hxxps://github[.]com/patrykq9/Metamask-Arbitrage-Trading-Bot/blob/main/setup[.]exe

Analysis

max time kernel
105s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2023 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/patrykq9/Metamask-Arbitrage-Trading-Bot/blob/main/setup.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4620	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = ebb3b15315f6d801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "877502752"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31008032"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5FC00BB5-9113-11ED-919F-FAE5CAF4041A} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000fa971a65b72fdc95e32c5729f469f0e718d924644b97d61028a43589c60e3a0c000000000e8000000002000020000000f20c2d62b50b7dde6907151e63e9b182c42a39fc3080dd90348123b09f2d75a52000000059cedc74a923732a0d46e1532d5948e758e2d62e9e74d9e5e14b95b9be408dbf40000000db797067d8ce59a306856365d41bcd13f3da8f791250a8011d8f501464944958e2978d18543141784026ea53e892837f1540c3964ec8885717faf5084c55f138	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c97480000000002000000000010660000000100002000000054af699bfbd72c452408f7eb80bc81067644271855af0873e7a83e9578529d97000000000e8000000002000020000000e8cf5f1ad80bcdf1e28930b2d4610fc23c30af126fb50ad47dc6e56e2337e1ec2000000027dee651b1fb54951cd45d6ab16339f1a7c99d4e99e3ac9671414a3890d6748c4000000072a8a425327a247e4ceb5a649f2e306d898fa537ff405497cff350859d13e4af1ecb13bb121e834ab746c6387157a03f4dff56e0a5d091ac14d7a54f845e7c04	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{529FD68A-C0EF-43DF-BD70-7E630712F53E}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "877502752"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31008032"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b911372025d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902f1b372025d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "380139768"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31008032"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "900629054"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4856	iexplore.exe
4856	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4856	iexplore.exe
4856	iexplore.exe
4924	IEXPLORE.EXE
4924	IEXPLORE.EXE
4924	IEXPLORE.EXE
4924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4924	4856	iexplore.exe	79
PID 4856 wrote to memory of 4924	4856	iexplore.exe	79
PID 4856 wrote to memory of 4924	4856	iexplore.exe	79
PID 4856 wrote to memory of 4620	4856	iexplore.exe	83
PID 4856 wrote to memory of 4620	4856	iexplore.exe	83

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/patrykq9/Metamask-Arbitrage-Trading-Bot/blob/main/setup.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4856 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4924
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\setup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2edb0497a0b1af9ce4fd1678e28d33ca

SHA1
a187a6aa5d6a6adaf84d883d45393d3467a969a1

SHA256
ef88897d83afa3568fd2b4d8e4c3dbebf153081b157b16074a8ed0737411e5bb

SHA512
fb929af42c1a5438a5008b67953230b3864875af25529f12bce1c4f7c4ce467e66a35ff18be15f1a0db9c81ab5f2dc6f45cc0a0b7d9199c4e9c1274557256d31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
d68eefb5d15c93f269109daf13f95e09

SHA1
2fe5d52e09478cd4d53cc4d67c4d1d424a0878ec

SHA256
c6058e93162194d19dd6f2054c0d224c6c91dc19ea314608d7b293e9b8927e76

SHA512
34306a60c53c80b35e7f816f540b9ef236582ca926bd600adf76394ef74eff0d2a53a24bb7b7cb87a419a3fc8b21afb06f7477de7768c4b223c71066bb10d857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\xyoggsx\imagestore.dat

Filesize
1KB

MD5
2d8e0433f3667bce4ed4c603f197204a

SHA1
5f9b0d79377d91b2bd9ef19f23f574ded173f62b

SHA256
72dc24649dba765056c00e1e4aaf3c62a18a2c143efade2bd81fb0c6b509fec9

SHA512
692ee78d5b6856d0b32cd6c87fd4b998fce3aae8a63ce1bbf2908aaca611315d5863851aa595c4f01e5ff287bfb9d5ab9a221cc9801dd9f1b7eda8c5afa0cae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\setup.exe

Filesize
3.8MB

MD5
cdfe1df11ea71c1b9bc1b865a8b90960

SHA1
d300c5a7d8e3722513707ae5b82201db231334c9

SHA256
a334e628d5daf5fbce24680d8db0f7f86963ca62922657c5d1b271ef414285a2

SHA512
e3eee96b51031b1d133c71a13a2ee4945764f82376ab061d6e85feb6f61a5d52c52c0a82fdb9dea9298279da9e864de9df1a975a380e2583a6c9efb3fcdbc24f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\setup.exe.du82gs5.partial

Filesize
3.8MB

MD5
cdfe1df11ea71c1b9bc1b865a8b90960

SHA1
d300c5a7d8e3722513707ae5b82201db231334c9

SHA256
a334e628d5daf5fbce24680d8db0f7f86963ca62922657c5d1b271ef414285a2

SHA512
e3eee96b51031b1d133c71a13a2ee4945764f82376ab061d6e85feb6f61a5d52c52c0a82fdb9dea9298279da9e864de9df1a975a380e2583a6c9efb3fcdbc24f

Download Submit
memory/4620-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads