a3ec4bd1ce1bfe598872aac1c8a4a8db281003f4ac99e43e20d19ce49fd7ca69

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
24-06-2023 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

375KB
MD5

04b346cab54c682b9091b173b1dfbd38
SHA1

3fcc2279403de376d554f691090c1670c6ce6087
SHA256

a3ec4bd1ce1bfe598872aac1c8a4a8db281003f4ac99e43e20d19ce49fd7ca69
SHA512

f09e75514f1a4fa52d433b091510c68a7ecb4a1f976874ca07b0a7d239984dd4a604d928d5fc62c08b8cce3404bc4b615de8bc61c13675e32946ac8425d8881f
SSDEEP

6144:xaxd9NJrrnTlSq5HdBu/FHhU+Cg9ddMU9ld/zzwoh/rRo4ycXbONDe/X65:sxBJnTlSq5Hn80qDdM2TXJruHki1e/X

Score

8^/10

adware stealer

Malware Config

Signatures

Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

tmp.exe

pid process

1216 tmp.exe

pid	process
1216	tmp.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{81C57AAD-F991-48E5-A42D-51AF23F40150}	tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{81C57AAD-F991-48E5-A42D-51AF23F40150}\NoExplorer = "1"	tmp.exe

Drops file in System32 directory 7 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\gdiplus.dll	tmp.exe
File created	C:\Windows\SysWOW64\gdiplus.dll	tmp.exe
File created	C:\Windows\SysWOW64\CBRun.rar	tmp.exe
File created	C:\Windows\SysWOW64\CBExt.bpl	tmp.exe
File created	C:\Windows\SysWOW64\CBRun.bpl	tmp.exe
File created	C:\Windows\SysWOW64\AppCache.v2.dat	tmp.exe
File opened for modification	C:\Windows\SysWOW64\AppCache.v2.dat	tmp.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEtmp.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DEPon = "1"	tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DEPoff = "1"	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA58F181-1251-11EE-A9F2-DA01AA0573FA} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib\Version = "1.0"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ProgID	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Verb\	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ProxyStubClsid32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib\Version = "1.0"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ = "IntelliObjX Control"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Version	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CBXNSHandler\Clsid	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\Version = "1.0"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.EmbedWordX\ = "EmbedWordX Control"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Verb\0	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\FLAGS	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ = "IIntelliObjXEvents"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\InprocServer32\ThreadingModel = "Apartment"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ = "ICLXBaseRunEvents"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\ToolboxBitmap32	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Control	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Control	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CBXNSHandler\ = "CBXNSHandler"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\ = "CLXBaseAppX Library"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib\Version = "1.0"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib\Version = "1.0"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\InprocServer32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\MiscStatus\1\ = "205201"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\InprocServer32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.EmbedWordX\Clsid	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Verb	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\InprocServer32\ThreadingModel = "Apartment"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Verb\0\ = "Properties,0,2"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ProgID	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\TypeLib	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\MiscStatus\1\ = "205201"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ProxyStubClsid32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CLXBaseRun	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\MiscStatus\1	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CBRun.bpl,2"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ = "ICLXBaseRun"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.EmbedWordX	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Verb\0\ = "Properties,0,2"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32\ThreadingModel = "Apartment"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\HELPDIR	tmp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1344 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1344 IEXPLORE.EXE
1344 IEXPLORE.EXE
836 IEXPLORE.EXE
836 IEXPLORE.EXE
836 IEXPLORE.EXE
836 IEXPLORE.EXE

pid	process
1344	IEXPLORE.EXE

pid	process
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

tmp.exeIEXPLORE.EXE

description	pid	process	target process
PID 1216 wrote to memory of 1344	1216	tmp.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 1344	1216	tmp.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 1344	1216	tmp.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 1344	1216	tmp.exe	IEXPLORE.EXE
PID 1344 wrote to memory of 836	1344	IEXPLORE.EXE	IEXPLORE.EXE
PID 1344 wrote to memory of 836	1344	IEXPLORE.EXE	IEXPLORE.EXE
PID 1344 wrote to memory of 836	1344	IEXPLORE.EXE	IEXPLORE.EXE
PID 1344 wrote to memory of 836	1344	IEXPLORE.EXE	IEXPLORE.EXE
PID 1344 wrote to memory of 836	1344	IEXPLORE.EXE	IEXPLORE.EXE
PID 1344 wrote to memory of 836	1344	IEXPLORE.EXE	IEXPLORE.EXE
PID 1344 wrote to memory of 836	1344	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1344 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ef0d4d4f409dca44168264d2936aa640

SHA1
6bbeefc4ca2379fd7b13067304f513a217d2f4f4

SHA256
7f697f9e02406ce5dfecabf8507437498c638ba7d8532ac7726482a15bb49680

SHA512
c4cea4a8263382ad299a64f1ff9c7a18104536bfc4329eabe3748baac6daefc0a527b0d6698b2ab975e69d78859519633f67babc285884bb38d614a261855ebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a268a1e4cedd67ae060c51c455e3e23c

SHA1
5b894e4a1a930218e9a59ed60b7b95b693b268e3

SHA256
c997219bb8df4d6a447c9293177ef61a786a1e52140a44047e85a0282ac5af91

SHA512
196675d4b50ff04850e745c2f9448c64d2bede9da6fc78410e9e7e3699d5a55ec91bc8b002c14bd1c1361885a44f60a6a7cc3180235b823b450ca07bf0fb3108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9dad11fb6054703d7400aa7c47639b92

SHA1
3f04cdd8b5c27e0efc4fe0e61bea94947782bed8

SHA256
b971ba4f72d437ec976b1b5081d8bc68a77809bbbd689d3415d3095a8feba7eb

SHA512
b41a5448ce64aec412856ae45a412f88970609c0c9a8e118891bb9123604d59f0033401cde5a0962ec1775c7826becc3c590d211df1cdd7fd05d0b61c35a6552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a74b503dd5f9322649a66632ceaee19e

SHA1
1c0bc8b644b8da4d668c2bfab1c23effb59713ee

SHA256
6c4ff266b06df7523f2b1a6dee75215ca8e5bf1ee7b57875c9ab7c41a8c3d974

SHA512
d47028a3394e13a0662e83325860aaa632e338c9c702393d3a0440786209f299a6812d062bbb5912ad5656aaa710f5e12ef38946112fc88e2db2dcc505a7aa06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
caeaa5ee88d3fd697a7dd57b855c15ca

SHA1
f8f9fc0127107b1e14bed1e8f770bbd9c5f98dd6

SHA256
4494051a73e527e6e3f450af21c669b0ba80e55e9bc387a5918c7efeda4cda68

SHA512
bcbcf93666fc802dd3b1654144b337098eb8186ff2423642f50caeb872e83cb8e11a8aac45ce599916956f7dfa133e4032fd7496c64d662eb3202c9a1e977b7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
25aaa2decb96dce3713758ecce36eb65

SHA1
84161bf24187e0b45d1757a7db5cdd512382d027

SHA256
5fb18eb652105a65edf6adc308c2ccff402c148ce61edba17b0f4af9d799c7c9

SHA512
d2c66f80f783213c599df1b9c175fc71d99ac8e55fdebaec23d8d0a053d9c0dd9389d79e0d3ef73e3ba82f29cdedfe3d208ce9889e4739f302a6564bae9a3557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8feca05a3969c4a4bf7821a9171d0e1d

SHA1
4fa46947e4d25e77365c635cff2c3f1cd26037dc

SHA256
7c5b8328561a3cffae3b53c8ea50c14b1b1f80743c310fcf0c88ee54f6e0e05d

SHA512
30fd000b4043b1c28842c9683b729ab8411e39b37ecb08202e744e4d262f6c631e359fa4d424dcad16380632c358c6034162b68a0c2063e0ff4efdeb94612178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
eeffded90efacd0844b69ed624cbe389

SHA1
afafc1dce1e8385a9e0ed50d3e68b680ad518ee8

SHA256
d7001b1283a31ebdc85cc461e7388ee498c526e2d34764405f6be86c8c1791f5

SHA512
911fd9753d63bcbb6090e777031ca2969be0fc372de9d7c5794262279162329cae4e50873d15e97bec65b1da653329d8e612206f6408eb8d59629f67d28d4ad6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b5bee5e17dff58c338152c1ecf4c1acb

SHA1
3956b6949e3701ccb876c3cdbb774860b5ef9e9a

SHA256
4bf51d75161153bef8825099953e2d040c358c829dd6ac41bcdaa8caf059e1a6

SHA512
4069d525285b3eafa01862e6ed60f33f394bf7c82d2b6c38fa50a221518825ddccfbc4e3f2db67ef390115a9a8f815d5a120b09db8912e3ad5a3b5d3ca3390ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a0e379097d14362a9b7259ee846b0a13

SHA1
dc8a6cbe6d0b1e72fbb30ddd0c46808711eac14e

SHA256
f9767140de71873dfe71025f195372275d9a892a5b85caa1390f4c538e778cad

SHA512
acb361793f556b5812c484dfdfc046de5dc03f1f3a4d44070c1b0f24a71afbec12a9a7d3d20e53ae5be45629fc0685229a08ff14a4f5bf6f7875a7cc10817e15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
342733d73ab85756a3ee778ee92bd718

SHA1
06a44354fa9bbb3dabdcb914dcb7bf9e138953f7

SHA256
71a8d23aa5e785d7ed84a9f0cb96dffdead02fd40b5a662869d3943de72a90bf

SHA512
b6d801de694135e5609455195c6239f67c196b66fab962180ad5216852f5f8a1c58cc8838de6946a94a42ad5f8239d7d0c5722540116e04921171533d44e287e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5BD.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar65E.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\Windows\SysWOW64\CBRun.bpl
Filesize
7.2MB

MD5
45682678083ba2f948dd6517e1b5323b

SHA1
990c6cd98510d1d73d61bc652d2900894da0a319

SHA256
4a0d3d5680985b883446801a6e4b71d20abc643a5b8272a214defbf18843066c

SHA512
a81fb6ba09c0bec253d1c5580a27c188962293ef64a56f8ed08c7c1cf53da4579725b63266555768cc2a112688c0c46672dab33550675f9d9e9b7db7a357a92f

Download Submit
memory/1216-74-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1216-85-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/1216-115-0x0000000003EB0000-0x00000000045F5000-memory.dmp

Filesize
7.3MB

Download
memory/1216-112-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1216-107-0x0000000004900000-0x00000000049BA000-memory.dmp

Filesize
744KB

Download
memory/1216-98-0x0000000003260000-0x0000000003281000-memory.dmp

Filesize
132KB

Download
memory/1216-92-0x0000000003890000-0x000000000394A000-memory.dmp

Filesize
744KB

Download
memory/1216-114-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1216-82-0x0000000003EB0000-0x00000000045F5000-memory.dmp

Filesize
7.3MB

Download
memory/1216-55-0x00000000004F0000-0x0000000000538000-memory.dmp

Filesize
288KB

Download
memory/1216-71-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1216-70-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1216-69-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1216-62-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1216-61-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1216-60-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download