75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a

General

Target

75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a.exe
Size

331KB
MD5

50be6d8299daf5181d8b97013a067844
SHA1

18bc1d6417fd5d34b7d47678e2a139cee0816a37
SHA256

75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a
SHA512

b9fee8d8aa029ae18ce8d1135070bbd881aebbc0c29997e5d15d88d2d1003d95289955e243f34a09ed636bfc66968a7a08360cf3adf90836b3be3e553ae41198
SSDEEP

6144:/YJQkqiKYkTzlGz9gOUb2GBqoOkR6loMnKXAOkK7A+Q9PZQgre7sapV:QJbqiK/lGRgOUqmq9kR6lhKXSK7hcRQp

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f90abb0c0fa5ac45a88027710c1bd39e00000000020000000000106600000001000020000000f722ae1a0a4146a04bc36dcfda638c368669a6e165bbaa95dc08d53235edd4ec000000000e80000000020000200000009fef20ea3c87267c5e844f8b9afcf7b2b5ab44d398328da6d46be7a21038b32c20000000160763e8ec655ae0284691e21c0cca8875741a8115f97e97b7f5cddcb45294c3400000008e752b2f4252e781a3bf3060a834264de236f873cd2b1a9de7ffc1b519602f9e34303a3a135761f277f7cd19edd50d31113e31d53e4c52646aaa85836f54414b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f90abb0c0fa5ac45a88027710c1bd39e00000000020000000000106600000001000020000000ef2a87b4c2cfa49eed450e226742d3c94254f6d472492e7b1413502f2c522fa5000000000e800000000200002000000009af3f2037d3051a86bd0e9c565bd6729b3fd88c9450ff0b4d2e2c954230e4e990000000d8fa89a78375dd7bcf8384ab4c94747cec008a8dce5e7019b29c6c33f2a01354583ea668671a476bdf0d8261ccf6edb1ee2312c51e9a2249342f5228a197571c81ccbcf53f3c52bf49ceab7156d4a3f4ab65af7f14dc334b55657cb1883e02eabeb0aa5f61bc578e3ad884eba151b2233d5844eaeb45c3a98910ce06b38382963d43c21f6cb1253f7834cb5988f8743d40000000d441dc8aa4da1a24a870be90ed9b5060adb27d2d5e248a93cc4fd81504105ab6946862aef3289e1ce5a20ffb9de1a9737b6cebe55f1a42b423145847e57ea777	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376814078"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{12AE85B1-72D4-11ED-93F0-EAF6071D98F9} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60883a10e106d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

272 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

272 iexplore.exe
272 iexplore.exe
852 IEXPLORE.EXE
852 IEXPLORE.EXE
852 IEXPLORE.EXE
852 IEXPLORE.EXE

pid	process
272	iexplore.exe

pid	process
272	iexplore.exe
272	iexplore.exe
852	IEXPLORE.EXE
852	IEXPLORE.EXE
852	IEXPLORE.EXE
852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a.exeiexplore.exe

description	pid	process	target process
PID 1648 wrote to memory of 272	1648	75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a.exe	iexplore.exe
PID 1648 wrote to memory of 272	1648	75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a.exe	iexplore.exe
PID 1648 wrote to memory of 272	1648	75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a.exe	iexplore.exe
PID 1648 wrote to memory of 272	1648	75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a.exe	iexplore.exe
PID 272 wrote to memory of 852	272	iexplore.exe	IEXPLORE.EXE
PID 272 wrote to memory of 852	272	iexplore.exe	IEXPLORE.EXE
PID 272 wrote to memory of 852	272	iexplore.exe	IEXPLORE.EXE
PID 272 wrote to memory of 852	272	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a.exe
"C:\Users\Admin\AppData\Local\Temp\75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=75f19365a44771e6d0164d8ce01195df2ccb6bd383f056119215d389f45f5a7a.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:272

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:272 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IKUGCV7U.txt

Filesize
535B

MD5
81df856ec4576869eff97c73de61b776

SHA1
fbbc8f470ee512e7fadad69f289452aeedf6bca9

SHA256
82e05486a133195315a1b0c7173e5ec6e147ae007cc3ca0960a6dc1ff5b9a3b3

SHA512
b6ec590ed6854073fdd5c2774cf7ddd1ed1965b23ed2223a19c5d62edadaa3e53478195ad111fdfd2cc87c6b51502a802984db1d183e0fd4274c6277b55d0d5a

Download Submit
memory/1648-54-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1648-55-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1648-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing