bae57ea87dcb32a31267b90dd10469e3d5af905f41c80b972c35869b47ac6617

Analysis

max time kernel
202s
max time network
251s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bae57ea87dcb32a31267b90dd10469e3d5af905f41c80b972c35869b47ac6617.exe
Size

51KB
MD5

8191a193cf8e6576152558fc423e809a
SHA1

b97b5acaf9bafd3f9ebb832fd39f82d8f3f4954e
SHA256

bae57ea87dcb32a31267b90dd10469e3d5af905f41c80b972c35869b47ac6617
SHA512

33c0766d92ce2df7fec25c9afd3eebd9293bb31f18b2db41531c6e86c489b26d860f71a5efae34407735cf584a06ac34bf10033d8455b689f8e7acd13f9b196a
SSDEEP

768:ZdpnF5/ija+1I+NYVawgYvCAvEZQ25AX94JowOy5up9/05unb184woTMe28xoEP7:ZdJyqnvE3tJGbB05gVxoEP7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\sina.com.cn\NumberOfSubdomains = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.sina.com.cn\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376340541"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000ce5b59db242f4bfa0285aec31bcaebc1dcabd5dd23114671cf44914e144049ba000000000e80000000020000200000000f93d491285e9b40d1d241c90ff53f4e0ca72f7bb1d68f18589460d27919ed2790000000cd5b613254d826af0036597710e6d174090daeb5887438a9a94fb15efb13e22d3c520e40cb6bc66802f7022a521105df5566b7825acf3b596b2f23187b6a108461ecb1a19b42af9e65a3c101129c0dd26363e6ed69110d5b1fefd36532792444ab39fdf67d1e4f75a4eadbb5da34f80be6966c63446d751ef6d1a90dbabbd30f69c8d2d96dc89be844460c7e128f7b2d40000000b81cb86bd22a881fddcc55169af27697a2ff3a91dc797b0fdf74878f7b0d0d90a839626bd32bb520676e8ee90581618f36bc6983f3916f46e9bd2f6e2c09a849	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000079b17c3b4659e4519562ade438e3c03f3ef9e9d0c3f96fd6dc04235636277587000000000e8000000002000020000000a37443088fa696241b1a3b3e7354d6465d8605c651f45fa3416d71a4c3802228200000008f26de59758e38ed6babba419cad9e3ef505eadbb182ea32b2bdd4d2b88abdc640000000b51b4720318261831c339799849859149c7793d354bee3d49407abd173df2b74630468e9d2936f7ee39a0e95c75e8014eadcfe119fb7ca2cf2a225f4ab029ca7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\sina.com.cn\Total = "46"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8CB17051-6E85-11ED-8965-5263E908E3CD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\d6.sina.com.cn	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c325879202d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\sina.com.cn\Total = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\sina.com.cn	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\d6.sina.com.cn\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "46"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.sina.com.cn\ = "24"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\sina.com.cn\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.sina.com.cn	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1172	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1428	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1428	iexplore.exe
1428	iexplore.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 652	1220	bae57ea87dcb32a31267b90dd10469e3d5af905f41c80b972c35869b47ac6617.exe	29
PID 1220 wrote to memory of 652	1220	bae57ea87dcb32a31267b90dd10469e3d5af905f41c80b972c35869b47ac6617.exe	29
PID 1220 wrote to memory of 652	1220	bae57ea87dcb32a31267b90dd10469e3d5af905f41c80b972c35869b47ac6617.exe	29
PID 1220 wrote to memory of 652	1220	bae57ea87dcb32a31267b90dd10469e3d5af905f41c80b972c35869b47ac6617.exe	29
PID 652 wrote to memory of 856	652	cmd.exe	30
PID 652 wrote to memory of 856	652	cmd.exe	30
PID 652 wrote to memory of 856	652	cmd.exe	30
PID 652 wrote to memory of 856	652	cmd.exe	30
PID 824 wrote to memory of 1428	824	explorer.exe	32
PID 824 wrote to memory of 1428	824	explorer.exe	32
PID 824 wrote to memory of 1428	824	explorer.exe	32
PID 652 wrote to memory of 1172	652	cmd.exe	33
PID 652 wrote to memory of 1172	652	cmd.exe	33
PID 652 wrote to memory of 1172	652	cmd.exe	33
PID 652 wrote to memory of 1172	652	cmd.exe	33
PID 1428 wrote to memory of 1520	1428	iexplore.exe	35
PID 1428 wrote to memory of 1520	1428	iexplore.exe	35
PID 1428 wrote to memory of 1520	1428	iexplore.exe	35
PID 1428 wrote to memory of 1520	1428	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\bae57ea87dcb32a31267b90dd10469e3d5af905f41c80b972c35869b47ac6617.exe
"C:\Users\Admin\AppData\Local\Temp\bae57ea87dcb32a31267b90dd10469e3d5af905f41c80b972c35869b47ac6617.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1220B3DR.bat" "C:\Users\Admin\AppData\Local\Temp\bae57ea87dcb32a31267b90dd10469e3d5af905f41c80b972c35869b47ac6617.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\explorer.exe
    explorer http://blog.sina.com.cn/romdiying
    3⤵
    PID:856
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3 -w 1000
    3⤵
    - Runs ping.exe
    PID:1172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:824
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://blog.sina.com.cn/romdiying
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1428 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a44efd68bfc6d5f94478c95de0494c5

SHA1
5a4ee2193920be103d43552d37d5e8ba4fe369e3

SHA256
8863231cbc4468347018600d0a16e19e6acb5c8c3e9f477a42a5681e900ef8b5

SHA512
1dafecc2f286744b7df5f69f107ed03f0b0035dd5c7e57a7a78be63da1afa839306aedee93367a7acfc1d6f3a0a5ef0693431ed091d5d42f5bd056389d26294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
884B

MD5
f990552fe0e3756c6e4342463a2a3d95

SHA1
315b47ff5f6f1b2d4feffdd26e3ebaa1fec1deb8

SHA256
c4b6639fa476701b60d94e72ac1790084159fd6f73ab7f9d57d9a5d73cbc2bbb

SHA512
9286298e4af88b6e0abc8b6c2701c2f6dbc836a9e3a8c6bf491dec5512635e5ebfcfdc2375402b628414ea8e57c2e126b7b8c0fc18333b97f64276d40db1fdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1220B3DR.bat

Filesize
3KB

MD5
6b2c10bd5e84c5ab6f676d0fa206b0ee

SHA1
0c1ce2357a51f40543b00270089c8921d9907e82

SHA256
967a1d4b85b00d213473e445561f1dcf916f8e278b62141d6559c6d635403831

SHA512
28955951ccf348d89d7d72ff09f806c6405a9851180e0a9668cf1af9fd9db4ba36762d8e1626179543c53446062d1dc2ff888324c06bef8bc30a2168ca49fbc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4DMDBDJ1.txt

Filesize
608B

MD5
2c7a761fd57e900226d3b04abcb01c47

SHA1
c080b6c7081442a0a4e73f5bc3ae8f64a2efb9e5

SHA256
2e4b63c34b896749766412f88216b5fc310ddc3de471622eb019c0c2a5e24e7e

SHA512
a0b322dd1a6221e0526c89d51601b9c9ada0556be4446288f907e4102a28663fe760df3cb23c1883ac24ea0464ebbb0632edcae33617310d468f5789b99bff5c

Download Submit
memory/824-59-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/856-57-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/856-58-0x00000000750F1000-0x00000000750F3000-memory.dmp

Filesize
8KB

Download