93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe
Size

556KB
MD5

433653a6019b94f97231432f6c17918e
SHA1

3dd1af994b91fb96a7808499450c685c52afbb04
SHA256

93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0
SHA512

ac5e4fee01fe4ea80425eec04161166ee53f42784f67e19879cdc7e6e0c4f537e5903e7b4bd5e12d20b617879d4974081bce50d2c740cacde2476400d9fe41d4
SSDEEP

12288:yGf4LJX4zRiiGFxmfNJ6El+nsjOQGRLNtTirdLybWbJd:ypX4zR3gxMi2+sfGR7TEdLybu

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4444	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4444 set thread context of 4848	4444	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe	79

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\han.exe	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe
File opened for modification	C:\Windows\han.exe	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{563FE2A8-75DA-11ED-AECB-4AA92575F981} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "720277892"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001063"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001063"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "752465677"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "720277892"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001063"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377146590"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4848	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4848	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4848	iexplore.exe
4848	iexplore.exe
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4848	4444	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe	79
PID 4444 wrote to memory of 4848	4444	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe	79
PID 4444 wrote to memory of 4848	4444	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe	79
PID 4848 wrote to memory of 1584	4848	iexplore.exe	80
PID 4848 wrote to memory of 1584	4848	iexplore.exe	80
PID 4848 wrote to memory of 1584	4848	iexplore.exe	80
PID 4444 wrote to memory of 2700	4444	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe	81
PID 4444 wrote to memory of 2700	4444	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe	81
PID 4444 wrote to memory of 2700	4444	93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe	81

C:\Users\Admin\AppData\Local\Temp\93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe
"C:\Users\Admin\AppData\Local\Temp\93389a2323247cfb2b8b238fca8708e437a314a269cd9475033e180f6fae06c0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" ¨Á
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4848 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:2700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
f8f8086f87156d14091b152fcaadc3ce

SHA1
fe3cfbf9e2e871c948300473593dfcf189013386

SHA256
8d92f28b70ed5265fafad8b37ce049b0b8ecad038745173acc35a21b8222bf56

SHA512
1235be77513694a1478459e999631920be42183a6993dc1f93333831eaa54ea60c7d8617029289c95fed2f861fc7aa79da551c128df4428d23752044eb68ba7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
f9b1825a190b118a25102718d4710c9c

SHA1
9fd11d233a6a52816f566a221991aa166d0b40c0

SHA256
1677261f2ad4c413c922554618e70e0dd797847d026a34db1b59b8e8c5a9b768

SHA512
a48c00b4fa7d9f87f5cfeeb83da6ae5fde66e8e063c8a9f59d0324e149c74b46b62bbb0ce801b710bb642143d5b7e8889250c3987331b991152943b8b27def26

Download Submit
C:\Windows\SysWOW64\Deleteme.bat

Filesize
254B

MD5
70cec09cf24c0cf2234e92468fac4af9

SHA1
b53025ca70ad0002d1f7eb30b5b77aff4424d51f

SHA256
a45ac8f358d066194cd04c0c77c9fcf71125e718408a3ffba99afcabb841b6d3

SHA512
41ef055c8428d7df010d20d0bddc4e9002b1b252d5b99edd0832c8cf23f3049b44cd3e28cd36efb0289a0948f45822e15c412d06778be7239775f8556883dc55

Download Submit
memory/4444-132-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4444-134-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/4444-133-0x0000000000A90000-0x0000000000B26000-memory.dmp

Filesize
600KB

Download
memory/4444-136-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download