4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc

General

Target

4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe
Size

1.1MB
MD5

a6c84f6b96e016a2093bb546d4b597e2
SHA1

e55ecff5d86f7b23b7809600a7df86d067a2d45c
SHA256

4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc
SHA512

f9cc8b3116353acd8174c6e30d772337df1e5dc8a7be107402428dc414739ef66a8085e3b9097d0592fc714132247ffc36e98c5953f9755c652fb3633ed486dd
SSDEEP

24576:htb20pkaCqT5TBWgNQ7aGRVZe8MdRYtN+b6A:yVg5tQ7aGY8M8tC5

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe

description	pid	process	target process
PID 1224 set thread context of 816	1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d116101422b99e4cb5eff28bda49628b000000000200000000001066000000010000200000007a76188d06f65cb439f890b531d279caf1c8b4267f0cb75a2ba463b92f509e79000000000e8000000002000020000000e59e5c5c6606638959bace855555348f39e082ce25a5dd7134b4adaf73dd965a9000000004cff278c305ea9ebbb33dd96e189df6dc11aef462607fe0fecfb7f319d798ae607d8ca3ac66e9357fe53b62174118b55e9e6be124e3e6f70aeaa323936b0f0d46e2551988b935da53b5b3eae1d405c484dd0ef23d52bacea02cf2e35458ec3c25071bfe2bff02e2a999a874e7fe413567f8e18b581ae486483d313ae6f624ca1aff8043648ad6b95745fd3ebef539314000000096cb2f2876bf4bbf946770d82d6bc8c29cae8c3ee4736184508a54f6d9565a9b3afe5ce32b3beaaf8b790322f995c8cb8058a1b6a36a3656cb493f12bbdba151	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d116101422b99e4cb5eff28bda49628b00000000020000000000106600000001000020000000a0651d4587a02700f8341d365e3dcbe98df7a7847b761e25e713c5dab5a28416000000000e8000000002000020000000b0eebf290664c2629da18b26b43b7467ec716a72f58ab56c0995656069e4a7c0200000000f838c13eac55375ad3c1f56bf2a6c34a8f100b04a57df1d7910d788854d747440000000d172db3b15740239a14033846073c8e2805df088cd34735a76dce5adf142ad10a34f2b111796b2b300b81491fc22d8f70549fe6512f72dd4f5c35f1449b0b83f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c00db39f3e02d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B611C481-6E31-11ED-9C7C-660C31E8D015} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376304517"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

NTFS ADS 1 IoCs

Processes:

4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe:Zone.Identifier:$DATA	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exeiexplore.exe

pid	process
1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe
1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe
1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe
1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe
1716	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe

pid	process
1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe
1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe
1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe
1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1716 iexplore.exe
1716 iexplore.exe
908 IEXPLORE.EXE
908 IEXPLORE.EXE
908 IEXPLORE.EXE
908 IEXPLORE.EXE

pid	process
1716	iexplore.exe
1716	iexplore.exe
908	IEXPLORE.EXE
908	IEXPLORE.EXE
908	IEXPLORE.EXE
908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exeiexplore.exe

description	pid	process	target process
PID 1224 wrote to memory of 816	1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe	WerFault.exe
PID 1224 wrote to memory of 816	1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe	WerFault.exe
PID 1224 wrote to memory of 816	1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe	WerFault.exe
PID 1224 wrote to memory of 816	1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe	WerFault.exe
PID 1224 wrote to memory of 816	1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe	WerFault.exe
PID 1224 wrote to memory of 816	1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe	WerFault.exe
PID 1224 wrote to memory of 816	1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe	WerFault.exe
PID 1224 wrote to memory of 816	1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe	WerFault.exe
PID 1224 wrote to memory of 816	1224	4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe	WerFault.exe
PID 1716 wrote to memory of 908	1716	iexplore.exe	IEXPLORE.EXE
PID 1716 wrote to memory of 908	1716	iexplore.exe	IEXPLORE.EXE
PID 1716 wrote to memory of 908	1716	iexplore.exe	IEXPLORE.EXE
PID 1716 wrote to memory of 908	1716	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe
"C:\Users\Admin\AppData\Local\Temp\4ca9c066f3a6ef10e3ba272b749514384ab277c3819047f57d42b4a744594abc.exe"
1⤵
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\WerFault.exe
  "C:\Windows\SysWOW64\WerFault.exe"
  2⤵
  PID:816
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WerFault.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\POG1S5H0.txt

Filesize
608B

MD5
731987c57a96ea3dc0c53c0c0c9b7ff3

SHA1
38f380b32f82ef9ed01366862d5f1689d8481dfe

SHA256
ff918add40b03db87c6daf371b8c507ff18391ef84785215fa49c42e6a59f97d

SHA512
83e8af95e3564ab59a962d22f6bffdf9a18c1da40b5d4856b46a1786802da37c31dcd162cdc555660f759536d73bef5920548825eca2cf071f1731f06dc3a292

Download Submit
memory/816-55-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/816-56-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/816-58-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/816-59-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/816-60-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/816-61-0x000000000044514E-mapping.dmp

Download
memory/1224-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads