be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817

Analysis

max time kernel
137s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 06:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe
Size

131KB
MD5

28ce116fcbfa4f781b0212d75b109946
SHA1

a4e6b5d987be76c7172f4b8e997a3ca9df641e3f
SHA256

be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817
SHA512

c0d10b1d99b32b5ad6e232de1f80009182ebf06e88cbe1e3ef5f2d325a6dfc9c4e5ed3bba4ec8bfe0ef3700a1fcd39a8c58050e9aff99e2f616b1765c3f313a0
SSDEEP

3072:uMmncESH4efNoUjELJe2Vo4GhkEVDoHh2FmgyGnOo6EwBjn:uMmncqeb0Je2VophFDoSvnOoz

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4832	Injfjn.exe
3652	Injfjn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Injfjn = "C:\\Users\\Admin\\AppData\\Roaming\\Injfjn.exe"	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4984 set thread context of 4416	4984	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	81
PID 4832 set thread context of 3652	4832	Injfjn.exe	83

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3708716458"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0891E118-7528-11ED-A0EE-46E60354FB13} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3708716458"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000884"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377070007"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000884"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3716527505"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000884"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4416	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe
4416	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4484	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	Injfjn.exe
Token: SeDebugPrivilege	3532	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4484	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4484	IEXPLORE.EXE
4484	IEXPLORE.EXE
3532	IEXPLORE.EXE
3532	IEXPLORE.EXE
3532	IEXPLORE.EXE
3532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4416	4984	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	81
PID 4984 wrote to memory of 4416	4984	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	81
PID 4984 wrote to memory of 4416	4984	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	81
PID 4984 wrote to memory of 4416	4984	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	81
PID 4984 wrote to memory of 4416	4984	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	81
PID 4984 wrote to memory of 4416	4984	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	81
PID 4984 wrote to memory of 4416	4984	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	81
PID 4984 wrote to memory of 4416	4984	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	81
PID 4984 wrote to memory of 4416	4984	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	81
PID 4416 wrote to memory of 4832	4416	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	82
PID 4416 wrote to memory of 4832	4416	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	82
PID 4416 wrote to memory of 4832	4416	be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe	82
PID 4832 wrote to memory of 3652	4832	Injfjn.exe	83
PID 4832 wrote to memory of 3652	4832	Injfjn.exe	83
PID 4832 wrote to memory of 3652	4832	Injfjn.exe	83
PID 4832 wrote to memory of 3652	4832	Injfjn.exe	83
PID 4832 wrote to memory of 3652	4832	Injfjn.exe	83
PID 4832 wrote to memory of 3652	4832	Injfjn.exe	83
PID 4832 wrote to memory of 3652	4832	Injfjn.exe	83
PID 4832 wrote to memory of 3652	4832	Injfjn.exe	83
PID 4832 wrote to memory of 3652	4832	Injfjn.exe	83
PID 3652 wrote to memory of 964	3652	Injfjn.exe	84
PID 3652 wrote to memory of 964	3652	Injfjn.exe	84
PID 3652 wrote to memory of 964	3652	Injfjn.exe	84
PID 964 wrote to memory of 4484	964	iexplore.exe	85
PID 964 wrote to memory of 4484	964	iexplore.exe	85
PID 4484 wrote to memory of 3532	4484	IEXPLORE.EXE	86
PID 4484 wrote to memory of 3532	4484	IEXPLORE.EXE	86
PID 4484 wrote to memory of 3532	4484	IEXPLORE.EXE	86
PID 3652 wrote to memory of 3532	3652	Injfjn.exe	86
PID 3652 wrote to memory of 3532	3652	Injfjn.exe	86

C:\Users\Admin\AppData\Local\Temp\be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe
"C:\Users\Admin\AppData\Local\Temp\be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe
  "C:\Users\Admin\AppData\Local\Temp\be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Roaming\Injfjn.exe
    "C:\Users\Admin\AppData\Roaming\Injfjn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Users\Admin\AppData\Roaming\Injfjn.exe
      "C:\Users\Admin\AppData\Roaming\Injfjn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3652
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:964
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        6⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4484 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ac572cbbc82d6d652cdbe2596aeac4ee

SHA1
a631b27cf33fe134f42ed411d7ea06c21df41ad5

SHA256
50b6d8f62150a7bd25fb3e462130e8e054a0f1fb619487e8c426a4c8bf6bdca8

SHA512
070095ec83e4eeccae5dcbadcb3132f08fd0aac50badbc42cb72691236b6cfcdf14ce275fb1bf5511896bb4dd25c2121e044341003c1a507be8fabc0b2b1bfff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
1c444ffe741dc46f6e0c5190a72540a3

SHA1
fd598e6baa29b16d7286c9c3520fcd3a5485618d

SHA256
09b2d01336d4ae7f48fae87e50c9bff8418a1745bba2b37220d94e9d41261dd8

SHA512
786694f3985acd1dd984e0c49888edb4f18480ffd4e6276b28f794747f5f1431ddff6a4c264e103cbc43953ae91531e8dd276e70571ee1fdd388638bd86928b0

Download Submit
C:\Users\Admin\AppData\Roaming\Injfjn.exe

Filesize
131KB

MD5
28ce116fcbfa4f781b0212d75b109946

SHA1
a4e6b5d987be76c7172f4b8e997a3ca9df641e3f

SHA256
be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817

SHA512
c0d10b1d99b32b5ad6e232de1f80009182ebf06e88cbe1e3ef5f2d325a6dfc9c4e5ed3bba4ec8bfe0ef3700a1fcd39a8c58050e9aff99e2f616b1765c3f313a0

Download Submit
C:\Users\Admin\AppData\Roaming\Injfjn.exe

Filesize
131KB

MD5
28ce116fcbfa4f781b0212d75b109946

SHA1
a4e6b5d987be76c7172f4b8e997a3ca9df641e3f

SHA256
be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817

SHA512
c0d10b1d99b32b5ad6e232de1f80009182ebf06e88cbe1e3ef5f2d325a6dfc9c4e5ed3bba4ec8bfe0ef3700a1fcd39a8c58050e9aff99e2f616b1765c3f313a0

Download Submit
C:\Users\Admin\AppData\Roaming\Injfjn.exe

Filesize
131KB

MD5
28ce116fcbfa4f781b0212d75b109946

SHA1
a4e6b5d987be76c7172f4b8e997a3ca9df641e3f

SHA256
be9c571d8a0b9b2e5bce5f23cc694a69913e91c0993f27a07435fa78c352c817

SHA512
c0d10b1d99b32b5ad6e232de1f80009182ebf06e88cbe1e3ef5f2d325a6dfc9c4e5ed3bba4ec8bfe0ef3700a1fcd39a8c58050e9aff99e2f616b1765c3f313a0

Download Submit
memory/3652-147-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-148-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-149-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4416-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4416-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4416-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4416-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-136-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4984-132-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download