bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe
Size

197KB
MD5

48f182e2725c8466d11a395c67ab69ed
SHA1

b752b48a172e6de5a231506722e1444c0a50ea04
SHA256

bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62
SHA512

f2ccb0c5db051ea15fdfeaa38c076cb6d66140efb2867ffffe66fea0e286a7e1d18b5b0ee4c10a178162da7037d847fa2571eafb25933033fabbbe9d415e5fde
SSDEEP

6144:hJs5AK0xf6eV3hHgT0rYVEwN095/YHp59A3elX49P:Ls5AK0xf6eV3hHgT1VrtEed49P

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3340 set thread context of 3064	3340	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	80

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377072286"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{573AEE90-752D-11ED-A0EE-C2D2A1265889} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000890"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "734854476"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "734854476"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000890"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "740480812"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000890"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3064	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe
3064	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe
3064	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1192	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe
Token: SeDebugPrivilege	3064	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe
Token: SeDebugPrivilege	1332	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1192	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3064	3340	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	80
PID 3340 wrote to memory of 3064	3340	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	80
PID 3340 wrote to memory of 3064	3340	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	80
PID 3340 wrote to memory of 3064	3340	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	80
PID 3340 wrote to memory of 3064	3340	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	80
PID 3340 wrote to memory of 3064	3340	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	80
PID 3340 wrote to memory of 3064	3340	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	80
PID 3340 wrote to memory of 3064	3340	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	80
PID 3340 wrote to memory of 3064	3340	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	80
PID 3064 wrote to memory of 4764	3064	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	81
PID 3064 wrote to memory of 4764	3064	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	81
PID 3064 wrote to memory of 4764	3064	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	81
PID 4764 wrote to memory of 1192	4764	iexplore.exe	82
PID 4764 wrote to memory of 1192	4764	iexplore.exe	82
PID 1192 wrote to memory of 1332	1192	IEXPLORE.EXE	83
PID 1192 wrote to memory of 1332	1192	IEXPLORE.EXE	83
PID 1192 wrote to memory of 1332	1192	IEXPLORE.EXE	83
PID 3064 wrote to memory of 1332	3064	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	83
PID 3064 wrote to memory of 1332	3064	bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe	83

C:\Users\Admin\AppData\Local\Temp\bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe
"C:\Users\Admin\AppData\Local\Temp\bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe
  C:\Users\Admin\AppData\Local\Temp\bfb871bcaafbe219de01d417297c29af618e72a8fe30e25a7dd3cb73d4202d62.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ac572cbbc82d6d652cdbe2596aeac4ee

SHA1
a631b27cf33fe134f42ed411d7ea06c21df41ad5

SHA256
50b6d8f62150a7bd25fb3e462130e8e054a0f1fb619487e8c426a4c8bf6bdca8

SHA512
070095ec83e4eeccae5dcbadcb3132f08fd0aac50badbc42cb72691236b6cfcdf14ce275fb1bf5511896bb4dd25c2121e044341003c1a507be8fabc0b2b1bfff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
d5806e5bce1c8d3368b273bf80329ce0

SHA1
c2a4b3622cdd6dc01ad5f9c47abc54f670bec512

SHA256
63047dcc3ee86d66a129a4f912b8a892cd8b889cfab2edae349c2c43657512b2

SHA512
712bbabeca3789b8b7be99fefea78b4d37d791745b7626bd14d79eb2c40ce982ab689d6a4cea9d0100545bfe8f0fcc5cdf77540a85af54c3111bd6bb66ff92cc

Download Submit
memory/3064-134-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3064-135-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3064-136-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3064-133-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3064-139-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3064-140-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/3064-141-0x0000000002740000-0x000000000278E000-memory.dmp

Filesize
312KB

Download