140351c5c4a997f4513c400d057caa961c301f5b696f83d41addad73f8fe7e0a

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

140351c5c4a997f4513c400d057caa961c301f5b696f83d41addad73f8fe7e0a.dll
Size

380KB
MD5

02f1936f0fa7e0a3e8b194170a903690
SHA1

36a03f650492cd59c509b8959588ff7f450709bb
SHA256

140351c5c4a997f4513c400d057caa961c301f5b696f83d41addad73f8fe7e0a
SHA512

e884b44247b496d7efbdc35ed32e4580fa7c0df8fbc6c10d0eca1bd0817795ad47ce8b63f358db1257483499a9607d0992339963caf26cd3d5a8fa36dd0d30c4
SSDEEP

6144:QcQMa2MoFPk6/3hdgle9pnv5tQ0tbB15rznMnGj4EW2Id:mMa2MKf/3hdgleFFdBmenW2

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\140351c5c4a997f4513c400d057caa961c301f5b696f83d41addad73f8fe7e0a = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\140351c5c4a997f4513c400d057caa961c301f5b696f83d41addad73f8fe7e0a.dll,#1"	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4856	3540	WerFault.exe	82
2980	3540	WerFault.exe	82

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3476234282"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3456544967"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001640"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001640"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377394682"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3456544967"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F97BC656-781B-11ED-A0EE-7A46CE8ECE48} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001640"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe
3932	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3540	rundll32.exe
3932	iexplore.exe
3932	iexplore.exe
1404	IEXPLORE.EXE
1404	IEXPLORE.EXE
3932	iexplore.exe
3932	iexplore.exe
4244	IEXPLORE.EXE
4244	IEXPLORE.EXE
3932	iexplore.exe
3932	iexplore.exe
548	IEXPLORE.EXE
548	IEXPLORE.EXE
3932	iexplore.exe
3932	iexplore.exe
4772	IEXPLORE.EXE
4772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 3540	3796	rundll32.exe	82
PID 3796 wrote to memory of 3540	3796	rundll32.exe	82
PID 3796 wrote to memory of 3540	3796	rundll32.exe	82
PID 3932 wrote to memory of 1404	3932	iexplore.exe	85
PID 3932 wrote to memory of 1404	3932	iexplore.exe	85
PID 3932 wrote to memory of 1404	3932	iexplore.exe	85
PID 3932 wrote to memory of 4244	3932	iexplore.exe	94
PID 3932 wrote to memory of 4244	3932	iexplore.exe	94
PID 3932 wrote to memory of 4244	3932	iexplore.exe	94
PID 3932 wrote to memory of 548	3932	iexplore.exe	95
PID 3932 wrote to memory of 548	3932	iexplore.exe	95
PID 3932 wrote to memory of 548	3932	iexplore.exe	95
PID 3932 wrote to memory of 4772	3932	iexplore.exe	97
PID 3932 wrote to memory of 4772	3932	iexplore.exe	97
PID 3932 wrote to memory of 4772	3932	iexplore.exe	97

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\140351c5c4a997f4513c400d057caa961c301f5b696f83d41addad73f8fe7e0a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\140351c5c4a997f4513c400d057caa961c301f5b696f83d41addad73f8fe7e0a.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:3540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 696
    3⤵
    - Program crash
    PID:4856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 976
    3⤵
    - Program crash
    PID:2980

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3932 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1404
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3932 CREDAT:82986 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3932 CREDAT:82990 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:548
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3932 CREDAT:83036 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3540 -ip 3540
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3540 -ip 3540
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2e02780939de763a8bb3e91dfbf21980

SHA1
47e818dcbc1d307b43654dfe3a03b9a7625d9ce4

SHA256
971abb405a443302f8c61627933bd0f46ed6953f5815e298974e6f7532908748

SHA512
51709ae31e885719d848f619c4b3e732b0765a5349484f7c4ca524072a6b0d75f33d3f6c015a0ed4fd188a43d5cc9e0d221d1d7cca5a31a044b73fcbcebbe5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
81961912479ca9f99cbc6a3c077b288e

SHA1
c4d743bbf701ad4b36c5c6d14362682cba248b30

SHA256
6cf19abf2b0f0bec16bbecf02225584ec1376a6946aa7b8a50382128d52430d9

SHA512
d8a89ca9748299c98e455e07597d2ed8419e807083a004da9defd388ae6a92611d6d57686ceed528cef6072618276648699f235c82c3a25fcd40ea114c9f33e0

Download Submit
memory/3540-133-0x00000000029D0000-0x0000000002A07000-memory.dmp

Filesize
220KB

Download
memory/3540-134-0x0000000002A20000-0x0000000002A7F000-memory.dmp

Filesize
380KB

Download
memory/3540-138-0x00000000029D0000-0x0000000002A07000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads