a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742

General

Target

a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe
Size

314KB
MD5

062c4f531e2b9a69ca4793702bbce655
SHA1

9a067b350633cee209e8ed78aee5965d0b70ddca
SHA256

a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742
SHA512

fe93f430b9a2185e563e2985217e294685a6829bea0c2675de18bb028a4fb75447f1f5fd471dffd95090c12067d9becef37ab09fc16af8320e0347ab5352eb2d
SSDEEP

6144:/oNkMkk2DxLqW9NJgmJglioBiM3sOjm6Mh/Xx9UoFiVb9GeUa89impfoS:/TVRN9wiHCGvxqIiVbAefKimpfoS

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 2256	2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	82

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1773693151"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376614464"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1771036788"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1773693151"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1771036788"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{94C6F74F-767F-11ED-89AC-5203DB9D3E0F} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2256	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe
2256	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe
2256	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3392	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe
Token: SeDebugPrivilege	2256	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe
Token: SeDebugPrivilege	4880	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3392	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe
3392	IEXPLORE.EXE
3392	IEXPLORE.EXE
4880	IEXPLORE.EXE
4880	IEXPLORE.EXE
4880	IEXPLORE.EXE
4880	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2256	2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	82
PID 2732 wrote to memory of 2256	2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	82
PID 2732 wrote to memory of 2256	2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	82
PID 2732 wrote to memory of 2256	2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	82
PID 2732 wrote to memory of 2256	2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	82
PID 2732 wrote to memory of 2256	2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	82
PID 2732 wrote to memory of 2256	2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	82
PID 2732 wrote to memory of 2256	2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	82
PID 2732 wrote to memory of 2256	2732	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	82
PID 2256 wrote to memory of 4180	2256	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	83
PID 2256 wrote to memory of 4180	2256	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	83
PID 2256 wrote to memory of 4180	2256	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	83
PID 4180 wrote to memory of 3392	4180	iexplore.exe	84
PID 4180 wrote to memory of 3392	4180	iexplore.exe	84
PID 3392 wrote to memory of 4880	3392	IEXPLORE.EXE	85
PID 3392 wrote to memory of 4880	3392	IEXPLORE.EXE	85
PID 3392 wrote to memory of 4880	3392	IEXPLORE.EXE	85
PID 2256 wrote to memory of 4880	2256	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	85
PID 2256 wrote to memory of 4880	2256	a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe	85

C:\Users\Admin\AppData\Local\Temp\a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe
"C:\Users\Admin\AppData\Local\Temp\a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe
  C:\Users\Admin\AppData\Local\Temp\a310993cbcfb446e3b0fcbdcd0346718125fc290c4115836443b1b89c8b10742.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a62e66dbd157955d60808bf89987bcde

SHA1
a97e8478902ac7db7fd904300304944a41afee8e

SHA256
d34e72ae586b00a60e3526f1e75677dcffa83fd33860a771ae592e7d8320cf25

SHA512
2c969c621bd5881acf47e85b3a2977b1c43dfa80887f0ab447327162d143795ff647b8ed1aec174a868c0faf1e09eb8baa6a67ea42764b65fe4416d2168e81fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
b03ba396b099238da1208ed1b9168323

SHA1
d4d0b84080df9617cdc8bc4fa3bb758c2a5b6781

SHA256
afac066d509f8b4ac2dab65a003d0059fdc5a7130f453fc95ac95fb1f2f0e180

SHA512
a5c5349d3f6cf885f00e30c7264bf22c86bf83b70b6efa6d5a6c68008e6b55ce69eed3b8ea7a6f697cdaea38c19a1a5f6cdb305e048fc760d2d74ea410a49dca

Download Submit
memory/2256-136-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2256-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2256-140-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2256-141-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2256-142-0x00000000026F0000-0x000000000273E000-memory.dmp

Filesize
312KB

Download
memory/2732-134-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/2732-139-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing