d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 14:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Size

25KB
MD5

ac7849de3120a3ddb72af08bd426a8bd
SHA1

904eb51be8d1bf8e4b7df4bcb623676fe9fa113e
SHA256

d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587
SHA512

301ffd3a4b2696df8ca9b43929438e5b74c73fcce52122046b5fe693c71ad8332d379f294a0075254ca68d144cd64bf4cffcd2ec2e26fd75345fa6ba6f70f291
SSDEEP

384:tlT/W+52Y+nyDGJp7oFtwcp/mDpQjlp0huQSNyPVbkTtnJWAEJc3ziJ:tlTf8Y+yiJp7oQkK28VghJWAEC38

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\setup.ad	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
File opened for modification	C:\Windows\SysWOW64\setup.ad	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
File opened for modification	C:\Windows\SysWOW64\tarpurd32.dll	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\nTimes = "66"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AA4A688D-76C9-11ED-B696-E62D9FD3CB0B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0dc9770d60ad901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2354474113"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f3d65ae3565a4d4ba7f0d50e04c194f50000000002000000000010660000000100002000000008413433d067df12ed3f72249b43f86f2b02431745074f345eefb6c2f5f05089000000000e80000000020000200000004600a6f82e1dc37f6e861e13cba62b523e99d683c28500b43a114029b31e3a1f2000000090d37c74535741972fa2b917d04b1b803b3c5eea17f80ac6f5e0e50890692d97400000006aabf16f9fcd9d412a9144717206cca383d4e82f390e63aea4fe7a4dc7a6f52dd81fb5a558a704e2edc97348ebbb6f7035b93beff47c63c94e402bdbd0030732	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377249410"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001302"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2354628948"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001302"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Modifies registry class 49 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\ = "IContextMenu Shell Extension.."	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\Version = "1.0"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ProgID	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\VERSION	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Implemented Categories	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\FLAGS	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\Clsid	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\TypeLib	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B3FD067-74E7-4809-B908-DF358CF1A511}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\FLAGS\ = "0"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\tarpurd32.dll"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\HELPDIR\ = "C:\\Windows\\system32"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\Clsid\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Programmable	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\HELPDIR	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "_ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\Version = "1.0"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\ = "pIContextMenu.ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\VERSION\ = "1.0"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32\ThreadingModel = "Apartment"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0\win32	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "_ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ = "pIContextMenu.ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ProgID\ = "pIContextMenu.ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32\ = "C:\\Windows\\SysWow64\\tarpurd32.dll"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2100	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
4944	IEXPLORE.EXE
4944	IEXPLORE.EXE
4944	IEXPLORE.EXE
4944	IEXPLORE.EXE
4944	IEXPLORE.EXE
4944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 1344	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	81
PID 4172 wrote to memory of 1344	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	81
PID 4172 wrote to memory of 1344	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	81
PID 1344 wrote to memory of 2100	1344	iexplore.exe	82
PID 1344 wrote to memory of 2100	1344	iexplore.exe	82
PID 2100 wrote to memory of 4944	2100	IEXPLORE.EXE	83
PID 2100 wrote to memory of 4944	2100	IEXPLORE.EXE	83
PID 2100 wrote to memory of 4944	2100	IEXPLORE.EXE	83
PID 4172 wrote to memory of 1952	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	84
PID 4172 wrote to memory of 1952	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	84
PID 4172 wrote to memory of 1952	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	84
PID 1952 wrote to memory of 2556	1952	iexplore.exe	85
PID 1952 wrote to memory of 2556	1952	iexplore.exe	85
PID 4172 wrote to memory of 4556	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	86
PID 4172 wrote to memory of 4556	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	86
PID 4172 wrote to memory of 4556	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	86
PID 4556 wrote to memory of 5016	4556	iexplore.exe	87
PID 4556 wrote to memory of 5016	4556	iexplore.exe	87
PID 4172 wrote to memory of 3272	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	88
PID 4172 wrote to memory of 3272	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	88
PID 4172 wrote to memory of 3272	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	88
PID 3272 wrote to memory of 4528	3272	iexplore.exe	89
PID 3272 wrote to memory of 4528	3272	iexplore.exe	89
PID 4172 wrote to memory of 1392	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	90
PID 4172 wrote to memory of 1392	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	90
PID 4172 wrote to memory of 1392	4172	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	90

C:\Users\Admin\AppData\Local\Temp\d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
"C:\Users\Admin\AppData\Local\Temp\d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628546.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628546.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4944
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628546.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628546.html
    3⤵
    - Modifies Internet Explorer settings
    PID:2556
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628635.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628635.html
    3⤵
    - Modifies Internet Explorer settings
    PID:5016
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628635.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628635.html
    3⤵
    - Modifies Internet Explorer settings
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_zh.bat
  2⤵
  PID:1392

Network

DNS

u.9lwan.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

u.9lwan.com

IN A

Response
DNS

u.9lwan.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

u.9lwan.com

IN A

Response
DNS

226.101.242.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

226.101.242.52.in-addr.arpa

IN PTR

Response
DNS

0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

Remote address:

8.8.8.8:53

Request

0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

93.184.221.240:80

260 B
5
93.184.220.29:80

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
104.80.225.205:443

322 B
7
93.184.220.29:80

IEXPLORE.EXE

260 B
5
204.79.197.200:443

ieonline.microsoft.com

IEXPLORE.EXE

156 B
3
204.79.197.200:443

ieonline.microsoft.com

IEXPLORE.EXE

156 B
3
93.184.220.29:80

IEXPLORE.EXE

260 B
5
93.184.221.240:80

322 B
7
20.189.173.2:443

184 B
4

8.8.8.8:53

u.9lwan.com

dns

IEXPLORE.EXE

57 B
118 B
1
1

DNS Request

u.9lwan.com
8.8.8.8:53

u.9lwan.com

dns

IEXPLORE.EXE

57 B
118 B
1
1

DNS Request

u.9lwan.com
8.8.8.8:53

226.101.242.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

226.101.242.52.in-addr.arpa
8.8.8.8:53

0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

dns

118 B
204 B
1
1

DNS Request

0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_zh.bat

Filesize
248B

MD5
f4550899a106e7b10b4365ac6231308f

SHA1
c6a1482896918945e43f11eb29fc7a26649dd3b5

SHA256
03c2e0514b45d4e7cb5d18b32e8e2e14072c37d2074e3d6f6dbd766c1ebffdf7

SHA512
622cdf7732b8288fecff0128669bc090a7b6695a4e2a18aa4b69a23c4c47a8675c29710c9fc6eb373140a86e131e6d77413deac887f3a3e8b390ee566ac121f2

Download Submit
C:\Windows\SysWOW64\tarpurd32.dll

Filesize
44KB

MD5
314820a6faa4adb2a3a7c010cbecf373

SHA1
0822004226f7b4faf64c1fda9eeb8f43840baeec

SHA256
a88ed841f678b1f6d3aec197ca9b3b909bd5c03fab7b48b2217d7249419175c6

SHA512
4354745bc3e00b0906dc3902edff9cab332e45c087ac4e0a9f5a5b164e520932ef430ce9b1d340b66131963d6dc945defcf5aaeda1f75ffb92a6cf6ea78189e0

Download Submit
memory/4172-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4172-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.