8a8dea3df1099aebbd0ab3c89aa4ff6a2acf2220c37b1166b47789f2ec42db4b

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 01:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a8dea3df1099aebbd0ab3c89aa4ff6a2acf2220c37b1166b47789f2ec42db4b.exe
Size

163KB
MD5

a81848cfeebddcb637e78723794e9383
SHA1

0a0c78c8c14e66a6306183912d968e6e0df465c1
SHA256

8a8dea3df1099aebbd0ab3c89aa4ff6a2acf2220c37b1166b47789f2ec42db4b
SHA512

19aab0277f7bf478d29c7ee7ad46c7106b594b1e7bf204cc49d9e77a9f1fba8d0ee39b2628d82f8d4b35d98538e13ee23b8981dc11496b976f70fa9ed9c46e0a
SSDEEP

3072:YgparkbXjvUoW4sObiMS719ERvzxOt0jWL2AFTf40++bJ2ofLqxO:YcbzvUCyM7RM3L2AFL40+6TA

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
448	rundll32.exe
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\utams = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\utams.dll\",GetExePath"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1362150815"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1508557071"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000271"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1508713465"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1576370208"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376806501"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1362150815"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000271"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1490588640"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000271"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7C6F044A-72C2-11ED-89AC-72E5C3FA065D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000271"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000271"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000271"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1420	iexplore.exe
1420	iexplore.exe
1420	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1420	iexplore.exe
1420	iexplore.exe
4988	IEXPLORE.EXE
4988	IEXPLORE.EXE
448	rundll32.exe
1420	iexplore.exe
1420	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
448	rundll32.exe
1420	iexplore.exe
1420	iexplore.exe
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
448	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 448	4808	8a8dea3df1099aebbd0ab3c89aa4ff6a2acf2220c37b1166b47789f2ec42db4b.exe	80
PID 4808 wrote to memory of 448	4808	8a8dea3df1099aebbd0ab3c89aa4ff6a2acf2220c37b1166b47789f2ec42db4b.exe	80
PID 4808 wrote to memory of 448	4808	8a8dea3df1099aebbd0ab3c89aa4ff6a2acf2220c37b1166b47789f2ec42db4b.exe	80
PID 1420 wrote to memory of 4988	1420	iexplore.exe	83
PID 1420 wrote to memory of 4988	1420	iexplore.exe	83
PID 1420 wrote to memory of 4988	1420	iexplore.exe	83
PID 1420 wrote to memory of 2840	1420	iexplore.exe	86
PID 1420 wrote to memory of 2840	1420	iexplore.exe	86
PID 1420 wrote to memory of 2840	1420	iexplore.exe	86
PID 1420 wrote to memory of 1500	1420	iexplore.exe	87
PID 1420 wrote to memory of 1500	1420	iexplore.exe	87
PID 1420 wrote to memory of 1500	1420	iexplore.exe	87

C:\Users\Admin\AppData\Local\Temp\8a8dea3df1099aebbd0ab3c89aa4ff6a2acf2220c37b1166b47789f2ec42db4b.exe
"C:\Users\Admin\AppData\Local\Temp\8a8dea3df1099aebbd0ab3c89aa4ff6a2acf2220c37b1166b47789f2ec42db4b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\utams.dll",GetExePath
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:448

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4988
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:82948 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:17414 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1500

Network

DNS

12r4g0d.cdn147.filesuploadetc.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

12r4g0d.cdn147.filesuploadetc.com

IN A

Response
DNS

12r4g0d.cdn147.filesuploadetc.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

12r4g0d.cdn147.filesuploadetc.com

IN A

Response
DNS

12r4g0d.cdn147.filesuploadetc.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

12r4g0d.cdn147.filesuploadetc.com

IN A

Response
DNS

12r4g0d.cdn147.filesuploadetc.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

12r4g0d.cdn147.filesuploadetc.com

IN A

Response
DNS

12r4g0d.cdn147.filesuploadetc.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

12r4g0d.cdn147.filesuploadetc.com

IN A

Response
DNS

12r4g0d.cdn147.filesuploadetc.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

12r4g0d.cdn147.filesuploadetc.com

IN A

Response
DNS

12r4g0d.cdn147.filesuploadetc.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

12r4g0d.cdn147.filesuploadetc.com

IN A

Response

93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

260 B
5
104.80.225.205:443

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.220.29:80

iexplore.exe

260 B
5
204.79.197.200:443

ieonline.microsoft.com

tls, http2

iexplore.exe

1.2kB
8.0kB
15
13

8.8.8.8:53

12r4g0d.cdn147.filesuploadetc.com

dns

IEXPLORE.EXE

79 B
152 B
1
1

DNS Request

12r4g0d.cdn147.filesuploadetc.com
8.8.8.8:53

12r4g0d.cdn147.filesuploadetc.com

dns

IEXPLORE.EXE

79 B
152 B
1
1

DNS Request

12r4g0d.cdn147.filesuploadetc.com
8.8.8.8:53

12r4g0d.cdn147.filesuploadetc.com

dns

IEXPLORE.EXE

79 B
152 B
1
1

DNS Request

12r4g0d.cdn147.filesuploadetc.com
8.8.8.8:53

12r4g0d.cdn147.filesuploadetc.com

dns

IEXPLORE.EXE

79 B
152 B
1
1

DNS Request

12r4g0d.cdn147.filesuploadetc.com
8.8.8.8:53

12r4g0d.cdn147.filesuploadetc.com

dns

IEXPLORE.EXE

79 B
152 B
1
1

DNS Request

12r4g0d.cdn147.filesuploadetc.com
8.8.8.8:53

12r4g0d.cdn147.filesuploadetc.com

dns

IEXPLORE.EXE

79 B
152 B
1
1

DNS Request

12r4g0d.cdn147.filesuploadetc.com
8.8.8.8:53

12r4g0d.cdn147.filesuploadetc.com

dns

IEXPLORE.EXE

79 B
152 B
1
1

DNS Request

12r4g0d.cdn147.filesuploadetc.com

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
4132c54f59c529167c112e7f519120fa

SHA1
94cc9036fa031258aa744c7ee88e3c0b6c7a73da

SHA256
e9f456cf8bb8cc4a683d1c2f792feeb4c83fff24a86e6bcb260eff8fbff126fb

SHA512
e8efb8e81a90ffbe177301fbba4470ded104fc6d12cfa0123938b981d612eb2c4a66bb47b585cd43ed6ed4940e0ad5a1e3a5d9d18f8cb643e741aae694c4baee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
5cedbbdbc0d8a9c352d1fcf10c767123

SHA1
1b8b9e456ea37b565ea3e0476ad464666bc867b8

SHA256
f04145be857661592ef21b8d094a4eab9a0bcc18a12da018896ece2d079d096b

SHA512
2621822b27544720144bc14ba426211e35c69171ce0585e6946f3ce261ebbe86bdb7a5a89dc03014e2611313ab7ad96890a019c0e815b453ab4c356aee0697c4

Download Submit
C:\Users\Admin\AppData\Roaming\utams.dll

Filesize
163KB

MD5
e518db52e90ed00597faa3e1dc73e2d7

SHA1
8dcc27e126dcd6dcb9b822c8715cb622223ce646

SHA256
1b3cd9c038829d8a900f8ff13b8eef618afaf9339dde8316c8def65d2742151c

SHA512
14ffc6f291a502504c991adb877111ed3085384cb498b67740d71ec296812773fb5e95d9a5530aeda40ef86de005c2d6e3338c015b2b1febec2f373679038660

Download Submit
C:\Users\Admin\AppData\Roaming\utams.dll

Filesize
163KB

MD5
e518db52e90ed00597faa3e1dc73e2d7

SHA1
8dcc27e126dcd6dcb9b822c8715cb622223ce646

SHA256
1b3cd9c038829d8a900f8ff13b8eef618afaf9339dde8316c8def65d2742151c

SHA512
14ffc6f291a502504c991adb877111ed3085384cb498b67740d71ec296812773fb5e95d9a5530aeda40ef86de005c2d6e3338c015b2b1febec2f373679038660

Download Submit
C:\Users\Admin\AppData\Roaming\utams.dll

Filesize
163KB

MD5
e518db52e90ed00597faa3e1dc73e2d7

SHA1
8dcc27e126dcd6dcb9b822c8715cb622223ce646

SHA256
1b3cd9c038829d8a900f8ff13b8eef618afaf9339dde8316c8def65d2742151c

SHA512
14ffc6f291a502504c991adb877111ed3085384cb498b67740d71ec296812773fb5e95d9a5530aeda40ef86de005c2d6e3338c015b2b1febec2f373679038660

Download Submit
C:\Users\Admin\AppData\Roaming\utams.dll

Filesize
163KB

MD5
e518db52e90ed00597faa3e1dc73e2d7

SHA1
8dcc27e126dcd6dcb9b822c8715cb622223ce646

SHA256
1b3cd9c038829d8a900f8ff13b8eef618afaf9339dde8316c8def65d2742151c

SHA512
14ffc6f291a502504c991adb877111ed3085384cb498b67740d71ec296812773fb5e95d9a5530aeda40ef86de005c2d6e3338c015b2b1febec2f373679038660

Download Submit
memory/448-139-0x0000000002AF0000-0x0000000002B1A000-memory.dmp

Filesize
168KB

Download
memory/448-142-0x0000000001180000-0x0000000001195000-memory.dmp

Filesize
84KB

Download
memory/448-145-0x0000000001180000-0x0000000001195000-memory.dmp

Filesize
84KB

Download
memory/4808-132-0x0000000000680000-0x00000000006AA000-memory.dmp

Filesize
168KB

Download
memory/4808-141-0x0000000000650000-0x0000000000665000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.