hxxps://cdn[.]discordapp[.]com/attachments/1087849368675176460/1088103716277723146/Setup[.]rar

Resubmissions

01/04/2023, 13:15

230401-qg7r5abe91 1

01/04/2023, 13:11

230401-qe8xeabe71 1

Analysis

max time kernel
11s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2023, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1087849368675176460/1088103716277723146/Setup.rar

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d3273793ae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{00526D12-D0A0-11ED-9F77-6A765FEA1DF2} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{F5F0DA9E-EA38-49F3-8680-2A254F3FD17B}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4936	iexplore.exe
4936	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4936	iexplore.exe
4936	iexplore.exe
1240	IEXPLORE.EXE
1240	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 1240	4936	iexplore.exe	84
PID 4936 wrote to memory of 1240	4936	iexplore.exe	84
PID 4936 wrote to memory of 1240	4936	iexplore.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/1087849368675176460/1088103716277723146/Setup.rar
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4936 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b29a9758,0x7ff8b29a9768,0x7ff8b29a9778
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:2
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3300 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4464 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4340 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:8
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1904,i,12372924954067450874,12651235709830198695,131072 /prefetch:8
  2⤵
  PID:2776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
06e46e0874ddc1cb05ef0e7514f1121b

SHA1
af1e45a5aca8fefc0f822388a602b33c0a7c951a

SHA256
393190b0e3f534f3e5707a7e10e49cc32a7911cf2fca700229260fd36e1e2ba6

SHA512
45cba7155097d69c141f200ff4c2e8e2f5accfaf0ecaaf2fe3aa746a2ebf8e4e6171fa44dbca52fd65f83a73e7f79e7b0d341417cbb6354680e85a77592adb1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dda40cb389d55547793550aa0b3c34c5

SHA1
878a60f71f5539bb9a3a4ae57982eec482f7a67b

SHA256
7242d3b4e535d26bca4e436bc970c09ede09d33a25a359ef92eea8ca31ecedac

SHA512
d6bf21dab86dad35c00d6ef04637373f451dd520cad571c930cd63e8c5126c307a08d5c546d1bc95b93a9ff8a76ef58297db5b5061fc5f78a67a6b08eb0d2932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c1a949818e01c49da2e4da7d189293fc

SHA1
a28fd3e8ce1f1e3e6ada39b8eed5908d9578fc8f

SHA256
9ca44268f54c1f37b06c5d823428f12dd4b644cf2d46db1f33661b13872ffc1f

SHA512
58e4bf4957473539c089051a6d869bd33c29afa425c902d4a2cc3759c603e2159b03f188eb17872d90636ed771ae79dca4f49c891d326f8fc6df6c9e0472b707

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
e05d9397deca2a1cadf383dc39005288

SHA1
8e28377ab4254c071bd9e4dbe79281142db937f5

SHA256
8ed8d45b236794bd13b30ba257d9bbb82d8c26c113dade2ba369ded9647f39fb

SHA512
4fe7efe2118ee15a89d6af5561f0108c480b7409745494b0073195ae20af1b3a8c34fbb1d5fd2b7f220338793e7e68bc052a5e2c9225d511da15f4b0e6bc2521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
b73d9e76816a3c636df34ec197bba6c0

SHA1
cd895db776f7206777feb9a52ef986a79da9426a

SHA256
6ef9ca3c51421985f154ad13c4ce2b6a22799bce63a83f17cf91d3ce206c4b42

SHA512
58e2a2ccc56a69a5296f321713e7e5c13ba20d0b8e19eac62811c6e622a80251f18ae9241ec406fdea636393043360dfbce2bad60c87b5077e67954a57d9157f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\Setup[1].rar

Filesize
56.5MB

MD5
6305b5402391d1088f8086d21a24c241

SHA1
3eeac2dee953119bbe45eecd07c97833e97c9346

SHA256
90b0950960b30715a9f9c78ff507858c14655f55bd33ce76ff4e63d0a1eabb43

SHA512
3a40cbb093847f5372af9484bb8e9d74309e00ab556d1ad27df88da5d8482f34ffab1a12b25bc7a3b073dfe41c0fdd8fcb4251486b0ab211fb28402043aadc62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\Setup.rar.36ny18q.partial

Filesize
56.5MB

MD5
6305b5402391d1088f8086d21a24c241

SHA1
3eeac2dee953119bbe45eecd07c97833e97c9346

SHA256
90b0950960b30715a9f9c78ff507858c14655f55bd33ce76ff4e63d0a1eabb43

SHA512
3a40cbb093847f5372af9484bb8e9d74309e00ab556d1ad27df88da5d8482f34ffab1a12b25bc7a3b073dfe41c0fdd8fcb4251486b0ab211fb28402043aadc62

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads