4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5

Analysis

max time kernel
136s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe
Size

367KB
MD5

f79ac1396ea7aca7f2212affe0ef0c47
SHA1

1fb05490843bed336636d584156bdca3ec1c6135
SHA256

4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5
SHA512

547ed2068a64d4e5cebe3e9cde98bd53f6978cf18684d74d2278050f72bc5292becab516d3585ada1b37e40315f080c934867b6bb1d98074a7d24774f6ce792d
SSDEEP

6144:mOwh11PzqzZBljxZ6bJyfDIZK8oW+vwXvEd7Pgr1FHr8v20xTcRoM+mN5t:mOwh11Pzqzci071vagfL8vNNsoM+8n

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377402513"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{350943FC-782E-11ED-A0EE-E289BC6C3020} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "163207697"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001659"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "163207697"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001659"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001659"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "177426498"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2368	4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe
2368	4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe
2368	4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5064	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe
Token: SeDebugPrivilege	2368	4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe
Token: SeDebugPrivilege	4980	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5064	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5064	IEXPLORE.EXE
5064	IEXPLORE.EXE
4980	IEXPLORE.EXE
4980	IEXPLORE.EXE
4980	IEXPLORE.EXE
4980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 5096	2368	4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe	80
PID 2368 wrote to memory of 5096	2368	4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe	80
PID 2368 wrote to memory of 5096	2368	4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe	80
PID 5096 wrote to memory of 5064	5096	iexplore.exe	81
PID 5096 wrote to memory of 5064	5096	iexplore.exe	81
PID 5064 wrote to memory of 4980	5064	IEXPLORE.EXE	82
PID 5064 wrote to memory of 4980	5064	IEXPLORE.EXE	82
PID 5064 wrote to memory of 4980	5064	IEXPLORE.EXE	82
PID 2368 wrote to memory of 4980	2368	4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe	82
PID 2368 wrote to memory of 4980	2368	4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe	82

C:\Users\Admin\AppData\Local\Temp\4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe
"C:\Users\Admin\AppData\Local\Temp\4a120a25bb58ff6ac470678b9a5625b423c4555de3425041a495959c737a7dd5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2e02780939de763a8bb3e91dfbf21980

SHA1
47e818dcbc1d307b43654dfe3a03b9a7625d9ce4

SHA256
971abb405a443302f8c61627933bd0f46ed6953f5815e298974e6f7532908748

SHA512
51709ae31e885719d848f619c4b3e732b0765a5349484f7c4ca524072a6b0d75f33d3f6c015a0ed4fd188a43d5cc9e0d221d1d7cca5a31a044b73fcbcebbe5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
b3f792e6e140af9af32f9ec8d0243710

SHA1
500706fb11a8f7d1d3610ba10b2f23e4f646a22a

SHA256
de17e13f7d08c31551a36094939e36d1387f17e7cd1683792b965660bb99f662

SHA512
0a68783fee18009db98acc21c4f7cc47f7f2f78d4214c809fa358e17e13109ca5b6388d4886b99cfa1ac80747d2a575c38b1da327f922a4846b6b83b083e68ae

Download Submit
memory/2368-132-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2368-133-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2368-134-0x00000000022D0000-0x000000000231E000-memory.dmp

Filesize
312KB

Download