e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf

Analysis

max time kernel
152s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe
Size

294KB
MD5

218fb36acbcea6b58f23e4fd0f819b5c
SHA1

22f00ef1d9e3719922dda34db5a014c6aae9447f
SHA256

e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf
SHA512

765b46b67c65c2e74aeaf3854ad698e3449bf9faf2b2afbb615b5256d60c66e8847d8052a76f44658dac899c7d4a309544a6b8be5403919c34a825e84ec47412
SSDEEP

6144:cdYgxDExluzMm2mBiXS6S9JSelDyX2UFLstcAyXRU0ODDon:tgxDEvuLTKSH9flD74sK60ODDon

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3716	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\TaoBao\is-L3R2R.tmp	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	Regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.hae123.com"	Regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
4156	Regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3716	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 3716	4260	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe	83
PID 4260 wrote to memory of 3716	4260	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe	83
PID 4260 wrote to memory of 3716	4260	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe	83
PID 3716 wrote to memory of 4156	3716	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	86
PID 3716 wrote to memory of 4156	3716	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	86
PID 3716 wrote to memory of 4156	3716	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	86
PID 3716 wrote to memory of 4728	3716	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	87
PID 3716 wrote to memory of 4728	3716	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	87
PID 3716 wrote to memory of 4728	3716	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	87

C:\Users\Admin\AppData\Local\Temp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe
"C:\Users\Admin\AppData\Local\Temp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\is-SEQIS.tmp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SEQIS.tmp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp" /SL5="$B003E,51915,51712,C:\Users\Admin\AppData\Local\Temp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\Regedit.exe
    "C:\Windows\Regedit.exe" -s C:\Progra~1\TaoBao\info.desc
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Runs regedit.exe
    PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe"
    3⤵
    PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TaoBao\info.desc

Filesize
280B

MD5
a0fd44bf16c285a195d371ba2404dc0a

SHA1
1880991f3f49d2f35e86ce2575d7535517a10f28

SHA256
686ea1ff46449d5412e6454ca7329a6f03e777714e35d502640c61ac16849613

SHA512
3477a190eda4b3fd79319ebeab24c3a62cdaffeb4d58f65488713f23e370f8a906365985dad5a8bd39a5d2e047c6f1da40af1d952cb3899c9809a32fb03b970a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SEQIS.tmp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SEQIS.tmp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
memory/4260-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4260-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4260-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4260-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads