b62f1d2c1f10e05d3bc4d3a6422d20b98e9121f4378a104c12274b485ad29c21a8be9238f343f10036d3cd5ce4a8bc4f5775

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LQZTZZC2.txt
Filesize
608B

MD5
b253f7159c600262ff00b888956fd3d7

SHA1
c54409cd78e449cd8629820b448b7e189252beb6

SHA256
1ec5d48b8ce06aefda2d99dcbc40e8ee2d040992d56ac3ff2d8c56360f1735aa

SHA512
bc36cb2423d27ac21313c2146b817497b12e0f58e7cdb219c76b69a59976a887cc9531bf56588daed40b8844cb551f64b8f0061c48553a9c385b8c1bd187b776

Download Submit
memory/1160-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads