aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3

Analysis

max time kernel
112s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe
Size

16KB
MD5

00d2cd2b9c97b5208ee023118ca80976
SHA1

f4c2bba6fb36039abfda175fc4316662360163f1
SHA256

aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3
SHA512

214937b6795d9ee59dc481967b664dbe8e43f953402c21fadf8bd2208d09724dc883de524c66ef6d48e75bb8119933b5f2ef5c29fb36e768a2c284536304f9af
SSDEEP

192:DmGwWlwFtG5u/9JvChQYVCH7dIPlMuNW+ruJf57VaEhS7Mv:DKWotMgJ7+CbduMuNVkf55awkMv

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "282"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\hugedomains.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2974"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "121"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377544746"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{54BE51A1-7979-11ED-98FE-466E2F293893} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "222"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\hugedomains.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "2949"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "225"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "115"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "1732"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "115"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "115"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "282"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1732"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f61d521ba95a1a428ff1e553480391d50000000002000000000010660000000100002000000077f99482b8d8771cb1f40e322df053fa290169e293e0f1fc82e11a63eef4b244000000000e8000000002000020000000cdacf5f9db1a06fdd05b7b686aebaee6aca37a346bd72e562b7cf1667ff38481900000001c473177121e38099e226f0ba3aba812b498874e0bd33cf0630133570d3d09f4240655d8942cf522178d4e323bcc7c4f207daaf71095a95eb205433a7f86e53d6d8310375be7d45f3cdcc56cc059e83d1f7a5a8bc49b378402a3d2f4cbb70dcf9e6d90a8c9170b6e7a3cdfd37ed257544848bdd35a395c9ce2dc91d4eed240f3fd5f4a1f3522607103ff062eb0f6d96940000000e7e1331d6c478e53e65cbc7ea2e61d02998b3c72a25ee1a2a0c8b5b31070a8d1586ef80b46d491d33eb544d8d4ce22c6ffe41edc602227b345b6979115a46ecd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1757"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f61d521ba95a1a428ff1e553480391d5000000000200000000001066000000010000200000003524aac7377dd3331ba7083a9cc58454b7c50977d1725f4b415b65fa44a2b9fc000000000e8000000002000020000000775fa661db99ba2ddc7fb1b806db80b69b498ad6e508871e726205db16fab34c2000000055522ca10f76f3763333dd4af0c6a9af2fd308df41e5d0ba235950313ee64f6b4000000070d35b53996f8cfecbd81273e3da915d735bb5b745e449f47e362101210bf020b5a489e6c64eea59d926510161d89c66e0e13910152575330c2992ad23d2fcec	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "307"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1572	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1572	iexplore.exe
1572	iexplore.exe
652	IEXPLORE.EXE
652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1400	1192	aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe	27
PID 1192 wrote to memory of 1400	1192	aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe	27
PID 1192 wrote to memory of 1400	1192	aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe	27
PID 1192 wrote to memory of 1400	1192	aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe	27
PID 1572 wrote to memory of 652	1572	iexplore.exe	30
PID 1572 wrote to memory of 652	1572	iexplore.exe	30
PID 1572 wrote to memory of 652	1572	iexplore.exe	30
PID 1572 wrote to memory of 652	1572	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe
"C:\Users\Admin\AppData\Local\Temp\aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe
  C:\Users\Admin\AppData\Local\Temp\aa34dfed45d8225f76ffdc57305c0f3bfb80a5d6448ac6ec225b8dabb970a2a3.exe
  2⤵
  - Modifies Internet Explorer settings
  PID:1400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1572 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
128b756d3be59fd846a3a972b84b8fd1

SHA1
c1250b6e8cf32a2be6f3aefff7134a9ebd9ad664

SHA256
1885e5d1a69fc5b29df5095824f3b73c2fe27cac566797b0a5e502c1b6489432

SHA512
800c8eb3c547eee8bf4a963e2f525daacd387c171014453f640715ad964697b6375e2e70cccfda4f30397fb585fdab55ec739a311fb1f036182222c44fddf237

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
801eb05a096e2e7f8cf81d4807be5496

SHA1
1be3c16119037cfac20b34f6fca91de4891462a8

SHA256
87aa667adaf76f5247c78f21eab00ff9f0a38f7a1e5447e8d8c4bce8573ccf2c

SHA512
5b213259e44a0e3da1ff971b2329b8a184baeb5761e47c2a1bc81df1d077032b673b6b2966691a52f29deadbe75d3e5f521ebb481a165f5ff3fa48f545312f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e718afcf01a919492c37a17d804a31d

SHA1
ff5d9e36f5f77d0727e3f36283e6cb0ab10a7ef8

SHA256
85ea3acf1305251e87ae31fd177adfc6e856bbdcb07fed572a4ab44c00b406cb

SHA512
ea58aef415b0a37f0e554bb5e13ee0fd1f3a6cbf294065f730afa99cd9c00763fdcbb2fa1be24d283afe4bcced981dcb57df6b1791c48224b8dd9fd26f345f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
5KB

MD5
c437a9c2cf077ee598aeb96d8726606f

SHA1
208e94a7eeeb831395c288a856df1f0dd51ffd69

SHA256
64e29a301f7d7a6e7772511ff7f878db93d1dea9f95015c8ebd7fee6328e67b4

SHA512
c744bf97d60282f1b3b64585916344898be26a806caaaa7204be5f39b01368de7893b0d56cf03dc5f5485d23253cad8f62520c1a0d4198d741b9e90894d76971

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8JNVLWHA.txt

Filesize
606B

MD5
c494336f999e1b97dcbc67a9098c81fd

SHA1
c8dd79467b2179c5024b740c59e7a2b37665f60a

SHA256
7aff0b03085872b6da438b020316e1b7e9efb63d48241c0dc707d4860d8213b1

SHA512
77f482651a851d35fab7c0c66d978532bda7e02ca40fedc041e22d393a2f539a81e1adfee5e1fdb12148b4ac55a0193ff345d00adbde5f25e1bb634246ac9f13

Download Submit
memory/1400-55-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1400-56-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1400-57-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download