d5729a5ff5816bafdf975027bb154b2483d45e00706433148e91c3a75d739346

Analysis

max time kernel
100s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5729a5ff5816bafdf975027bb154b2483d45e00706433148e91c3a75d739346.dll
Size

488KB
MD5

59150b72da8f2a912d57c79533e5614d
SHA1

50a059bb9a12be3461866c36150c51bfb2034bbe
SHA256

d5729a5ff5816bafdf975027bb154b2483d45e00706433148e91c3a75d739346
SHA512

cab3a0877538f8db4851501f517e8a04f2a8a7cda5683d2c2bd259a6182ffcc7b4c9a447e8f1858e8af26ba8635adbef43ff0217086a0fb6db4f14bf06f3f2aa
SSDEEP

12288:KBn7Uu9eEB18wTt2vcv+c2yBxsF8888888888888W88888888888:U7Uu9eW3TtQo+ABx

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 844	1956	rundll32.exe	29

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376231141"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dd3253c89d354440ad47e79e0da363170000000002000000000010660000000100002000000008176b1fd3b892639ca20b218e3958409406e1630d14c940d79458bdc39f7d6d000000000e800000000200002000000073d268f924d4694ea0c9dd9e9bd828a1b595720e7aff62045f0e57d6aa628ac0900000007cac7497b95af25cb30b1cb394439e31c64f30770bc0c561113553425261139ff056263fd1828c3ca15e47227aff762c8431def3e6f9b774e8c6779987c22e20fdd2ebeca6a382acae2062224b627fd04895ea74bf6f32bdbc73fc17c8e6c5a496734a1bad615ac1b0119e9bb9b03a28bd254801b9a04ea9a63f17539df9761a68f0a3f62749493f656f1b991523a89e40000000091e0a7a3a6499c8cc296be3d7e8096df7e7a3a6879bbace31874eec17ff26809498063bcff0dcb339819b30b1cc73dc71add67fb86da296a1bb287f3aacba36	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dd3253c89d354440ad47e79e0da36317000000000200000000001066000000010000200000004a31f1e3be5ecf19ea6ebc379b3e7a4bdc6cfff4953603cd67be0c02e03ca1c2000000000e80000000020000200000004f11a87b9b6194482c2f4a986cd0995cf7d735a3c18db064c09a2b509adcc695200000001195ff685cc35f11fff660f380c757d936f498c8c82d4782f29fda4ca4278ac5400000006080b67c977d69247f578f3c0fe8316205d3d7e8f52f261043bb8ed2085116572d51b96bfb5661983780ae33ff1b20abe25dc5a29e189537d50b4a59fc4e9e67	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f03e6ace9301d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4F17CB1-6D86-11ED-BF27-66397CAA4A34} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1656	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1656	iexplore.exe
1656	iexplore.exe
940	IEXPLORE.EXE
940	IEXPLORE.EXE
940	IEXPLORE.EXE
940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1956	1404	rundll32.exe	28
PID 1404 wrote to memory of 1956	1404	rundll32.exe	28
PID 1404 wrote to memory of 1956	1404	rundll32.exe	28
PID 1404 wrote to memory of 1956	1404	rundll32.exe	28
PID 1404 wrote to memory of 1956	1404	rundll32.exe	28
PID 1404 wrote to memory of 1956	1404	rundll32.exe	28
PID 1404 wrote to memory of 1956	1404	rundll32.exe	28
PID 1956 wrote to memory of 844	1956	rundll32.exe	29
PID 1956 wrote to memory of 844	1956	rundll32.exe	29
PID 1956 wrote to memory of 844	1956	rundll32.exe	29
PID 1956 wrote to memory of 844	1956	rundll32.exe	29
PID 1956 wrote to memory of 844	1956	rundll32.exe	29
PID 1956 wrote to memory of 844	1956	rundll32.exe	29
PID 844 wrote to memory of 1656	844	iexplore.exe	30
PID 844 wrote to memory of 1656	844	iexplore.exe	30
PID 844 wrote to memory of 1656	844	iexplore.exe	30
PID 844 wrote to memory of 1656	844	iexplore.exe	30
PID 1656 wrote to memory of 940	1656	iexplore.exe	32
PID 1656 wrote to memory of 940	1656	iexplore.exe	32
PID 1656 wrote to memory of 940	1656	iexplore.exe	32
PID 1656 wrote to memory of 940	1656	iexplore.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5729a5ff5816bafdf975027bb154b2483d45e00706433148e91c3a75d739346.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5729a5ff5816bafdf975027bb154b2483d45e00706433148e91c3a75d739346.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.java.com/pt_BR/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1017dcca002b50ab49e34b46fe513803

SHA1
16d60521260e274d1c71291c4c8f89652c6dc30b

SHA256
a8abcfa6b5b30d0cffc3c5f57c02d24a97147691ff5ca1389a9e24c7d4663a0c

SHA512
f84dd942eaa60b12b326bab7cf70940991c2767b322565caffef0019bb735df844e79cc0499698f89ee4445e0d87c2d22ee7aee20626230337cfb258f1278763

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GFY3SWBF.txt

Filesize
603B

MD5
e9486084d4f162fa61acd46e5ac426b0

SHA1
7be998b3a7f521a5d688d3035a9e958cebd81d7b

SHA256
f1df570592c91b55a54eb170fc8695d0c2fa4da1a5b6db214927d836d3f0e8b2

SHA512
e929baf8f0e216d0a607f4b27dab93eb1e47efea30a6c922ca631a73f0c244c4d4928b13e639bc7a421dd860cee4fa3395aa2c2c318baf0c538ec7c2275d2e01

Download Submit
memory/1956-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download