7a023e2fad2a78cfd927b21153aa690781f30f0c58dc75e52c7d7fae6446fd13

General

Target

7a023e2fad2a78cfd927b21153aa690781f30f0c58dc75e52c7d7fae6446fd13.dll
Size

101KB
MD5

d4ae0cb9493e07bbde77bb341f9943f0
SHA1

2dffdcc424f4e734a2f784c7e46584738a2616f8
SHA256

7a023e2fad2a78cfd927b21153aa690781f30f0c58dc75e52c7d7fae6446fd13
SHA512

5a42861c454c05da833df776f58388fe3cb53ee7086e8048a8ce4c02aded988a32672dd128a0d1099da464105762367b8385401abf240b5e4c6787874389d078
SSDEEP

3072:XsU+S7o2ET2Xm5h0yXkyohodNfgxEHsvAEnYc+jlp:cU+SM2ETIG0yXk6Ux6svjv

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

mscorp.exe

pid process

3768 mscorp.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3500 takeown.exe
1140 icacls.exe

pid	process
3768	mscorp.exe

pid	process
3500	takeown.exe
1140	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mscorp\ImagePath = "%SystemRoot%\\System32\\spoolsv.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mscorp\ImagePath = "%SystemRoot%\\System32\\mscorp.exe"	rundll32.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3500 takeown.exe
1140 icacls.exe
Drops file in System32 directory 2 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\system32\mscorp.exe rundll32.exe
File opened for modification C:\Windows\system32\mscorp.exe rundll32.exe

pid	process
3500	takeown.exe
1140	icacls.exe

description	ioc	process
File created	C:\Windows\system32\mscorp.exe	rundll32.exe
File opened for modification	C:\Windows\system32\mscorp.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005fba934e30d5d94caf93a9a26d412eae0000000002000000000010660000000100002000000083fc388b3a6797470a5197899d687923292654ff7e924fc525594b974d26c922000000000e80000000020000200000004d71d2ba9527ebadff64721cddd9842af8e444d223f692cd48779a7102d47b94200000003052c9bcc7da6256c6d7f3a4211980deabbfc549283874ed8950fae7689cb5a1400000004959519ce3df34e0329df8f644b14e2347021f0314d2cb45dfc435562a63e4e1ed840f6cf0e16e4e55ab27ba7812f23a9495dd701f31f95dd268b6379b75b230	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0E198F49-A007-11ED-89AC-7ED4F7B3352B} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31011859"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3967586328"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00aeeeef1334d901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80491ef01334d901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31011859"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381783743"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3967586328"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005fba934e30d5d94caf93a9a26d412eae00000000020000000000106600000001000020000000ff00358fda53926530cc301598c9a6598d3de8644ea6a46dc9b6a160856ba15e000000000e80000000020000200000004bfe2f66aa8a15bffe563cd9787b11255b0d5c18fe41d7c0b586fb6d91180764200000001324a0b0474d23c432ea5a536c838ca2d46e06c98cc5b6f908ab977e8cd28f3c40000000bb4338a7aeec35f11f957bb2d36d512d924e7b0de4dbf362162a94efc2fd00e5d86cd18953a13191fe0b137344529569fdd7f9293e5268423949f59d14c7783e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

4428 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

4428 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

4428 IEXPLORE.EXE
4428 IEXPLORE.EXE
320 IEXPLORE.EXE
320 IEXPLORE.EXE
320 IEXPLORE.EXE
320 IEXPLORE.EXE

pid	process
4428	IEXPLORE.EXE

pid	process
4428	IEXPLORE.EXE

pid	process
4428	IEXPLORE.EXE
4428	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.execmd.exemscorp.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1800 wrote to memory of 1936	1800	rundll32.exe	cmd.exe
PID 1800 wrote to memory of 1936	1800	rundll32.exe	cmd.exe
PID 1800 wrote to memory of 3768	1800	rundll32.exe	mscorp.exe
PID 1800 wrote to memory of 3768	1800	rundll32.exe	mscorp.exe
PID 1800 wrote to memory of 3768	1800	rundll32.exe	mscorp.exe
PID 1936 wrote to memory of 3500	1936	cmd.exe	takeown.exe
PID 1936 wrote to memory of 3500	1936	cmd.exe	takeown.exe
PID 1936 wrote to memory of 1140	1936	cmd.exe	icacls.exe
PID 1936 wrote to memory of 1140	1936	cmd.exe	icacls.exe
PID 3768 wrote to memory of 3740	3768	mscorp.exe	iexplore.exe
PID 3768 wrote to memory of 3740	3768	mscorp.exe	iexplore.exe
PID 3768 wrote to memory of 3740	3768	mscorp.exe	iexplore.exe
PID 3740 wrote to memory of 4428	3740	iexplore.exe	IEXPLORE.EXE
PID 3740 wrote to memory of 4428	3740	iexplore.exe	IEXPLORE.EXE
PID 3768 wrote to memory of 3740	3768	mscorp.exe	iexplore.exe
PID 4428 wrote to memory of 320	4428	IEXPLORE.EXE	IEXPLORE.EXE
PID 4428 wrote to memory of 320	4428	IEXPLORE.EXE	IEXPLORE.EXE
PID 4428 wrote to memory of 320	4428	IEXPLORE.EXE	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a023e2fad2a78cfd927b21153aa690781f30f0c58dc75e52c7d7fae6446fd13.dll,#1
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\system32\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\mscorp.exe" && icacls "C:\Windows\system32\mscorp.exe" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\mscorp.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3500

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\mscorp.exe" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1140

C:\Windows\system32\mscorp.exe
C:\Windows\system32\mscorp.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768

C:\program files (x86)\Internet Explorer\iexplore.exe
"C:\program files (x86)\Internet Explorer\iexplore.exe" google.com
3⤵
- Suspicious use of WriteProcessMemory
PID:3740

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" google.com
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4428

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4428 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\mscorp.exe
Filesize
28KB

MD5
7a761c26dcf4c1e3b607bb09a17a6691

SHA1
3348c59e794f19cc328ab262c2c0b57d25656d8e

SHA256
21b3ecefc540dd04a9e30d8bb8333279faef495661be9d99bbbb2cc43db8bd68

SHA512
56b2a3041c37d3a3b8f2b622aca71145dd8db0b5b8a16f8bd86170af83e683c2bc824ca8912c71ce3447152f44854e9b529fd2c79aae06910c62dc313947ef1b

Download Submit
C:\Windows\system32\mscorp.exe
Filesize
28KB

MD5
7a761c26dcf4c1e3b607bb09a17a6691

SHA1
3348c59e794f19cc328ab262c2c0b57d25656d8e

SHA256
21b3ecefc540dd04a9e30d8bb8333279faef495661be9d99bbbb2cc43db8bd68

SHA512
56b2a3041c37d3a3b8f2b622aca71145dd8db0b5b8a16f8bd86170af83e683c2bc824ca8912c71ce3447152f44854e9b529fd2c79aae06910c62dc313947ef1b

Download Submit
memory/1140-137-0x0000000000000000-mapping.dmp

Download
memory/1936-132-0x0000000000000000-mapping.dmp

Download
memory/3500-135-0x0000000000000000-mapping.dmp

Download
memory/3768-133-0x0000000000000000-mapping.dmp

Download
memory/3768-138-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads