707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725

General

Target

707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
Size

96KB
MD5

a513cdb3ab73f3edba729ca76c0db788
SHA1

59f687a707b186897c4381a1857625cd78ee711b
SHA256

707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725
SHA512

43d6823070122ce6d974bf7f19ddf67a100ebd72d2453daba0078da5183fbb16a2bc14b9e8dd7c9edfaa69af4be409981bd113b0e5247b4699181731b3489acc
SSDEEP

1536:wIt3jmz7o5taYManp7OGNpebBDqhUDf3tuBmFneQrK7EHtgUC+mvCAjO:n3C7atZnp7OG7elqhUTjezwtBw9jO

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe

description	pid	process	target process
PID 1048 set thread context of 948	1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000822e5fd872434b48bca4869b7444745600000000020000000000106600000001000020000000a5bf8ca69996b3e6998fe06c4b69ab1c11ca2c0d6228cc8ab91cec30a225b700000000000e8000000002000020000000844c40f15843c68dd6ce42afde5885e4910ca6fbd2f5cf5e9b11572ab95dc91f90000000e3bdedb89604ae6708be41cffd4c63ee1b4345a024e630fc64900d677fabb874817044d1246f81eca284f33dde3d4c7e84759fa4ed75b6ba0fd5e7889574ec060cf2d13934fe7a20479082fc6730ea52d1db25e8365057827249d3faa53b88cb7ea289feb1b11bcb2bab93383a29eeb39833b694ec757581f2a2b3d5be11c08878eb96a4310501836ba08753eaa78c0e40000000fa17d1b345ed124ce51f40ab3198177e26a3f30596a2fce1bf278d7530a26a596d8361820baae5220b40ffe6bc16eacaa7d465a7c5bf28e8e6958acea55f0501	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376797290"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000822e5fd872434b48bca4869b74447456000000000200000000001066000000010000200000007b46c90bedbebc135ab4cdcc59c51f8b135fc90abdaa86bea876e61ea7386d17000000000e80000000020000200000000240f99fdecb829f7894e5945e1f96572351a1c5969b34f2463b6c00325ebce42000000085130a78c328163c80e17a61c5588f61630c1364d0ef80b014b06d6da7b88f8c40000000a2d2d5576e33c2e514bbca3bf1acf5dbd5b4c28619c32f6d80c3c7059a45039edaab3ef9008c50f85093bd79eb06e3a2c23c2dd90d9bbe49e45074f88118a41f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c39eeab906d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{105EAC31-72AD-11ED-B559-F63187E7FFAB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

768 iexplore.exe

pid	process
768	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exeiexplore.exeIEXPLORE.EXE

pid	process
1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
768	iexplore.exe
768	iexplore.exe
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exeiexplore.exe

description	pid	process	target process
PID 1048 wrote to memory of 948	1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
PID 1048 wrote to memory of 948	1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
PID 1048 wrote to memory of 948	1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
PID 1048 wrote to memory of 948	1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
PID 1048 wrote to memory of 948	1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
PID 1048 wrote to memory of 948	1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
PID 1048 wrote to memory of 948	1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
PID 1048 wrote to memory of 948	1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
PID 1048 wrote to memory of 948	1048	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
PID 948 wrote to memory of 768	948	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	iexplore.exe
PID 948 wrote to memory of 768	948	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	iexplore.exe
PID 948 wrote to memory of 768	948	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	iexplore.exe
PID 948 wrote to memory of 768	948	707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe	iexplore.exe
PID 768 wrote to memory of 1756	768	iexplore.exe	IEXPLORE.EXE
PID 768 wrote to memory of 1756	768	iexplore.exe	IEXPLORE.EXE
PID 768 wrote to memory of 1756	768	iexplore.exe	IEXPLORE.EXE
PID 768 wrote to memory of 1756	768	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
"C:\Users\Admin\AppData\Local\Temp\707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
C:\Users\Admin\AppData\Local\Temp\707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=707c77401961314821ba8378408e01f47be09dc49a3a165e992e1e1c070a1725.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:768 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XXC3UZYD.txt

Filesize
539B

MD5
262cbdfb74852ab3be50e1d8cd72e20b

SHA1
42f7e9d6f75858d7cfe083d1e1d7e3172a015ae0

SHA256
bd840360f44483bd55b5eea7e8d87ff9febbf588132f407b1f1eabbf94a58829

SHA512
4d20dc241f09d2864a695799b8e4eb5a876c08da2eb7474032ee63914abf9a916fd8a65b5a7575265a8234ea396d804e6b34786f268138e05acb1d22e0022f79

Download Submit
memory/948-56-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/948-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/948-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/948-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/948-62-0x0000000000411F2A-mapping.dmp

Download
memory/948-64-0x0000000000402000-0x0000000000412000-memory.dmp

Filesize
64KB

Download
memory/948-65-0x0000000000402000-0x0000000000412000-memory.dmp

Filesize
64KB

Download
memory/948-66-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads