6e228ee890c028a15a9cf32a3166d8bed09c9959741a8083225c50b7de3038d0

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-01-2023 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCAN_DT6281.html
Size

1.2MB
MD5

f0b615c8a648722fcdcc6a1f055c0bc0
SHA1

5e6a22b9044c9d684a3392391b23a762182ef5b3
SHA256

4efc4cc462a27245945ee90465caef589b71c41b33bf6d24ce2e6f74b75fdbe7
SHA512

9a5de209c7eaa3f0766fa0c4448302fd778401da9720347b5a4e5ae10eb6e6a065b7a86391c8dcac1d38f998ed4091b6a21fbcc3ad8f717e1e16737b757e2d75
SSDEEP

24576:dcEyMGTCmlO13OxIZGrntxnlvdcA09Xq3RzKJzIcZBENivdcAEYMfvG:qB8eDnt5Bx+AUBDxFMfO

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 005b3f074b24d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{31325E31-903E-11ED-B25A-FE72C9E2D9C9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e5df4c3e62a09947ab62b4d11602c04e000000000200000000001066000000010000200000008ff02219a4f87f4188c872db301b7a9ec4105add76afbca51888123be8daabb0000000000e80000000020000200000001de6ff77b8cfc79f04e2768632040471ad89905bd5fdee3c2eadbc55899e07c290000000d05d899404be3bea454a6e40e5f61d3e2a58eb74dc78f6610df9d8577e992cd763a3ad28be7045a454b134f64054c66becc09a7c5bb7007db36dc6730b3dd8a6caabfc956f391907eb1960633fbb2aefd7ba94b1313a9e2a5b3fae242eb08417e3780d5d7e16275bc4451bb4042c6649c2da4b6b89e5983621a45a529812e68e6092536537fc1f524e865b6fedb7fe3040000000098036abfca4eaeaa1ef3e69f0af09c6de6ea2cc4be1b615476546bb93d831e1d6e5f21f3cc28aa270a121fbab8be3d25da998948875725e3e0e571178eb5986	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e5df4c3e62a09947ab62b4d11602c04e0000000002000000000010660000000100002000000092d19122ffb235f39118f8748823fed31817ae0157b66fa158ec236c2be0f46c000000000e8000000002000020000000f42c1a3d2265119f18eb4c3ca6b2086e378613646ed5ff3cf5dc22c15fa89069200000005e0707e90ad60d4fd0ec00fbe6526db8103da1eb7758a2ac24f5d89c1f96756640000000fbd64d76998cbaee33ba471d3f138f638516dd1e23b71b31e906672ee1c8b2f537f8424210a08154fc328e352ee1e858083514b47c0cf8341da9bf45b827adfb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "380048213"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1852	AUDIODG.EXE
Token: 33	1852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1852	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1636 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1636 iexplore.exe
1636 iexplore.exe
1828 IEXPLORE.EXE
1828 IEXPLORE.EXE
1828 IEXPLORE.EXE
1828 IEXPLORE.EXE
1828 IEXPLORE.EXE
1828 IEXPLORE.EXE

pid	process
1636	iexplore.exe

pid	process
1636	iexplore.exe
1636	iexplore.exe
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1636 wrote to memory of 1828	1636	iexplore.exe	IEXPLORE.EXE
PID 1636 wrote to memory of 1828	1636	iexplore.exe	IEXPLORE.EXE
PID 1636 wrote to memory of 1828	1636	iexplore.exe	IEXPLORE.EXE
PID 1636 wrote to memory of 1828	1636	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\SCAN_DT6281.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1636 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1620

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W6HPCSC0.txt
Filesize
603B

MD5
42fbff4a5cd0e1117c4b5059b8a5767a

SHA1
bc7caa1193ff53c9c8fb5965c18f3859412e3b27

SHA256
a0536cc310d4077ef4cb19d39978e639f9e2f8b05ab1340b90ad1441cd8a15aa

SHA512
6506ff8a1bddeabdefaad3b0389e0db1b832000356feb9841c7c0924e42f1e049b5afa9f428fcf413e9ecda9df7a8a41335912176c4984de1e6a1fc2d446ef5a

Download Submit
memory/1620-54-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download