7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 22:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe
Size

222KB
MD5

28e2e8e859d42705b4755c510ab4ca04
SHA1

8cd18d4f782ae6698d113ead606506495d20e996
SHA256

7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1
SHA512

d6cdf7532a2f2a1905bd6eedf7ac20652120aeb4ae2ba146e02ebadcb6bc4408b1ac57b6f30faaeb6d5b58ad4b35efad23aa43726a01a4eff776ca34c7a6cbac
SSDEEP

3072:vcM0FuD8QaTbsCjyoFlQsQhs6ScQDNkw50iZbAqA9FA44HS8dG4Oo0L+NuqSbRUi:vcXFcPdCEhssQDWw1cn9n4aeNuqeUXzu

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 3356	1420	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	81

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000485"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000485"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000485"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2556841683"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2556841683"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000485"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2606058645"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2606058645"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B7A5B30D-7398-11ED-89AC-E64E24383C5C} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376898502"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3356	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe
3356	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe
3356	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe
Token: SeDebugPrivilege	3356	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe
Token: SeDebugPrivilege	752	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1696	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE
752	IEXPLORE.EXE
752	IEXPLORE.EXE
752	IEXPLORE.EXE
752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 3356	1420	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	81
PID 1420 wrote to memory of 3356	1420	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	81
PID 1420 wrote to memory of 3356	1420	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	81
PID 1420 wrote to memory of 3356	1420	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	81
PID 1420 wrote to memory of 3356	1420	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	81
PID 1420 wrote to memory of 3356	1420	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	81
PID 1420 wrote to memory of 3356	1420	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	81
PID 1420 wrote to memory of 3356	1420	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	81
PID 1420 wrote to memory of 3356	1420	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	81
PID 3356 wrote to memory of 5028	3356	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	83
PID 3356 wrote to memory of 5028	3356	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	83
PID 3356 wrote to memory of 5028	3356	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	83
PID 5028 wrote to memory of 1696	5028	iexplore.exe	84
PID 5028 wrote to memory of 1696	5028	iexplore.exe	84
PID 1696 wrote to memory of 752	1696	IEXPLORE.EXE	85
PID 1696 wrote to memory of 752	1696	IEXPLORE.EXE	85
PID 1696 wrote to memory of 752	1696	IEXPLORE.EXE	85
PID 3356 wrote to memory of 752	3356	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	85
PID 3356 wrote to memory of 752	3356	7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe	85

C:\Users\Admin\AppData\Local\Temp\7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe
"C:\Users\Admin\AppData\Local\Temp\7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe
  "C:\Users\Admin\AppData\Local\Temp\7c8f1464f92ea0c4bcf217276e14dec30575edd05ae5ab3dc7570f180974bae1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0ff2da8bfc83bec6bce38ba6a3f7bf58

SHA1
84c37df7bed08d69f040c289676735c49a9564eb

SHA256
91026f24711c435d99a44884c7239ed1265cd17c0259a6c5885f69e4309421ea

SHA512
78afdc44d7557b2f14444182085252e8456c91289511d6f2abfd1d7273d05baba9a94206d370add716b9fc30dc326a1a2e1c78f642e926759d962cf216c3a489

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
c5e2655a656ba256ca7324165c23b717

SHA1
3e34aab981d9494e17eb75024137d702aa12f297

SHA256
189d248e4e812a4fa1dd662348e1cf28d694ed8a3cee322a5e4e092da3c50f71

SHA512
6f9cb99676f69b7a6d922e9f9d2444336feb50f05e97f87772faf4991ef7394e71caa88af9444eb28aac0bf4190f57eec0664e48323d3996004253eed54a3b8b

Download Submit
memory/1420-135-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1420-139-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3356-137-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3356-140-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3356-141-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3356-142-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3356-143-0x0000000002730000-0x000000000277F000-memory.dmp

Filesize
316KB

Download