6d7aff1014e5b210d0901974929d5f38c9c4c9cdc32c934fe1816d8ce0864bc8

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d7aff1014e5b210d0901974929d5f38c9c4c9cdc32c934fe1816d8ce0864bc8.exe
Size

533KB
MD5

8995f07e7eca043f1fa053974cd04f3a
SHA1

6bc71f02833285df4260d25e27697d921dad441f
SHA256

6d7aff1014e5b210d0901974929d5f38c9c4c9cdc32c934fe1816d8ce0864bc8
SHA512

d6ec3d8ed2a78c53938a8698ab60081a2281bdc078539c2bd7956619d68fdd4b3fe0e83fc267ac0d7d17e1d3c051f900e49abf91a28a71de6d621314e52c08ac
SSDEEP

12288:stlYXU9NczKhfk0XSIbXUDXMCkTPWMx2GYP2Gsw:szYXU4ScYbXaMZTlxDYuw

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6d7aff1014e5b210d0901974929d5f38c9c4c9cdc32c934fe1816d8ce0864bc8.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ebc9cd7f10630c49833212380d3d3f09000000000200000000001066000000010000200000006b0a8cfb75b1834d4d3958a6a9b6f192fcc3920eec4a7c265ca3e7de507ea754000000000e8000000002000020000000f1b7af0e681b71d52df2282d47b27d95b976c974dca8411d5630aba365316b72900000004d7937dcb49b707210ac0971143bce809a6b4eb4b4c805e909fb926920b15c2b6f8d67e18f05f75c8bd356b6f830d6e5336323de0fb19b88034dc4d55247da92494012a8cbef4827fc70eaa65634ac0255ee9662437404cf23ed3f06a1d264611e7de2e1ff7db8b27babe349811adf6ef09c6e97bb1d1078b47fd359169511817808d77f2eb9d32b98f1b0936fd1e6f540000000da593fbd67e63a0676b807fed4e27fb69dc283cde65ee32aff3cf357d9aecf11cea7680e46d45ce28c35ff9eb4f623d22965d92548f8f8b0dbc12f2b2097a111	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377028630"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B153DA91-74C7-11ED-B243-5AF036119C64} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ebc9cd7f10630c49833212380d3d3f09000000000200000000001066000000010000200000005e8a24592b80f7fb7ca6415f5a6ca991e70ef7602281e494915b4f670290e43b000000000e800000000200002000000098498f863ff8b5f5a8a2b1a51a44fb8406fd949f7de2dd2fbd7583d257bce3ba200000000f0a73f7f184460271445ad66a133ac1da4ec8b76053f5a132ea55395262eebc40000000df714aa48970f40e638092e9a3294b91d9f3bc2563c290a772d270b24dab34e92684818dfabe080e72cdca5257fb827c8ebb5bacdc5bec6ce8000ba1066471e6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60052996d408d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	6d7aff1014e5b210d0901974929d5f38c9c4c9cdc32c934fe1816d8ce0864bc8.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
632	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1408	6d7aff1014e5b210d0901974929d5f38c9c4c9cdc32c934fe1816d8ce0864bc8.exe
1408	6d7aff1014e5b210d0901974929d5f38c9c4c9cdc32c934fe1816d8ce0864bc8.exe
632	iexplore.exe
632	iexplore.exe
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 1428	632	iexplore.exe	29
PID 632 wrote to memory of 1428	632	iexplore.exe	29
PID 632 wrote to memory of 1428	632	iexplore.exe	29
PID 632 wrote to memory of 1428	632	iexplore.exe	29
PID 632 wrote to memory of 1428	632	iexplore.exe	29
PID 632 wrote to memory of 1428	632	iexplore.exe	29
PID 632 wrote to memory of 1428	632	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\6d7aff1014e5b210d0901974929d5f38c9c4c9cdc32c934fe1816d8ce0864bc8.exe
"C:\Users\Admin\AppData\Local\Temp\6d7aff1014e5b210d0901974929d5f38c9c4c9cdc32c934fe1816d8ce0864bc8.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:632 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
5KB

MD5
af77f1846bbd42f05e743da639ff75cc

SHA1
aa00aaccf0ad07ece1f991509d15251f0fdfc7df

SHA256
16c7b76f16ce6b44ff3910644c4c1c3c9ec5567c34fcfcd803b86081b4ba0d5a

SHA512
1f434a1ed5a4b6743be55b7a8572a2617937717fcdc5c1fb1a248382a35b527773a5ebaf88f120fd868deaab3fb75dc6e0c32a996674b3f84e3cd8ab2cd4ea0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LBK1QGUV.txt

Filesize
603B

MD5
06a4a69082b245b87cf3e612fa47e135

SHA1
9625256dbfc65aa037c8557cbb6793cb9998af8e

SHA256
439776b6b26290dc7075c83b6f549765d02651f35cd3de64fead652afe71261f

SHA512
1c5a46889f201896e3b66a45c48594678b69a3646197c90955bd9339643da5dd532995bae26e8cacdf7e517870eb9fd821398a28ed07c87d5a40527a5b314052

Download Submit
memory/1408-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download