6b96e0007a49eaef5fd31cad551563f33a347f361c2c5e4c6abc37ca0d0d72af

Analysis

max time kernel
153s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 20:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b96e0007a49eaef5fd31cad551563f33a347f361c2c5e4c6abc37ca0d0d72af.exe
Size

208KB
MD5

267e574b090a153c35668fa6ab9f4e01
SHA1

7dc8402d0435788dd90e162477e56a54b7efa553
SHA256

6b96e0007a49eaef5fd31cad551563f33a347f361c2c5e4c6abc37ca0d0d72af
SHA512

6588c984cb102777b888e85c60fe6107eb19acad8905f0f2dd8cc1e8d60691c0683a0edde105a569d84154a931eb058d91423c3e0f13f1ff6830298f8923a39d
SSDEEP

6144:sZvuCYX6bmERmQ5Jt0cQ5w+QmNIkGGLfw:stlYXUZQS+kT

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6b96e0007a49eaef5fd31cad551563f33a347f361c2c5e4c6abc37ca0d0d72af.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dae5fb5fbc78a441bb5d46b32d2b550d00000000020000000000106600000001000020000000da0bc22d2caeabce05f4d531bd2a78495b9f905e190a9e2c300018ed0c09beee000000000e800000000200002000000030ea7e2c6d6dc233c9a9e6800e0313fda8d51fc07e7712518ce18b585c6f8cc72000000087a63ca39ff028595ca5ee5437d4fb5357d04f929520181cd7e266e97454ba0a40000000d8dbde4e36b1020603b63da718ca86cc44cd7e55de653e60c005201788b548a83caf003396a1ce68b97b14ef30ce3662e5884623211e2fba9dd6ee0f37f71a6a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	6b96e0007a49eaef5fd31cad551563f33a347f361c2c5e4c6abc37ca0d0d72af.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{517C3121-785B-11ED-8C11-42FEA5F7B9B2} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dae5fb5fbc78a441bb5d46b32d2b550d000000000200000000001066000000010000200000002cfb020df23656ea0fd959b6f97cb33dba0023044da6cf84bebfc779bc515d6d000000000e8000000002000020000000877bad956adc97b4e7dd3450ce2318e82d3f24a549711a1d65e9b9d836e0daed90000000e9833c4fa625f1439413b84eb705fd5add29ef10f74dcb01aee0f814d6602961a0d6d0bd94ce9f7b67774515651e5f5edd72b4039e4929efe8ad3e4597f46da62441c4603d9c26d0868059c34a4f4e0b3992aa671e79b4e59fa790445ec4182630c9949b6ceccc025e9b83471c310d31c96cbf70e9fa49e0cbe6de5ee457abcc4be9f3c090d4dfbb6bae78eeb016a1ba4000000077df671d996356c01f8019d32e47005552003496e7159d16c96607e4bd19d6960990364c37b3d45274c9d6b02296328346d6c776ee133613b6ed755ffd8dfa46	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377421907"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 905bf353680cd901	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1312	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1184	6b96e0007a49eaef5fd31cad551563f33a347f361c2c5e4c6abc37ca0d0d72af.exe
1184	6b96e0007a49eaef5fd31cad551563f33a347f361c2c5e4c6abc37ca0d0d72af.exe
1312	iexplore.exe
1312	iexplore.exe
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2016	1312	iexplore.exe	29
PID 1312 wrote to memory of 2016	1312	iexplore.exe	29
PID 1312 wrote to memory of 2016	1312	iexplore.exe	29
PID 1312 wrote to memory of 2016	1312	iexplore.exe	29
PID 1312 wrote to memory of 2016	1312	iexplore.exe	29
PID 1312 wrote to memory of 2016	1312	iexplore.exe	29
PID 1312 wrote to memory of 2016	1312	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\6b96e0007a49eaef5fd31cad551563f33a347f361c2c5e4c6abc37ca0d0d72af.exe
"C:\Users\Admin\AppData\Local\Temp\6b96e0007a49eaef5fd31cad551563f33a347f361c2c5e4c6abc37ca0d0d72af.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
5KB

MD5
c7cb65dd79566e1aee6a7c3fb3a7b42f

SHA1
34c17f79a5ccdc2d14ad31f79cf3afce1b98e421

SHA256
f3b881e10bbcffce6470f08371bf48a9fee1b6c3fba5116a1c0b476edd856c26

SHA512
e8faeb07fb3111501c3a3dd0f4b3150cf9b7be92def35b8c01ae480731db4826858ab2e03a4c0ac3471b92fd45062c1ce2dd7a0c8ff2014526ac20a51445623f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1YFBOE3C.txt

Filesize
606B

MD5
0547be2e99df0184cf48ea308d9b327e

SHA1
2f2005f22c75c7fe2c464ea424d7d77394facbe5

SHA256
7af7493aa89c4560113ec289a9156fb8e40d421499c37a398c3e98a4bfab84ea

SHA512
4a368da6f6fa08197b9bcc8548056a3a795435e6e59bd88ce4f7af243cfe519e5683fe7ca73c195cefeeacb5dc1dc7e4e1112f1f5c9dc420953ecb830668b364

Download Submit
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download