b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa

General

Target

b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa.exe
Size

149KB
MD5

49f710a8e83dae2ab9828311fcb9311f
SHA1

35e530754a1b91ea183de9405fe3f93fc0af5a62
SHA256

b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa
SHA512

05297ef33a6d7e18e6bb2a05febffd7f2b9f5d2c1890a88fab93fa595780ddf33616e11099a8b68bc8335d1b326f258f07593b67dfdaffe65b67f2f4f5a141d1
SSDEEP

3072:iI/VdsWmvOCevjNRYDYfuUpAbulpKNG1k+xMpFvqhPp:v/1mqvYUfuRalkNM6pZ+

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000998d474cae945b46a753f4a1596a85b400000000020000000000106600000001000020000000bc4914922ce8a3164135811f093663d68c2475f89fd8f7e0b19286fef1e535da000000000e8000000002000020000000c715c4ad0fdb7468223e33f9aa2047091db623a5959cba74c3fcfb64e1c3f00320000000407884ed3078ddd5d6b9683dbcde85a6a74b11e873842548f0eabf08694168c640000000a49ce26bd3aa7094c3bae838fd3a01d0f91491447f37efe586b93204cfbd0efad475bab98ba54fbc2129e9caea595241c5621c072e9a96d50a2ce778a639b995	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 905b24dd1707d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000998d474cae945b46a753f4a1596a85b4000000000200000000001066000000010000200000004c8b8027f0270a64408119056fecb948d965e47fb734e87b302befa3270b0ca9000000000e8000000002000020000000436b463ce716fda5fefc8451cfe8706acdd9834b9480c2ad9ad4839d5f0c90f190000000be13829e0cc71a0b973caf269cab0dbf599f9bfa5461c75081b66c583b1a4617c1222811a42182eba1423011978e0c7b07c57018f4e27b017c1641309b337dee87a4bbdc7a203b5bae9406aed086d4dd31fc11c1286ad928e319aaa58e62fd5640117d5750b83a689abde3d4a276396ba95871a4682a2cf2da9a1f14be5ecf3b2690be2d1aaebe24b5bed91e49a7a086400000000fa840470f0cb30a5d76e7fefd425a7444638e046a00ce3030105cefc51a42137766a837ef5682c2a48e318f003b1f1081a8ed14c9d1c92898334c126e790be3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FAD946A1-730A-11ED-9584-C22E595EE768} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376837628"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1368 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1368 iexplore.exe
1368 iexplore.exe
900 IEXPLORE.EXE
900 IEXPLORE.EXE
900 IEXPLORE.EXE
900 IEXPLORE.EXE

pid	process
1368	iexplore.exe

pid	process
1368	iexplore.exe
1368	iexplore.exe
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa.exeiexplore.exe

description	pid	process	target process
PID 1836 wrote to memory of 1368	1836	b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa.exe	iexplore.exe
PID 1836 wrote to memory of 1368	1836	b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa.exe	iexplore.exe
PID 1836 wrote to memory of 1368	1836	b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa.exe	iexplore.exe
PID 1836 wrote to memory of 1368	1836	b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa.exe	iexplore.exe
PID 1368 wrote to memory of 900	1368	iexplore.exe	IEXPLORE.EXE
PID 1368 wrote to memory of 900	1368	iexplore.exe	IEXPLORE.EXE
PID 1368 wrote to memory of 900	1368	iexplore.exe	IEXPLORE.EXE
PID 1368 wrote to memory of 900	1368	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa.exe
"C:\Users\Admin\AppData\Local\Temp\b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=b08311be7dc84323a9b215694c4bd10e8bae844de5c8690452ba1c1cf68a03fa.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1368 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4CBL53FM.txt
Filesize
603B

MD5
846c34f00c70cb2bda4a9f728a06e9ce

SHA1
2b00debb29cb811adf3bdd547f71239f26628b7a

SHA256
614d4f0497f83fc60e34227bd12c13193afc4a2a2d99cf2bd24c8b80bab3e1a9

SHA512
90a15b79cbb3e3fdeac56e8e911164db83a1917a36befcfd30ddbc82c29d0d0016d2a4c2bd9d5e85a40ba9e62a97ac52d3714c423f94f0e402c74d2a7de7ff94

Download Submit
memory/1836-54-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1836-55-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1836-56-0x0000000000361000-0x0000000000365000-memory.dmp

Filesize
16KB

Download
memory/1836-57-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1836-58-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing