79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 13:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe
Size

198KB
MD5

072635b456278b4df08efa1cd978133c
SHA1

564e44814bc13c0784135f8003c7deef55beee4d
SHA256

79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc
SHA512

a3e33cc1c1deb2c8126883475fafc69a40262ca6580e9a5a0c9362f3d747dc2ae2efab37bd84726c6d6210950fe19f30180c0849108183b39c290db6de5f3b7c
SSDEEP

3072:WBGXflGIwHoZXn6U88s/Duz9sqQhLm2k2iD0PKS1gHwHTCzj6OI5MU:WBGP8toZXb0C+Vi2yD0yS120TCCj

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 680	2352	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	80

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001615"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3719454557"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001615"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{08960863-7803-11ED-B696-4AA92575F981} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3711798834"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377383976"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001615"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3711798834"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
680	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe
680	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe
680	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	680	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe
Token: SeDebugPrivilege	680	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe
Token: SeDebugPrivilege	1672	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4580	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4580	IEXPLORE.EXE
4580	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 680	2352	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	80
PID 2352 wrote to memory of 680	2352	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	80
PID 2352 wrote to memory of 680	2352	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	80
PID 2352 wrote to memory of 680	2352	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	80
PID 2352 wrote to memory of 680	2352	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	80
PID 2352 wrote to memory of 680	2352	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	80
PID 2352 wrote to memory of 680	2352	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	80
PID 2352 wrote to memory of 680	2352	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	80
PID 2352 wrote to memory of 680	2352	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	80
PID 680 wrote to memory of 3576	680	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	81
PID 680 wrote to memory of 3576	680	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	81
PID 680 wrote to memory of 3576	680	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	81
PID 3576 wrote to memory of 4580	3576	iexplore.exe	82
PID 3576 wrote to memory of 4580	3576	iexplore.exe	82
PID 4580 wrote to memory of 1672	4580	IEXPLORE.EXE	83
PID 4580 wrote to memory of 1672	4580	IEXPLORE.EXE	83
PID 4580 wrote to memory of 1672	4580	IEXPLORE.EXE	83
PID 680 wrote to memory of 1672	680	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	83
PID 680 wrote to memory of 1672	680	79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe	83

C:\Users\Admin\AppData\Local\Temp\79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe
"C:\Users\Admin\AppData\Local\Temp\79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe
  "C:\Users\Admin\AppData\Local\Temp\79a10c8662d45d8ac129c1e56822aa6f8093d4c99c83f1dc49446d0f003aeafc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2e02780939de763a8bb3e91dfbf21980

SHA1
47e818dcbc1d307b43654dfe3a03b9a7625d9ce4

SHA256
971abb405a443302f8c61627933bd0f46ed6953f5815e298974e6f7532908748

SHA512
51709ae31e885719d848f619c4b3e732b0765a5349484f7c4ca524072a6b0d75f33d3f6c015a0ed4fd188a43d5cc9e0d221d1d7cca5a31a044b73fcbcebbe5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
a410316034ae849cdc307249ab486e47

SHA1
2119b145ea84df70cc0880414eb73d6c738ef366

SHA256
1560cd2f335f92af05c3d9d89235efa561fb9eb7fc9c81fe21314df380b627f1

SHA512
29a6f6caeb2c33f60060c4b99f8230bff1aba6aec4bebb736a0b3a06459cded50cda97e4ca0d3d66d41f3aa33feee2cfb03beb9044af306a09b276d2e1fc19b9

Download Submit
memory/680-134-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/680-137-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/680-138-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/680-139-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/680-140-0x0000000000600000-0x000000000064F000-memory.dmp

Filesize
316KB

Download
memory/2352-132-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2352-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download