aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081

Analysis

max time kernel
149s
max time network
192s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe
Size

638KB
MD5

08458c7838a78efa0ac089627b10f6c0
SHA1

6516c18bb8bf76f290332cbf584cd3022ce79ccc
SHA256

aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081
SHA512

f13d49b98e28cd91bfe6d5403c2573fd72e79ae8289ff2da5a2f0e88213c856d8e476ba6111c3e0e0159e9504e3a2504bcd94ccf8489c4a208daecb843569499
SSDEEP

12288:j2I9Oy2fYOEKg9VicRiYu3REOU+aZbPWS6kuUNP3S06e8X:C42+KgHiaiYMEOUVZTrjNPi7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376618713"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000407822117bd0210a6a870bf81aca670ec651bb73e8446b8491edb3fffb08986c000000000e8000000002000020000000246276eda0c767cacb29b1320ea47da0df738179079ae2e01a86e8af63d5f58390000000b89e97751aa81c477a739f1a1724bd1e327ddf3ed9f307d6882ab8133f6c29dc41268bf10b559557eb2791f163587c0089c784adc080f448067edb5b320968b47722faee89bf427b9b33889901d80466a456266deba3a1dc08fcf7a2798c5b7498b4f58829acdd5641010052956329efb77718c12b1c31d9bb9875565eb2182144d9dad08db7aae862e771b24a57c04f40000000c8067bdafb0e0462caa6e039b24ceefedb8bd520ff921662c75ebc027e7f0013e8ca68378baab6d0411faf1c27b615aada25618103724391f209bab553fb5030	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4CEF5BF0-710D-11ED-8BE9-EEAC7132E42C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af000000000200000000001066000000010000200000005c3fb253c9fe72624b88d23da314313c332affe5117eed2898a0bfd7c8783157000000000e800000000200002000000095a879d8ee9e37b2e88b53e10320f6681e1c53f1bde9f61d316ab8940e11905620000000c5e660edec3f8489175359f76b6e74cc9277742e60a53ccb22764f4b30009b4040000000e5f7f2f344ed0041212036991c2dc10ad21aa0c6446f6942452b5fafaf9f3aaa7070afbaa4179db8a578717ec2074bf609e9bac5a7a41b41edd90a4873fc594d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{436C3D51-710D-11ED-8BE9-EEAC7132E42C} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f09aa13d1a05d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
940	IEXPLORE.EXE
896	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1352	aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe
940	IEXPLORE.EXE
940	IEXPLORE.EXE
1112	IEXPLORE.EXE
1112	IEXPLORE.EXE
896	IEXPLORE.EXE
896	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 940	1352	aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe	28
PID 1352 wrote to memory of 940	1352	aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe	28
PID 1352 wrote to memory of 940	1352	aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe	28
PID 1352 wrote to memory of 940	1352	aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe	28
PID 940 wrote to memory of 1112	940	IEXPLORE.EXE	30
PID 940 wrote to memory of 1112	940	IEXPLORE.EXE	30
PID 940 wrote to memory of 1112	940	IEXPLORE.EXE	30
PID 940 wrote to memory of 1112	940	IEXPLORE.EXE	30
PID 1352 wrote to memory of 896	1352	aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe	31
PID 1352 wrote to memory of 896	1352	aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe	31
PID 1352 wrote to memory of 896	1352	aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe	31
PID 1352 wrote to memory of 896	1352	aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe	31
PID 896 wrote to memory of 832	896	IEXPLORE.EXE	32
PID 896 wrote to memory of 832	896	IEXPLORE.EXE	32
PID 896 wrote to memory of 832	896	IEXPLORE.EXE	32
PID 896 wrote to memory of 832	896	IEXPLORE.EXE	32

C:\Users\Admin\AppData\Local\Temp\aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe
"C:\Users\Admin\AppData\Local\Temp\aa5afc7a11983a547176e526c6e1bf304e1933684a4efd57803451241e862081.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://123.kukankan.com/index3.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1112
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://123.kukankan.com/index3.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
79f835c6861f93e3c63f7113a4a017bb

SHA1
664ae20ab5e4e31956d2089f6030b52d79061b5d

SHA256
238a792db7eb753ef146e9f4b2e073f614a0c4d1752ead63456570cafca7aaa6

SHA512
88bbc5e3b85f96e8e67a8e978b0b93057ac4e3ca6237c7187020afd0024ac993bfaa5338e8d9c5401b073bc654a8eed5fcfaf6b967dd861db13a12fa475237ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{436C3D51-710D-11ED-8BE9-EEAC7132E42C}.dat

Filesize
5KB

MD5
bfe842d64ed9d7d3f507ef35f051aaeb

SHA1
95bd5e06e07138287bb641e1f6beaec161ca227f

SHA256
51df9b019b79f8b39be4f184f0ebf93c06dccfa090efd49c3ec022c7aeb0a9f3

SHA512
05d24e992f9771a47384e4269c6c2a5402be2e4f9f3e402250741e1dc5e41a02d6ff2ee2900b60fd8d9e60712e211131e6e8565d36db2939d81a75184d5ba149

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1HMZIG41.txt

Filesize
533B

MD5
00eb14400fdce455932a175f8305a3db

SHA1
859078d888c66281b6f5c01dfd5a9db84c622b17

SHA256
5e78c8b9ef807ec9fa22a8e74344892d93a53a6c7f12b09321e39fcf38aa5c08

SHA512
8a3cf76ee96f233e9ec85843a1307fecba65c13529b0375a16356a2029c5dd9637ba1daa1a79f63af0e4c64bb099f2e935e9e0d2d3a0bf4fb0ade5413cb5b2fa

Download Submit
memory/1352-56-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1352-57-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download