97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276

Analysis

max time kernel
186s
max time network
210s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe
Size

36KB
MD5

5237ac6195e4e6626aceaa3812a78904
SHA1

8f6e97795a6601b3bf619749155845e4c549001f
SHA256

97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276
SHA512

3e4404dda883208cde310d25da80a3807f6e64a9ef0c8a918b5dc968ffcd03d7f838cb0228be134ba6fba7438458f51daf019c0db548205bd6961d08365e4b7c
SSDEEP

768:/A/eg/zVRM3EqvvEbNUEnHrei6hDbAQQwgu97a0Eg:/A/fZRM/vsfei6Suhqg

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376859401"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000039ac8f5fe8d24114c737e3c6fcaca7164d1250965fcbeb03b36b4a79c09117cd000000000e8000000002000020000000b1bbb4d06916bfa172b65136d6b10f27fb2b6f0604c20e470838228386678b0220000000579d7566a474700c0ec8b152511a5f4f6d9a056fe5913eef027599beee87f71d40000000d8a83e3322b89ae6725423637221645cc75f7a7adf60b5e73513f85e30c5f1226e3e6e6d2eb0860ba1f6a661c15ac23f4e51f02b31c01ce10b4f585b2c5d6432	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000ce34a8ab3f4a1d2e0b6e9a3ef7ae3b054c60280d773d0e991449034bcc484469000000000e80000000020000200000007d70e6a2e1450d5d576df5ebd1a1f9f4dfa6e729600637a7ea51893526c1ce2790000000fc79e9467adf885cfc4dc4268aed0f84c5918dde59a0b0e951daafd15bffa27febbc1970e9b5509fc1a4b633968e00c1d3e6d6125207053a1afcfd327563bed274a49b9453d21f8f18ecaaa987f9665264e09a73ed15c89cc1d69a86acf85c8defd974b56084394a23ef3f8e91de80161dac958d2310c8192268ff86b8c635d6a590e3323a1e4ed8f2027502debad1b340000000cc4d7f5ecb455c4b141367fa0499aa48f857cce7e30640a506a0382929b8fe243531b2a703426769b31515ff08e3a418734407b6d99e4607ac7543ceee414234	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3038d7934a07d901	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ADA1E8F0-733D-11ED-8589-FE63F52BA449} = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AAFB8111-733D-11ED-8589-FE63F52BA449} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1348	IEXPLORE.exe
1336	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1256	97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe
1348	IEXPLORE.exe
1348	IEXPLORE.exe
1336	IEXPLORE.exe
1336	IEXPLORE.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1336	1256	97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe	28
PID 1256 wrote to memory of 1336	1256	97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe	28
PID 1256 wrote to memory of 1336	1256	97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe	28
PID 1256 wrote to memory of 1336	1256	97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe	28
PID 1256 wrote to memory of 1348	1256	97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe	29
PID 1256 wrote to memory of 1348	1256	97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe	29
PID 1256 wrote to memory of 1348	1256	97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe	29
PID 1256 wrote to memory of 1348	1256	97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe	29
PID 1348 wrote to memory of 1656	1348	IEXPLORE.exe	31
PID 1348 wrote to memory of 1656	1348	IEXPLORE.exe	31
PID 1348 wrote to memory of 1656	1348	IEXPLORE.exe	31
PID 1348 wrote to memory of 1656	1348	IEXPLORE.exe	31
PID 1336 wrote to memory of 1692	1336	IEXPLORE.exe	32
PID 1336 wrote to memory of 1692	1336	IEXPLORE.exe	32
PID 1336 wrote to memory of 1692	1336	IEXPLORE.exe	32
PID 1336 wrote to memory of 1692	1336	IEXPLORE.exe	32

C:\Users\Admin\AppData\Local\Temp\97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe
"C:\Users\Admin\AppData\Local\Temp\97d510407c1308c0bd20baf7096d74f36da03ef28fa9edc49d3b47f01628e276.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:275459 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1692
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1348 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AAFB8111-733D-11ED-8589-FE63F52BA449}.dat

Filesize
3KB

MD5
bb4a40aa466603beb6295088d313e8c3

SHA1
4964ea700dbd04da05d42f2131e31a66aa9c4c97

SHA256
f67136c2c8e9dfcdaa2efa970afe0df1d39bfbb35789ecbc80809dedcc482d17

SHA512
b8f04eec15447f3a00f3e96954c235de8af4f5035697c976f5c0ca61bee9a040be0225dbc2db4070d1cc01412320501c1d23877792637ae7f9a072b11c892641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ADA1E8F0-733D-11ED-8589-FE63F52BA449}.dat

Filesize
4KB

MD5
759ae6f8319b7d615e0c6206f748443d

SHA1
870a05051135b5274dfc758a330907cbdc61829f

SHA256
131c143af03ef6bb8f0148002096a8140190be44c96212e14f3f23c99949c6fd

SHA512
350f07fbdf5bf32ce240a9e61a2f2e8f4bd7c4929d8bb08eecb9c9f4f731052b6d0a7038fbc296145ed2ac8d17dfcdf5b14a680e8f2307ea1674e13f6e26a4f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3X76KEVK.txt

Filesize
539B

MD5
7c685df015166099afead355dc204761

SHA1
6e53cc6cd1ce87d2f4e8c34cf0302e1964f3b363

SHA256
7cf9a07fad86350b4db0d1fa551715ad43e3060e538f0d096e02c65eee338124

SHA512
befcc31cb1872a3c3506609f70e057230b82d33b48410b614697aa563dc4b38e4385915e39bdfa9ab0aaf766a115d83c3d31f999fc3f75a7e90cdadea87a5d98

Download Submit
memory/1256-56-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download