b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9

Analysis

max time kernel
3s
max time network
51s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Size

45KB
MD5

8b936b3ae5b23deee98ab6e4b69e96ff
SHA1

0f0b174454bd88b4d16d558a708684320a906abe
SHA256

b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9
SHA512

a7b6c5097e1e96a31a05698039fcceb8f77380affcff4f5787bffd09738722025e3fd2b7b92069fcb9fe6418e3cdac57c63d38ecca4dd65b410be84b75291a10
SSDEEP

768:kRJ8sWszOYqYwi/bv4HoAOh3FHExerMFjbebE7YHibbbpiFt5VBb0VxOy0deysy:kRJ8sTzU/i/bv4HfOh3FkIrMF2bWb8Lr

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\dao.ico	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TYPEDURLS	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Microsoft Internet Explorer"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window Title = "Microsoft Internet Explorer"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.4462.com/?yya"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.4462.com/?yya"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\ = "´ò¿ªÖ÷Ò³(&H)"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\HideOnDesktopPerUser	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PlayFlashDXA\9 = "1"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)\Command\ = "Rundll32.exe"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\HideFolderVerbs	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PlayFlashDXA	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)\Command	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\Attributes = "0"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\WantsParseDisplayName	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PlayFlashDXA\1 = "20221209"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\DefaultIcon	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\Command\ = "iexplore.exe http://www.4462.com/?yya"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PlayFlashDXA\9 = "0"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)\Command\ = "Rundll32.exe"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\Command	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PlayFlashDXA\cdafile2 = "202251"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ = "Internet Explorer"	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)\Command	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)\Command	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 844	2036	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe	28
PID 2036 wrote to memory of 844	2036	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe	28
PID 2036 wrote to memory of 844	2036	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe	28
PID 2036 wrote to memory of 844	2036	b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe	28

C:\Users\Admin\AppData\Local\Temp\b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
"C:\Users\Admin\AppData\Local\Temp\b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
  C:\Users\Admin\AppData\Local\Temp\b55b75dd1108aeb9afdf043f2b3a08fae100bca44c68617945ef6472eb6e47b9.exe
  2⤵
  - Modifies Internet Explorer settings
  PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2036-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2036-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2036-59-0x0000000001CA0000-0x0000000001CC6000-memory.dmp

Filesize
152KB

Download
memory/2036-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads