ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc

Analysis

max time kernel
81s
max time network
165s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe
Size

1.3MB
MD5

b1fd26e97f2e81a66c412574e5647e34
SHA1

1bea16036a58c603b3422896e8b1f37c7eb12b84
SHA256

ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc
SHA512

04e5c7799e918a9380ccaf3ee58caf901cd48f1f2b0b635323529c1b7fb4e641905233d6712fa0f042e131738d72dadf46b0721fe3cbbe75e9fc2ce93e783287
SSDEEP

24576:8qyGy7DgvIwMLdZiz518Jh1G92pq/2QRe1sOG3l:8D7DguhGiPS2A2QReeO6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ali213.net\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376442699"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ali213.net\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\browser.ali213.net\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{74255801-6F73-11ED-85E0-FE41811C61F5} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007ddd1b070fa9a8459566b626c31d7362000000000200000000001066000000010000200000009b91187edbea9cf04285384e2da687d705934ba60711e546e59f6c69abd21db1000000000e8000000002000020000000c8b8f34a01590acf97f2f518cd2751c17d70edc1707cf85257b402aacf3cf31090000000ef5481b6ae5a7a45afdeb9182e75752b5fe4ac398c12703cce1d2107d8a5cc1be37cc76baec93ac512b77b99b177e218067193fc6164af54bf9fa4bfee9999966417d0406b45da810fd6d8202feb327b0643f5627f642c472fe0229bd01219c26910d728682e9202921538dd08c2264cef74f032fb1e70d95cbb3a22fbbd0472e5f4156134682944d1e5a5634beb176c40000000b6eba711425109d30094b899cdc8a6074a8f452b3c02558959f17bb146723a92e154753643cb1284cd8969400af6f694adf54fc32c4d036eb79a2cda9cc6ce00	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40bc604e8003d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\browser.ali213.net	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007ddd1b070fa9a8459566b626c31d73620000000002000000000010660000000100002000000034eb0dae8d9e1559eb5c6bec5cb084876cccaa7ec0e26729dd74bfbd642da7ba000000000e800000000200002000000061f79e48c4e3af6ceafcd64bd00218079cb668db12f65025456a5bf8d03f008a200000005a5ed86285653db8a345c06438aeadb658b33518fe358c49ba6f2998afb8246a40000000db17e35589b13ffb70c361e4ebe7943895b6143c95fb35d351ae9e9b6d88802b46d538f82b4a001da30f917803abbb36fbb2b5d163bd9d299eb01bf2a7694180	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ali213.net	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2000	ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe
2000	ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
268	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2000	ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe
2000	ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe
2000	ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe
268	iexplore.exe
268	iexplore.exe
428	IEXPLORE.EXE
428	IEXPLORE.EXE
428	IEXPLORE.EXE
428	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 268	2000	ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe	29
PID 2000 wrote to memory of 268	2000	ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe	29
PID 2000 wrote to memory of 268	2000	ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe	29
PID 2000 wrote to memory of 268	2000	ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe	29
PID 268 wrote to memory of 428	268	iexplore.exe	30
PID 268 wrote to memory of 428	268	iexplore.exe	30
PID 268 wrote to memory of 428	268	iexplore.exe	30
PID 268 wrote to memory of 428	268	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe
"C:\Users\Admin\AppData\Local\Temp\ad2b6a26a419855a75af65a719dcefbe549f531b7c9a53a91e6e9f1258a89bfc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://browser.ali213.net/?
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
fce8e1dd061bf4538a7f75e69811f445

SHA1
30d92a7ac08bb987dc695175e80f63c1511a875f

SHA256
a8549eada2d06f84c29881cee9d5606c05a3c1ba857eb01b3911cff1f17eaf69

SHA512
d895fe86a79fbe347dc8ce4fdf3a9dca7acc398ade691453c454d543823207c9b7204c5e0700437a6d8e1dfcf3d21a6077772254bbe7405a50dcc30ec7c73112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
21KB

MD5
dea8e3ed7c8dc0dc4f6c4f126916085b

SHA1
a708f42a337575e3edd216b1cd577f60d6785a61

SHA256
190e20af3eae474546424de3b169fc5e426f30b9e483bfe4f81d39de51605ea5

SHA512
16e8e92cee19040586d84e00b6fc0009a6b11ce984fcf96a7849b5ea6ba486600e5167909ad1b2b538afb221ddc8ab3bdaf3084adf0c970efbe764682dd8e7a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U63LNVU6.txt

Filesize
608B

MD5
4d491d7176ace2b3154f2bbcc1b2d503

SHA1
6d8877846eef79d4e30a3a8f5930fe2d05183987

SHA256
389c3b185363bd077e7149fecf9463ffbc98e0cd108cad4638b30f96adbe4ee5

SHA512
9eeaea88431c67606a7ba1f5fd915634f7f928e2f31d382bc767b128c22e288fa9c56bafd7b9325ea7193a7f581d6b6c229e431abb16ef15f77d352b4c9f6e5d

Download Submit
memory/2000-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/2000-55-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2000-56-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2000-57-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download