c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4

General

Target

c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
Size

176KB
MD5

f7c11fc55c70dc52878c81229b5e3faf
SHA1

6a2dfcd23e41c7d37ae535d5e064d2bbab8927d3
SHA256

c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4
SHA512

a7ed88760d503c4a2df62fe2f4510e6cc20bc4f664f0e2f9496f01a50dc0d41b3365b28abb9d02d0190dbb8dae15fbfcde76e36005e2ffef50a367c345a1f5c9
SSDEEP

3072:4oi1dBSK7g9W7tnNtd1D96GSa/w5S+LknndPgUyKlUs2QcCsns:4f1vSWBnNj1ROa45S+YdPFyYUsd9ss

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe

description	pid	process	target process
PID 1504 set thread context of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb800000000020000000000106600000001000020000000394d32feb21e7e142b82a4c8f51effcf05c424796c398869e2049a467e0fcd76000000000e80000000020000200000009d0c231499824d83ccd45c653793c8f4da2a67fd0bd94ce7c80c5f91dd07f28c90000000fc93e3e3bb565cb520501f1ce0f4337b051327b1f09ce3031faf9be48a47cc95d13e687deee9ad5d1111beb92eaa002c65ab2919a38f0c596276c5c0893fb66a7ca4080d7bf4c9f707928187bda802bca4374212fb712cc9fcaf03849bfae94ac26485316f2539692dd013b608b6aee1f84243bdda140209257ee864e5c9854e0e3d2abed1a77559370ccaeebc379d6a400000003c80a82d450fb8e7537d2ff22a1a16c8bc9aac1e4ec9a17b3f642a99b6fd05e436c82d64a4ef96b1d3137bf2accafbab096ce88e1e41276fd26c7f4a72f5fe4c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376539979"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb80000000002000000000010660000000100002000000098fcacc7a9e7d05e805464d0b5ef9e9cb79c16447e6e70c72f5fd57d0e1e9b95000000000e8000000002000020000000c494a05ac5568616ee123f6b34f3a96ef87a0e4ce411a86e40c0b74b88a1fd6b20000000128a59cf55e105536600d5f2279cf3ad6ced30803d07ae888ffde104f476db6e40000000ce0b21deb3b753a8aea15a623f050ed7f2c0fa3b00fbff8230dfe20c3006d191e8e1e09b2c978e57d0dddd6d36f515515be35f9e8206a650de4133bcaf15c735	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DAD87F91-7055-11ED-BBF9-5A5CFA1077B6} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10eac5da6204d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

728 iexplore.exe

pid	process
728	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exeiexplore.exeIEXPLORE.EXE

pid	process
1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
728	iexplore.exe
728	iexplore.exe
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exec7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exeiexplore.exe

description	pid	process	target process
PID 1504 wrote to memory of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
PID 1504 wrote to memory of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
PID 1504 wrote to memory of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
PID 1504 wrote to memory of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
PID 1504 wrote to memory of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
PID 1504 wrote to memory of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
PID 1504 wrote to memory of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
PID 1504 wrote to memory of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
PID 1504 wrote to memory of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
PID 1504 wrote to memory of 580	1504	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
PID 580 wrote to memory of 728	580	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	iexplore.exe
PID 580 wrote to memory of 728	580	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	iexplore.exe
PID 580 wrote to memory of 728	580	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	iexplore.exe
PID 580 wrote to memory of 728	580	c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe	iexplore.exe
PID 728 wrote to memory of 2020	728	iexplore.exe	IEXPLORE.EXE
PID 728 wrote to memory of 2020	728	iexplore.exe	IEXPLORE.EXE
PID 728 wrote to memory of 2020	728	iexplore.exe	IEXPLORE.EXE
PID 728 wrote to memory of 2020	728	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
"C:\Users\Admin\AppData\Local\Temp\c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
C:\Users\Admin\AppData\Local\Temp\c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=c7a07bf7cc3700cc03d64d9fb140864926c4aa557a7af8f905eb7c500cb4daa4.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:728 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C910G8DX.txt
Filesize
601B

MD5
5cd48b7e447c5ba86c31bff908fa60ce

SHA1
4049598f1201ec5dbe81b77434cdc360dcbdef35

SHA256
17b837912ca28b91bf10b217d537a1c891662088570058d361e3de2cff254723

SHA512
0ea8022596e7e0fa563c2ee99c11edb85152285eeb3860e3f069751cc6bb74f9f864337f977f3b18c8d78bac14aaa06584afc4fe3e8b89a08be5b29e64977992

Download Submit
memory/580-56-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/580-57-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/580-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/580-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/580-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/580-64-0x0000000000422B9E-mapping.dmp

Download
memory/580-63-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/580-66-0x0000000000402000-0x0000000000422C00-memory.dmp

Filesize
131KB

Download
memory/580-67-0x0000000000402000-0x0000000000422C00-memory.dmp

Filesize
131KB

Download
memory/580-68-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads