ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d

Analysis

max time kernel
136s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe
Size

148KB
MD5

f5347a592713c95a431b3da91f0f11e3
SHA1

f8f2fda70f502176494578a93ae445fab4533d26
SHA256

ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d
SHA512

40eee3a41020e488c8ab40914fe994bace04d0948f84217c0626f1ce6b4804cd8466c0e4f438f23361e1d22975e57af18cfb2ec076c5a11d6040760bb77ffb17
SSDEEP

3072:v7o5pvCZkc9fS1UgsHFEqJKyUsxLlaSQlQa5zzq:v7ovCR9a1UgMEqJGn9QaQ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1964	Rwwtwk.exe
3192	Rwwtwk.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rwwtwk = "C:\\Users\\Admin\\AppData\\Roaming\\Rwwtwk.exe"	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 4492	2320	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	81
PID 1964 set thread context of 3192	1964	Rwwtwk.exe	85

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2889008200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001873"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D7998C13-7904-11ED-A0EE-5E349B7DFDEC} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001873"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001873"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2896509456"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2888852954"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377494697"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4492	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe
4492	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2952	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	Rwwtwk.exe
Token: SeDebugPrivilege	1580	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2952	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4492	2320	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	81
PID 2320 wrote to memory of 4492	2320	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	81
PID 2320 wrote to memory of 4492	2320	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	81
PID 2320 wrote to memory of 4492	2320	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	81
PID 2320 wrote to memory of 4492	2320	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	81
PID 2320 wrote to memory of 4492	2320	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	81
PID 2320 wrote to memory of 4492	2320	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	81
PID 2320 wrote to memory of 4492	2320	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	81
PID 4492 wrote to memory of 1964	4492	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	84
PID 4492 wrote to memory of 1964	4492	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	84
PID 4492 wrote to memory of 1964	4492	ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe	84
PID 1964 wrote to memory of 3192	1964	Rwwtwk.exe	85
PID 1964 wrote to memory of 3192	1964	Rwwtwk.exe	85
PID 1964 wrote to memory of 3192	1964	Rwwtwk.exe	85
PID 1964 wrote to memory of 3192	1964	Rwwtwk.exe	85
PID 1964 wrote to memory of 3192	1964	Rwwtwk.exe	85
PID 1964 wrote to memory of 3192	1964	Rwwtwk.exe	85
PID 1964 wrote to memory of 3192	1964	Rwwtwk.exe	85
PID 1964 wrote to memory of 3192	1964	Rwwtwk.exe	85
PID 3192 wrote to memory of 4700	3192	Rwwtwk.exe	88
PID 3192 wrote to memory of 4700	3192	Rwwtwk.exe	88
PID 3192 wrote to memory of 4700	3192	Rwwtwk.exe	88
PID 4700 wrote to memory of 2952	4700	iexplore.exe	89
PID 4700 wrote to memory of 2952	4700	iexplore.exe	89
PID 2952 wrote to memory of 1580	2952	IEXPLORE.EXE	91
PID 2952 wrote to memory of 1580	2952	IEXPLORE.EXE	91
PID 2952 wrote to memory of 1580	2952	IEXPLORE.EXE	91
PID 3192 wrote to memory of 1580	3192	Rwwtwk.exe	91
PID 3192 wrote to memory of 1580	3192	Rwwtwk.exe	91

C:\Users\Admin\AppData\Local\Temp\ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe
"C:\Users\Admin\AppData\Local\Temp\ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe
  C:\Users\Admin\AppData\Local\Temp\ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Users\Admin\AppData\Roaming\Rwwtwk.exe
    "C:\Users\Admin\AppData\Roaming\Rwwtwk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Roaming\Rwwtwk.exe
      C:\Users\Admin\AppData\Roaming\Rwwtwk.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        6⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
228d25dd7d377af29848012a2b059814

SHA1
a29a3c1e167f3581b0aa4be90b1769a89beab01c

SHA256
9d4e26398806093c8af5a60e646afb3c2fc110ea0dc93821e29dc48da62280bb

SHA512
1d004bb21f7225fe220aae71d7836c0f5b2e58cb855209e2cc7f1a903ae73b67c408f59108b31faf7caed420758f4753b476c927299da5d607304b5d3a45bc61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
9e5a88bcae1042a9148722323d9988df

SHA1
46fb73c398598864d2644c8cef87f8cb73c2c696

SHA256
9702e679582a79aa7ffc3e86bee9d25598eace564ced9711143727e162e8574f

SHA512
71c2241393edcba4e2a034a7e5e7da7b1fea6b4b75edad09993ba216868d1b7045de8e9ff9141392e97909cbbeaf2e8b2ab8c6ababf503fb32352b35311436cb

Download Submit
C:\Users\Admin\AppData\Roaming\Rwwtwk.exe

Filesize
148KB

MD5
f5347a592713c95a431b3da91f0f11e3

SHA1
f8f2fda70f502176494578a93ae445fab4533d26

SHA256
ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d

SHA512
40eee3a41020e488c8ab40914fe994bace04d0948f84217c0626f1ce6b4804cd8466c0e4f438f23361e1d22975e57af18cfb2ec076c5a11d6040760bb77ffb17

Download Submit
C:\Users\Admin\AppData\Roaming\Rwwtwk.exe

Filesize
148KB

MD5
f5347a592713c95a431b3da91f0f11e3

SHA1
f8f2fda70f502176494578a93ae445fab4533d26

SHA256
ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d

SHA512
40eee3a41020e488c8ab40914fe994bace04d0948f84217c0626f1ce6b4804cd8466c0e4f438f23361e1d22975e57af18cfb2ec076c5a11d6040760bb77ffb17

Download Submit
C:\Users\Admin\AppData\Roaming\Rwwtwk.exe

Filesize
148KB

MD5
f5347a592713c95a431b3da91f0f11e3

SHA1
f8f2fda70f502176494578a93ae445fab4533d26

SHA256
ba404633fb680896cb7e31a8687dc680934f8c8f0fd20a88422abb51edd4b46d

SHA512
40eee3a41020e488c8ab40914fe994bace04d0948f84217c0626f1ce6b4804cd8466c0e4f438f23361e1d22975e57af18cfb2ec076c5a11d6040760bb77ffb17

Download Submit
memory/1964-139-0x0000000000000000-mapping.dmp

Download
memory/1964-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1964-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3192-149-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3192-151-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3192-150-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3192-144-0x0000000000000000-mapping.dmp

Download
memory/4492-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4492-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4492-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4492-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4492-133-0x0000000000000000-mapping.dmp

Download