80489f61a6971d36ca46a467e423e09c30d2d0360e199375544b084766935a8e

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 20:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

80489f61a6971d36ca46a467e423e09c30d2d0360e199375544b084766935a8e.exe
Size

1.1MB
MD5

9bea69ceeab490218c7036d6c5ccc3f0
SHA1

3634de5fc843cfcb8ec7afc0e307afbc778fbf58
SHA256

80489f61a6971d36ca46a467e423e09c30d2d0360e199375544b084766935a8e
SHA512

273d117ad76ac4a2aa6b901e7d8ab856459b6d08dcd8f164d41307b4ad832adb5db71fada07f920de4243a2bccf91af8f539c5866d5fabfdcd200474db2b3d49
SSDEEP

24576:szYXUEmlntwVl1KcZ25qTf77E2LTKn689Ho35jMxoNQe9t9x2/I05nqHzHN:FkdtwV+cnhLTKt9HoRSeGNqHzHN

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	80489f61a6971d36ca46a467e423e09c30d2d0360e199375544b084766935a8e.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	80489f61a6971d36ca46a467e423e09c30d2d0360e199375544b084766935a8e.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000044d6574a0c42fb40a8446055ead3e8250000000002000000000010660000000100002000000071b157c7513b757a64f513ab1c14b80e0337a6ae2933d12b8a89618ff339cccd000000000e800000000200002000000089381dcfe47ff7491e2eb9682703513fd1beda0718d7e7e0b715bc0370d2fbc220000000c1392081eb93d5b4f0af9e5c9dcea95a05a7801bc3c0ad746d407a98299d84bb400000005f722ea4931338d088093fd2dc076ec679a5367d8941946e2f4d9f36ef34c2202c2f2f6cd9f8957aadb3368d1095e160224a82bf62e78d65257a4e5d9d94d70b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{959932D1-7852-11ED-9201-42465D836E7B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000044d6574a0c42fb40a8446055ead3e82500000000020000000000106600000001000020000000577a1e8067843e2d797c1f2d0c2d0e78d2d96d1d1a17a45baaab25714dc54dc9000000000e80000000020000200000001485222fec681409a9a74176b94471813986fe835d349b9818f0391936d2a13a9000000081a72d7bae05dc49ddeeb9d5bf7e33115bbc9e0741e0674838800ebe4cd437b267abc0fc66abe881a04ce333fb7c0d9d2626691395f0df2d446d56894c19080417f8f18e21d05481fdf053c6d6884080be7fbd2bb0af78f7d217bb14f7fe24fa6e2142e1ea5beb03944c41104297577e4d3d553525d34de82843cc4ab52b8e4a1e0ea3980c2bc3beea05ae4c91baeea2400000002b28325f484e303e6a5698245ffedd07639b54027aab24e9f43b04ac5600281cdef03120a27ddd417bd2b2680d3f41bc7b2c6e406b7ea9c820390b8dc1fb2249	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377418137"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 307ef9845f0cd901	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
764	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1284	80489f61a6971d36ca46a467e423e09c30d2d0360e199375544b084766935a8e.exe
1284	80489f61a6971d36ca46a467e423e09c30d2d0360e199375544b084766935a8e.exe
764	iexplore.exe
764	iexplore.exe
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 1772	764	iexplore.exe	29
PID 764 wrote to memory of 1772	764	iexplore.exe	29
PID 764 wrote to memory of 1772	764	iexplore.exe	29
PID 764 wrote to memory of 1772	764	iexplore.exe	29
PID 764 wrote to memory of 1772	764	iexplore.exe	29
PID 764 wrote to memory of 1772	764	iexplore.exe	29
PID 764 wrote to memory of 1772	764	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\80489f61a6971d36ca46a467e423e09c30d2d0360e199375544b084766935a8e.exe
"C:\Users\Admin\AppData\Local\Temp\80489f61a6971d36ca46a467e423e09c30d2d0360e199375544b084766935a8e.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
5KB

MD5
1add06d68b689877fbf047caf4c9dd0c

SHA1
9385fdea5aac6b8b4e396ee414350917ab35737f

SHA256
e3412c37747b17ff3251a955f32cf908006649bf2f467c97601812479828f8de

SHA512
42b3363b5ab0f627534bcd21ac7936c71dc1bec2b15a8533c2d05542e9f35458b7d503cb5520e19eda7420f9e0d2331d36d0e26b1506e4d4072a3f1c1b1d7fd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VYD4FKV9.txt

Filesize
603B

MD5
ad7b8787ba4bc126597915758f7f2452

SHA1
eb21f4a7718cc776727de7d0665c829252c4ab5b

SHA256
77cbee0c4969fcf80faf1f0c9b52eeaea466f8f1c29d9a7d2285454d487b7d06

SHA512
80d66552444a5fe2f01bb35506a56069ee5ba664073d8cecdfdca42c1ac1fbaa3ea2a90135e0ad20679e9e296ba599354e7ac53558cdca72d6700d853c8e0b95

Download Submit
memory/1284-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download