e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50

Analysis

max time kernel
111s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
Size

426KB
MD5

1269f325cf85ef7661e389965bbe9f20
SHA1

2f387f399df006f2980495a1cdbf06a63f794f3c
SHA256

e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50
SHA512

6c5ae3456758f082744cafbc300695fe5f2cfcbafb824510e2c040975688be3339c3e38b7ab1a8dfa065a4d1f7bcfcc4e8b9bfcb5d2cd9d218dfac7264dfa87e
SSDEEP

6144:ycD0z5qh2tlU8Dv7XRzZXUjdmj7aN3dJ9HaT7Ov4zmRBchuLAAk6ypDvxxoRAU+m:5YtbtfDzXl0sjONwjaRB4RzpDeAUVv

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008fe83fa90228ac4a9fe080c06653ad2300000000020000000000106600000001000020000000b259be759790b401c9d4e151b7072305f7434eea5769f81f72b67bf80426815d000000000e800000000200002000000097c22b9df9372256f03d661c09a44ac8863d8e8ccf0c4d2aff65aa36ab59e3df9000000006c1995303fe098cf242a202a02a3232c5b039667288b80448a360ef66df65bb5defc67ccd546881d6b7f73fa9cad0dbdc512d63041bed9edc306203eff13886ee68a6a113c91f37a0990466948021811666cce89372ce0398c16d38c2c202a77a2a00fc9027d7fcc60bda760a4d4769804603b8be9642e8cfd3a65eee1ad606470a4987d7ec4ed627566b2eff28081b400000004854a1b4fc04b8ef12589df1a0e2bcbd1c705202f70eb2e3ae622c767e950c10a12179a3471147837fe4f246d685e3db48948af608351189d36eaa9f06456940	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\513cg.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\513cg.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9C57F11-76B5-11ED-A920-7ADB5DB493F4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008fe83fa90228ac4a9fe080c06653ad23000000000200000000001066000000010000200000003976e646ddf5ccb0823220d63ec78526c9ba91fea5f2943150129372768a17f9000000000e8000000002000020000000e049a51d1af503c9738d445148122d95523e97271118ae64e066784a69f4b42a20000000cd25966561a9400351330573cb8ccac649eb46c76323e23e1567285205c59ac1400000001e0cc990cce16c4e627ee0349ea80bd8fd514d062c4f1def3eebaf9ffa62dcf64ff5f368ff7efb55120a1833d90311f9c8b1f44a85df4b67fa61de7005684dd2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6045e2cac20ad901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377240898"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
856	iexplore.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
856	iexplore.exe
856	iexplore.exe
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 936	1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe	27
PID 1064 wrote to memory of 936	1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe	27
PID 1064 wrote to memory of 936	1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe	27
PID 1064 wrote to memory of 936	1064	e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe	27
PID 564 wrote to memory of 856	564	explorer.exe	29
PID 564 wrote to memory of 856	564	explorer.exe	29
PID 564 wrote to memory of 856	564	explorer.exe	29
PID 856 wrote to memory of 1528	856	iexplore.exe	31
PID 856 wrote to memory of 1528	856	iexplore.exe	31
PID 856 wrote to memory of 1528	856	iexplore.exe	31
PID 856 wrote to memory of 1528	856	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe
"C:\Users\Admin\AppData\Local\Temp\e4837c284e99642172c0a4f061c0257e59a7427e53c6a8400a2ac614d37d5a50.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://www.513cg.com
  2⤵
  PID:936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:564
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.513cg.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9f45c9cba425e090f2bdbe91337afbc

SHA1
067fc4b157da0d9bae74e6a6f5199e844074582a

SHA256
ce60db1a66428fafc5ad11fcab413a6c77b7a541d931f4683b969126b3853e07

SHA512
1c217358d9032d70c1f844aff3c62b6c47f51e187daf7b527d34aeab6c422fc139f51751e4dafcc627b905070eaca824c6354a83436dc286436791fa77e38d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
9KB

MD5
6aaea0bafebb858930eef3aa65ed02f9

SHA1
501d4406b98886614a16cfefadd31413fa62d8ce

SHA256
1bdb2438bf1969ea5f6e3ed71a7f99b48a02ca60643724aa19ba8c1eb6b21bcb

SHA512
8e2fdc54fdb5fba0cb60271133453b3535ade94275bf0fb3f76366b10c7fc5009d05e68ed997b870965fc5ef8579d66ab82cf1a0fa1711b0bf88f0fc1ae9cf43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UD8VPWV0.txt

Filesize
608B

MD5
96bab604eceb375a01bfb2f976a40c84

SHA1
5f095e5eb0cca66f3150184e00c6b1c1b6d6b502

SHA256
65e1b40e9ed2f23397c9b6c57f57fe24f69f24ddc42485fcae91454b504f3ecb

SHA512
8ebcd24f1e3e5b638d5ff58a7a60fb215e6d0182000b783d8d0189fbd75bc48ee4c273a095b0d9f2b998ac33f104d1e4651bf7f011a2eab0f4b8c0376714c633

Download Submit
memory/564-61-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/936-59-0x00000000749B1000-0x00000000749B3000-memory.dmp

Filesize
8KB

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1064-55-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/1064-56-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/1064-60-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download