1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a

Analysis

max time kernel
19s
max time network
61s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe
Size

780KB
MD5

b7ec624b7201387e591798f6c1276551
SHA1

ab07b289ca804fcd3124d7a8830983edfb15e2c2
SHA256

1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a
SHA512

bef4267e96faa295c5d5e09d8fc74b47f5eb2286ab196803c1dc354a216b9f4246449b0f040baec3885ff31bac24c6312c3b6204e4d79ca835deda973c76040e
SSDEEP

24576:qhiDoNJQWSSo3YSKkci0LyB+XehPlFKth8Yz:eiDPWSS2Kkci0OB+ElgtXz

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

1992 setup.exe

pid	process
1992	setup.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b9c459e\\setup.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b9c459e\\setup.exe"	setup.exe

Loads dropped DLL 1 IoCs

Processes:

1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe

pid process

1816 1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

setup.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main setup.exe

pid	process
1816	1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	setup.exe

Modifies registry class 36 IoCs

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b9c459e\\setup.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b9c459e\\setup.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b9c459e\\setup.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b9c459e"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

setup.exe

description pid process

Token: SeDebugPrivilege 1992 setup.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

setup.exe

pid process

1992 setup.exe
1992 setup.exe

description	pid	process
Token: SeDebugPrivilege	1992	setup.exe

pid	process
1992	setup.exe
1992	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe

description	pid	process	target process
PID 1816 wrote to memory of 1992	1816	1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe	setup.exe
PID 1816 wrote to memory of 1992	1816	1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe	setup.exe
PID 1816 wrote to memory of 1992	1816	1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe	setup.exe
PID 1816 wrote to memory of 1992	1816	1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe	setup.exe
PID 1816 wrote to memory of 1992	1816	1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe	setup.exe
PID 1816 wrote to memory of 1992	1816	1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe	setup.exe
PID 1816 wrote to memory of 1992	1816	1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe
"C:\Users\Admin\AppData\Local\Temp\1e9041a54523ebc58eb461c51d803a4bf052b8ca0f0101d1704f2b2b0db59c8a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\0b9c459e\setup.exe
"C:\Users\Admin\AppData\Local\Temp/0b9c459e/setup.exe" ProfileFileName=step0.ini
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0b9c459e\installer\boot.dat
Filesize
1KB

MD5
82ff009dd3236db90393cead19bd2b16

SHA1
3b9eab7281a500960d6598316db7b8299970d8ba

SHA256
0f1d6e066ebc9ed29cc2f194fad5091431a57eb85e13fdd19d1c8881c9402e71

SHA512
47bc6609654812719030e470f949b2af139346937cb689d078de731d57278f2743da5a1cf2dd71bbadb47251be7e5b784c429ba2769559e2d4dcddc978fbe8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b9c459e\installer\installer-config.dat
Filesize
4KB

MD5
26346960decad3a50d16370897784854

SHA1
a2a5986399f33bd62cd15757895475f818291302

SHA256
e6283313fa634034a1251471b5517fa9264c55f1e8008af103dbb13242dcc88f

SHA512
1344d6c3201e33ff26063c58b2030b1b16fb8bcab951caa9bfe9cce4c09d190881705a7eafccc6ccfe0bdf1abf71ae360ea3e3ef10ee6ef0cfaf0eb1aba39e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b9c459e\installer\installer.dat
Filesize
36KB

MD5
298dc9fe1774bad46acae8aec86b8a40

SHA1
f9f5564461b94e309043e2c555b645fdb69611b0

SHA256
ceee1f89c72361136d3c7f884c9a54ccf3e99aa25fbc0aeef4c79c9f1e38307e

SHA512
a47c66bd350774b0932a42062952e9cd260daf0cf4b6a2f5ce886a24e592bb113aaa0d386c712d7a63ef3070f85540a8125579a524269091684e59ccc601f2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b9c459e\installer\new-screen.dat
Filesize
2KB

MD5
ff3ac2ce15df8c6e09677fff184dd67e

SHA1
a9b938df0cb6338c557c118766e25acc97bcf1f8

SHA256
ae780c4499c3560092e6b5bcbf4ae596f7b0df3e77d0d3cb3eeb33b54eeb2dfe

SHA512
a7fdd31a34c45d608f99afb06c9ac54c2218603f1d3828af13a0060e19f2d4903ddc253f3209455acff7459679e3514cade3289e21c1f3f598a07b7e8e361ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b9c459e\installer\step0.ini
Filesize
862B

MD5
fd41c9c95028561dd2ce2aa833504b1b

SHA1
c1ee291977a25e44b651bff6107c82629b6fbac7

SHA256
0caf581bba091666c922564f2c991659549b924bba3c0f0b41f33e63acea7b16

SHA512
5996fa9a6c20444e4f7610ed79acdfdf4aa5a69c3ad849437be54c5c8e5f906074c4c01083f9f961268b588f455e91f1b8fe9749b08d0782db44df369c890ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b9c459e\installer\step0.ini
Filesize
13KB

MD5
a8fda1fb574e4c7a41beecaad06e21c9

SHA1
375f41043acbd2267c534d5fdab38e6490cf6ede

SHA256
7edb90860f27f5f3a2de8a8c270bd48d4c321979ae00342039d8505ec70164f7

SHA512
ec8e7ca89c50ab02bed9b69a569cbe4d82531dc574debcf8ef0436209036958e838aa7454f7028dc26f8110836a2e91fadd6fad1d02e8864b4c62c8178fc4cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b9c459e\setup.exe
Filesize
1.4MB

MD5
c3bc99a2f410a5bede595c6a35aabc44

SHA1
cf513259f468b9b15d1749dbe60d215c0b76098c

SHA256
747193c4bdfed0a0d9dc2cd79e9682787169467c90e89d165026ccc220142cd6

SHA512
ddc3eee00d14947fc7cab3ff870328e9046c62357ef1a0ba809ec846a404e3797a1bead5c85ba393ef2536589ea69293da3eefa57e1e99f33b60912c1f1908b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b9c459e\setup.exe
Filesize
1.4MB

MD5
c3bc99a2f410a5bede595c6a35aabc44

SHA1
cf513259f468b9b15d1749dbe60d215c0b76098c

SHA256
747193c4bdfed0a0d9dc2cd79e9682787169467c90e89d165026ccc220142cd6

SHA512
ddc3eee00d14947fc7cab3ff870328e9046c62357ef1a0ba809ec846a404e3797a1bead5c85ba393ef2536589ea69293da3eefa57e1e99f33b60912c1f1908b3

Download Submit
\Users\Admin\AppData\Local\Temp\0b9c459e\setup.exe
Filesize
1.4MB

MD5
c3bc99a2f410a5bede595c6a35aabc44

SHA1
cf513259f468b9b15d1749dbe60d215c0b76098c

SHA256
747193c4bdfed0a0d9dc2cd79e9682787169467c90e89d165026ccc220142cd6

SHA512
ddc3eee00d14947fc7cab3ff870328e9046c62357ef1a0ba809ec846a404e3797a1bead5c85ba393ef2536589ea69293da3eefa57e1e99f33b60912c1f1908b3

Download Submit
memory/1816-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1992-56-0x0000000000000000-mapping.dmp

Download