550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689

Analysis

max time kernel
151s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
Size

154KB
MD5

19599cde7ea15ce8a74935e00326a441
SHA1

93df894a44c9fe0f3afcbc47c174017a3d6d6c84
SHA256

550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689
SHA512

860dd4f2d7974532a0045b7e09ca611782dd6757ee8ff68b57e4939b3bb28147e22ea66a907c6557f8fa0c0da699c86e0bbec5f9c812678e1aa569ae7792a9c9
SSDEEP

3072:OecF+3EtOzu41w4M9tzKxHzVqPcnPr3NKyciXPVHuzAPgiAzzVW8i:OecFs3Mv0HzVqPubAyPXPVHCPk

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SNJQ66R8MU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe"	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
File opened for modification	C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\International	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
5092	550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe

C:\Users\Admin\AppData\Local\Temp\550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe
"C:\Users\Admin\AppData\Local\Temp\550ad71c892ae9e8a69f523520af9dd45536cedf01073c714316b65cb27b8689.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5092-132-0x00000000021D0000-0x00000000021E6000-memory.dmp

Filesize
88KB

Download
memory/5092-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5092-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download