35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db

General

Target

35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db.exe
Size

1.1MB
MD5

ffd0cf25adbdab73f84daaed84bdede6
SHA1

138c05f62392714c8d3cb0a9f7c97fbab07585a8
SHA256

35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db
SHA512

4456cb9aca2530e501a4686902bb0872b99132b84fdc4a804daa00820a43988f3de1e884f0000aca966c53f0242889a7cfd75e24fdcf3302ca31f32276d74905
SSDEEP

24576:zELTkXBwWja4SlukeeKL0xJaqT//aqT8E94Tf3C:ox6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{98DA3681-6FDB-11ED-B8AC-EED7317926BC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20f7a382e803d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000c3b2f3347f18e5dca3de7d6315f0c46b2869949cb904ad837dcba4c6eb48f95b000000000e8000000002000020000000e8c408592843a2c4955c30b5edeb2c583fad34acdd4622d6b2c7cb8bbfe827f09000000049af8944043f43b6a4b3ef8708d32d2a2b5ad2b6b248df4634599af123e31faf8e218b061c99173c958b91e2464948b1dfa16c9f5c7d9301fbb80dc4d20f784f3d889155914510d9f8a50fc2398800a7ccc7a980b12cab3be736d3bff3fe1ed484aef8250ad7d0e75d4afb8d8a4a29c41b27664b6b4d02a3ba766aae660c9956a0c8d2ebca3eba42fe44837e83bbf5ef400000003b2bd4b1133013a9b4ad7896f7f6e9d71229505094082ee8a814bccd9031a259f5e81f34c2c0f689e89465a46122b6918aee20947de9e6067226ecb64f1d14a5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000ab09da79041f6cb4c78e2155d06a9fe004ec87f85d9088500ca5d6cbc3307d9d000000000e80000000020000200000008e936b87fbb425c1f1517da500d22884db5f0108029123c46bafa9601bf54b222000000012c915d75212304fd26b84a2cc927a3de6f4132faef32ce2e04a7a5ca61704d2400000008d497fef2dfb7b9f8c71482c4abf1c0498c44083039ac90b6799df6418ec96a40948535f94c719e07fe4efd09e484e3489c12d887c54c421c93afeadb6973d18	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376487438"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1180 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1180 iexplore.exe
1180 iexplore.exe
912 IEXPLORE.EXE
912 IEXPLORE.EXE
912 IEXPLORE.EXE
912 IEXPLORE.EXE

pid	process
1180	iexplore.exe

pid	process
1180	iexplore.exe
1180	iexplore.exe
912	IEXPLORE.EXE
912	IEXPLORE.EXE
912	IEXPLORE.EXE
912	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db.exeiexplore.exe

description	pid	process	target process
PID 956 wrote to memory of 1180	956	35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db.exe	iexplore.exe
PID 956 wrote to memory of 1180	956	35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db.exe	iexplore.exe
PID 956 wrote to memory of 1180	956	35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db.exe	iexplore.exe
PID 956 wrote to memory of 1180	956	35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db.exe	iexplore.exe
PID 1180 wrote to memory of 912	1180	iexplore.exe	IEXPLORE.EXE
PID 1180 wrote to memory of 912	1180	iexplore.exe	IEXPLORE.EXE
PID 1180 wrote to memory of 912	1180	iexplore.exe	IEXPLORE.EXE
PID 1180 wrote to memory of 912	1180	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db.exe
"C:\Users\Admin\AppData\Local\Temp\35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=35fe3486b44c2295cbce485fa2083550428f558fbb0165ac129edbd49db318db.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CCCYA61K.txt
Filesize
608B

MD5
2763479c28af53d61b628b91c0ded6a4

SHA1
be3b73afcc9b2a213c056d7b3f8df99f16b6a9ea

SHA256
55c3ddb1b23180b07df9dbf784d93b4b8570697868cf3cdb534c556562746bab

SHA512
7e1c22eebe2ace3b59ed7d6380c55d392e490c532f4440c872b940f838a69a22834837c35219d7c67e8d113cb70f8300b54fe53d0ad384c3e18a79f9dfbb0fbc

Download Submit
memory/956-54-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing