ff453098933cc28934e999ca7054c47bc8a96a127eaa32dc64bf37d4ea138630

Analysis

max time kernel
196s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 08:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ff453098933cc28934e999ca7054c47bc8a96a127eaa32dc64bf37d4ea138630.exe
Size

2.0MB
MD5

e87c7e2bd89c8dcd04618184584fd259
SHA1

26f17119520ed7cdcec3120b6a579fb5672f475f
SHA256

ff453098933cc28934e999ca7054c47bc8a96a127eaa32dc64bf37d4ea138630
SHA512

5a4ea5d7cbd188d05b921f775303b9aa243ac59569061a52b53af56789cc71da8c97be837e9961e3031671643e571e2d552540f440271abbb36b6c20169d5fe2
SSDEEP

49152:b8fEtw6dehRbpJlKHc5GQQBwNfynMoVC:+A7qR9685swz

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1132741275"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001225"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80284945890ad901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001225"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5BCC4B7A-767C-11ED-89AC-D2D0017C8629} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001225"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001225"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e53147890ad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "903053134"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074ea8fa1f8319743ab5aebd188093c010000000002000000000010660000000100002000000021e1152a2c2612cc55669393f8a0f4d3635f9c0999e97020a0e8c8ded4dfba7b000000000e80000000020000200000005d3ea4c81fd760fe7d37cdf5438f45565100750fd3aebc3be5b619f7be6b46de200000004f7d20a04f2a06c89e7a123a1156a029d3f14cb63198eafde8398024cc9e83da4000000028526850e0482edb10e555bf21bc9027c7ae55323b2653a46b5d212538b131d4d2ccc80c858a09d2c47a529c899349a410311a7649ffb73a80a3cb72a06d2830	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377216178"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "903053134"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1132897576"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074ea8fa1f8319743ab5aebd188093c01000000000200000000001066000000010000200000002f0329466f3e5ee2a0a9886cfc99c2e900abf9e28c0a135eecdeb8cde10b5d27000000000e80000000020000200000005ec8c042adba34eb46b84941f00a6b358032dc1dc6abbbc735b572313a1813b520000000d0c7e9d95163d00a47810c299058b918348211d954199c25ae5169bbf451171340000000878eba1a33e1100d898a8d40451bc85557569274a22e00d00a9826da140a2a6b19b76f80eb51d47fea86ed052629580422102ed7a0dd57e705d9902473984e54	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3468	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3468	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1180	ff453098933cc28934e999ca7054c47bc8a96a127eaa32dc64bf37d4ea138630.exe
3468	IEXPLORE.EXE
3468	IEXPLORE.EXE
4624	IEXPLORE.EXE
4624	IEXPLORE.EXE
4624	IEXPLORE.EXE
4624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 3468	1180	ff453098933cc28934e999ca7054c47bc8a96a127eaa32dc64bf37d4ea138630.exe	78
PID 1180 wrote to memory of 3468	1180	ff453098933cc28934e999ca7054c47bc8a96a127eaa32dc64bf37d4ea138630.exe	78
PID 3468 wrote to memory of 4624	3468	IEXPLORE.EXE	79
PID 3468 wrote to memory of 4624	3468	IEXPLORE.EXE	79
PID 3468 wrote to memory of 4624	3468	IEXPLORE.EXE	79

C:\Users\Admin\AppData\Local\Temp\ff453098933cc28934e999ca7054c47bc8a96a127eaa32dc64bf37d4ea138630.exe
"C:\Users\Admin\AppData\Local\Temp\ff453098933cc28934e999ca7054c47bc8a96a127eaa32dc64bf37d4ea138630.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.a585.com/?down
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3468 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a62e66dbd157955d60808bf89987bcde

SHA1
a97e8478902ac7db7fd904300304944a41afee8e

SHA256
d34e72ae586b00a60e3526f1e75677dcffa83fd33860a771ae592e7d8320cf25

SHA512
2c969c621bd5881acf47e85b3a2977b1c43dfa80887f0ab447327162d143795ff647b8ed1aec174a868c0faf1e09eb8baa6a67ea42764b65fe4416d2168e81fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
302B

MD5
92a7a27063c84c9b90bdf4d70175f1c6

SHA1
0f4aa6c9f73c65c6db7438f9c52183f3fd1993c9

SHA256
6c84be3a04401da1cc09814f9ae3d8d7853967be484e91ca1cc61faa759a305a

SHA512
855ecacb5027ac01116b855b529933e1831ad48a3aa39ff009dcd6e7a5814b4eaccc4382fccf31068b94e75f8fd3adeb66ea70b923b707dcf9ce78eba080d357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
191f9d5d588da92066f09a8638d62efc

SHA1
3dddabfed5125c98d1c7523e9fee596ec0aa7f09

SHA256
d7de0ca73eb0c4f6d13324dce1ea89d578c1712a592c6607ab1f527775b511bd

SHA512
f08e4176e86cd6f32cb7704ca33cdb78c006eaf771489482da1d8dbeacdb4a4295de9510262314fc267c11862e702bb85f2f280b804dfad1233ccace88cbe30e

Download Submit
memory/1180-132-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/1180-135-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download