a08e6363613e43ef47b09a346777ec1952e78d497363db95f2a62d0e6d8ba1e1

Analysis

max time kernel
140s
max time network
177s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a08e6363613e43ef47b09a346777ec1952e78d497363db95f2a62d0e6d8ba1e1.exe
Size

31KB
MD5

b2e3d6edc48b407885eba93e6a5980e9
SHA1

7dcb00176317431cb11ee6f19d44c180a03edd7e
SHA256

a08e6363613e43ef47b09a346777ec1952e78d497363db95f2a62d0e6d8ba1e1
SHA512

40edfa1daff0c86fb555a367651d9ecabee31f67f63c3df4fe0e997f868aa20dbb75b81a12adf25f4fbd9e4cec2fd1c40d276301831af9ca6cff16236a44c60f
SSDEEP

384:7HRq3OevRQWh7WMjHVbv/9SwLVblgG9BVbf1TOpCA4V4fl6dJxb0sjonaWigemcd:b0vd9jHFv/FFlF9BFfYRoJxb0CWignq

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{866E7CF1-7629-11ED-874D-7AEFAD47A2D2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000076981382ac6dcc6b45771b2805e9c5382e63add9cf7033fc657d3db1f2594e64000000000e8000000002000020000000c3aa9d9d95ab287ddaab6263a3b75116ae2eca3ed8573f6c3378ec408073b21b20000000d558172bbfa6734dd5df5973da98ec89ee7b752b32f306981a940f0f94e0d2584000000030b4d512287a85bce99f23948eae8865c0fa812ed08a5b13938f3ecc2c7cb13dd0705f8d06551ae39cf7b776aeb33f438ccb5df52dccc64df255181198f0200b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000a00ad270d8da859c004e7b6f4b3873e8a931491ff959ddb3b4a2f24621962831000000000e8000000002000020000000c49dd2e4647c344ff4ae64f4db50026075856f3a56db92649a799587ae1f5bc590000000589d52f77d523395e7bbc842cce825ef2e41262b62cf1e918c2025b06be6bbc0d33fdc889c5425430d630b11f428bd8391befa710d6c68b0318e29d2d12e296a8878d84e240acd7f047ce75e0634869a5f82768f1096bf3e669d3ba5c898b650434febe4d06d0bb0872a16289696b1c3474a1c2738759322635674a1a8496a835230634731972449279a4d1bdf5e9b884000000006496894d92856dfec91ecd7c59c89ef021fb8c4952fa76de70a835cedfa4314ac74b80426287df82a39eb01480ea58faf4a893540acc9a37b565a11d540dc19	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377180606"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a94968360ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1640	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1640	iexplore.exe
1640	iexplore.exe
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1532	1640	iexplore.exe	30
PID 1640 wrote to memory of 1532	1640	iexplore.exe	30
PID 1640 wrote to memory of 1532	1640	iexplore.exe	30
PID 1640 wrote to memory of 1532	1640	iexplore.exe	30
PID 1640 wrote to memory of 1532	1640	iexplore.exe	30
PID 1640 wrote to memory of 1532	1640	iexplore.exe	30
PID 1640 wrote to memory of 1532	1640	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\a08e6363613e43ef47b09a346777ec1952e78d497363db95f2a62d0e6d8ba1e1.exe
"C:\Users\Admin\AppData\Local\Temp\a08e6363613e43ef47b09a346777ec1952e78d497363db95f2a62d0e6d8ba1e1.exe"
1⤵
PID:520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
15KB

MD5
f4f96eea412b978b11636c86d74869dc

SHA1
e15217f1d18d3db80e2f70b1b7dc44e6fd11282b

SHA256
f19473b021d62d2f05b4b250ff2911d24a83ee12901704ad4d143a07833c0a3e

SHA512
7ccbb8a11c82973f66f0d4793ffa9a17a158f17f1bc52746c15285d83dfcaa71af31222e77c4b472f5672950abf2bb30056458cadd6bde20cd631f9a7ec241d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MYG2YA9V.txt

Filesize
608B

MD5
83f92f203e7b1560a617d831c6a0f710

SHA1
9f9a51520056da6867010dbe020c7bb3f7459fc9

SHA256
20402cc3827126b0798415910d4d0e2963cd20f6830600ecc6f2ce5169f1c8de

SHA512
be96488b261edfbad433c4ebe0c63ead369f5b3bf97d594cd4db0d64cbff9c2955286a03a060cb86088819722843f1309683b7a69c08bcbc9cd04c269b0e2d33

Download Submit
memory/520-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download