d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Size

96KB
MD5

d3410bc55b4d24901bc4c23fe7b6cb71
SHA1

aede413a82d9047b9f32a82a281879d466c31f61
SHA256

d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3
SHA512

70dee79027627b6e358bef3ff2aef11b4f54e2a1512502f2f023cec911738a5d6366abe0839b496da992f83c1b961a18f6078713ca5c3c7666e9b66b5f0e40a6
SSDEEP

768:XlUKN42vhkPqtQEKuXg8RFkdkbSMz7AnV0lv8TEQlUKN42vhkPqtQEKuXg8RFkdO:XhSIkKXgkYvcAnVKQhSIkKXgkYvcAnV

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe"	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.baidu.com/"	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.baidu.com/"	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}hell\OpenHomePage	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}hell\OpenHomePage\Command\"C:	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}hell\OpenHomePage\Command\"C:\Program Files	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}hell	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}hell\OpenHomePage\Command	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}hell\OpenHomePage\Command\	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}hell\OpenHomePage\Command\"C:\Program Files\Internet Explorer	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}hell\OpenHomePage\Command\"C:\Program Files\Internet Explorer\IEXPLORE.EXEhttp://www.baidu.com/ = "REG_SZ"	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}hell\OpenHomePage\Command\\"C:\Program Files\Internet Explorer	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4020	d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe

C:\Users\Admin\AppData\Local\Temp\d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe
"C:\Users\Admin\AppData\Local\Temp\d6c1175050c98aef2e83a8a0d677966d0911ac1e22ae0b35125ac92f4d658cc3.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads