c1cbaf7a654a5ddc7d79b995e7c6584c4d4681669bee6baa294c903af2300a20

Analysis

max time kernel
150s
max time network
173s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1cbaf7a654a5ddc7d79b995e7c6584c4d4681669bee6baa294c903af2300a20.exe
Size

322KB
MD5

2c82dca1f27353a571c213251bf588c1
SHA1

2401bf0ae80942cbc759e972ae86277a3bb12757
SHA256

c1cbaf7a654a5ddc7d79b995e7c6584c4d4681669bee6baa294c903af2300a20
SHA512

2c789cd7ab38dde63e3b92e0a5d8607908d7105ef1ce37a95f385ff219cbef9a391041b6232e1c6b534b15fd15686f9df73ad1c1012854fc654fd087b85119a5
SSDEEP

6144:sZvuCYX6bmERmQ5J+I0EHpFEYTtHm5uz/Gs1FVYR/mv/ZsI:stlYXUYIDHNBG47NFVI/0h

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c1cbaf7a654a5ddc7d79b995e7c6584c4d4681669bee6baa294c903af2300a20.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c06cdaaed309d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007922d070e2e29f4fad2b134760c01686000000000200000000001066000000010000200000005d764f3de6b9c8140b9118e22bc4a763195e9785ff0cbdc8bd1fd0254654966e000000000e8000000002000020000000f0b40792b789ed512fc6e0b1db71e831f492b55ce56d7ced7d039354439460382000000062147007bf42e01725e5ae9dbf19c80c086c9cdc8276e3cc7e45b3920de149dc40000000701c091d3bcb7cea7dd07098f87e845f95aa4f96fcb3a987bfc15ba82551f8d756365c50cacd85345f01658d1727e18800864df01cf85988bd7cdcd395a6a695	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377138152"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A85EF821-75C6-11ED-BF27-66397CAA4A34} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	c1cbaf7a654a5ddc7d79b995e7c6584c4d4681669bee6baa294c903af2300a20.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007922d070e2e29f4fad2b134760c0168600000000020000000000106600000001000020000000bdbad7b6a33d06ba0907076ca73869e4255771c395aa5fae7305b1511d6960e4000000000e80000000020000200000005274959e5f58a2057cd768d8a02230a422f68ad05a528c5037a99ce5771e647490000000ade38bfcbb1b4d48a9deba8081ec01cedb6b75891933dd0cace93829f8eee6d86f37baa6f4128f54ca6d349a694d7c99c84b913b01f3733ab4c96c07595fbd25fc20d112f1d385e4c033634afe6859d9482f982b5cce2ff05b03e003d4d667837072c70ded0a54a63faed7dfaa7d8ea99ea64beea0a3daf040edd3bfb528c23471eedfa623b9ab6314ffe2aaeae2e0c14000000086484b26d7dc691da2072b5f33fc06c04739f4b80be75a5a13db7adf9305663eb7338ca630402481d3383181e274fa3349e12bae90373b4fdf02b97ff6eb9c62	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
900	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1992	c1cbaf7a654a5ddc7d79b995e7c6584c4d4681669bee6baa294c903af2300a20.exe
1992	c1cbaf7a654a5ddc7d79b995e7c6584c4d4681669bee6baa294c903af2300a20.exe
900	iexplore.exe
900	iexplore.exe
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1160	900	iexplore.exe	30
PID 900 wrote to memory of 1160	900	iexplore.exe	30
PID 900 wrote to memory of 1160	900	iexplore.exe	30
PID 900 wrote to memory of 1160	900	iexplore.exe	30
PID 900 wrote to memory of 1160	900	iexplore.exe	30
PID 900 wrote to memory of 1160	900	iexplore.exe	30
PID 900 wrote to memory of 1160	900	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\c1cbaf7a654a5ddc7d79b995e7c6584c4d4681669bee6baa294c903af2300a20.exe
"C:\Users\Admin\AppData\Local\Temp\c1cbaf7a654a5ddc7d79b995e7c6584c4d4681669bee6baa294c903af2300a20.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:900 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
5KB

MD5
c8b986f627844e4cd0a06dc0f12c114b

SHA1
1ea6fedf1ab29077707c3357d90de25ed6a15ee2

SHA256
8fed0e2f036dbed16af875407619f71c8886ae4fd60ef5a33aa2e83d98c2031c

SHA512
60be001ce3653a58f0c86d8adfd4455068f86f12d4b9f4978952eb9b72ceed4026ed3192fcf7207cf8d0242f29681f00d1149cd66bbf5ec9bcdbcf883ec89cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OWP1YYBP.txt

Filesize
608B

MD5
fd2569ce63902cd1ae8733d526d56162

SHA1
c3110dfe6834bf607a46e74f9ce3b6e73c2b8873

SHA256
ce93a0886647354c67f52f09e934b0853382b7879f97ce735e06588ef3658aff

SHA512
a74cfe0df3ffb339c4d48fba132d68bf2ba45863ef045094725a993209defdb92e17d5d89cca9c87af86b30a4a08bea0e06b7b32a23f0068a16719eb9c167000

Download Submit
memory/1992-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download