5e7fddd0c419cb08413dd353e5986e9e41663be8ff382e1665fa20eeccf97b60

Analysis

max time kernel
36s
max time network
39s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

????(?????????????,??????????).exe
Size

805KB
MD5

63126cbceb38700ed8d8b95a88bc88ee
SHA1

776f02c82ed0a814e5a342fd2ab38d206ba9afcb
SHA256

da9503e27cddce64c271b6c94d6c37f8996db7cc938eefd42f36b06bc0d9597f
SHA512

37c2d7a17c1ba82f40baca0f5372a9996f530beb5a7b614480ff812d900b541ed05c109022f25f4ab6a49d5e92b8fd6aac4068e95c6f1fb2a92526e19f132dc2
SSDEEP

3072:1+JZ/FdHbd4wYeOsK9i7AROnMVE/GpYT0WyvStvStvStvStvStvSRigj+sBouJuG:qfclvsvsvsvsvsvOigguJutvXM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37648811-1706-11EE-A029-7A00E859885E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
668	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
668	iexplore.exe
668	iexplore.exe
1484	IEXPLORE.EXE
1484	IEXPLORE.EXE
1484	IEXPLORE.EXE
1484	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 876	1716	____(_____________,__________).exe	28
PID 1716 wrote to memory of 876	1716	____(_____________,__________).exe	28
PID 1716 wrote to memory of 876	1716	____(_____________,__________).exe	28
PID 1716 wrote to memory of 668	1716	____(_____________,__________).exe	30
PID 1716 wrote to memory of 668	1716	____(_____________,__________).exe	30
PID 1716 wrote to memory of 668	1716	____(_____________,__________).exe	30
PID 668 wrote to memory of 1484	668	iexplore.exe	32
PID 668 wrote to memory of 1484	668	iexplore.exe	32
PID 668 wrote to memory of 1484	668	iexplore.exe	32
PID 668 wrote to memory of 1484	668	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\____(_____________,__________).exe
"C:\Users\Admin\AppData\Local\Temp\____(_____________,__________).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\system32\cmd.exe
  "cmd.exe"
  2⤵
  PID:876
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.carrotchou.blog/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:668 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\502E041F97D2F7B7194A1D050625B177

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea7cad67d9f48879ebf9b9a07c5c2f07

SHA1
b144af7dae5fa9f0a822cac227f0239fdf15347c

SHA256
04efd9e52abcda90c45fcd06e7e0099d56d4c7aae05164937d53f8b7daa24fe0

SHA512
3f7a15bec15e0bfccdbb9e50963457e9a80983332e824ca05ff337c164b0d8aa0c388851549dbd77b3d24616ebd4098f66d80962e96cb6a44887493cb7ed5360

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ea3e43b32369da9406bcccc70c2ddaf

SHA1
f720aa05a27261c3e888b59788e7fdd1ee4b8e66

SHA256
d0f7dfc2113d3a39ce1c10b334257bc7de50492382cb454eb45a2f691b56b961

SHA512
f8c8e3003332f19b85fa460de4ba901be9f0c895ceafc79bfe12efcb7f6a0a5fe0e112ab5f4fe5d55a681b78811beb03f9ea65af9206bdcc3d3315ed308ac41b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
931f6303fdcf81a9312f47a712fc4eb8

SHA1
078bde3c6e96b3100ccac378d9ef7c19c962e859

SHA256
a7e24ac71e80e04bb5b1ec884278fc886fa8263aedc6db6f503b6c819d180965

SHA512
faf550756b6fb99a372495f338bdff60d6cb91f7176a136aebb6d6411a9ac750c196a9f7c43b788b292c11374e3512dbb6126cdf243f40a91f62548ec3c55e9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf88acea6a856a6072027eb291af9b29

SHA1
6878fb656540fa9b86ff0bc1b29312059488c54b

SHA256
6a6d4cb1a9c90ceae1f2433959182644f13c8732a6047a6a7a10edbe99b26bf0

SHA512
7cdb405d9edb9e801e3f813c92acaa0c1e6962e90600dacf261a35bd5b405f96a1c2b97d531bd1c94aa8602791ed724b6231873aed5f6f8504a2b07fd02e94c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55e3e5207c29e8a29784078a93508c4b

SHA1
da30fae53741a69122415d37a2346f0748060213

SHA256
96d850c872ffcf35a697b21c806f87a5260fafbd8ad2ae79bfcdbe2bf2eded21

SHA512
b7636d3a1799b3784d70c0248e6dc283d87d893bf4ae41a9574d3b6f7c87c33f4541e2e59ed7ed7f1f08fc3249528eb2517063ff9cf2e525a7e9a3bef29738cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e099a5c894a47e7afc1b5fb20d8b5064

SHA1
accf49145543f0e5426f0ba0b4a00b6bb0fcad6c

SHA256
7af999aaef5a1c547158a43db25f7240561b36dadd56f38d8a97193555c49372

SHA512
299516bc5e60ee5168f98dcc84d02bf0d8880e88556005d690699e8118506bc96394c79e2d35379fd08060920a045995300c4b98647df6675aac51e129e29448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b42ef0c8e3fd69d4b44c1b4591f98f5

SHA1
5a82aa705de7cafa11eff9d13baee90e9234a76e

SHA256
166fa0d2b6adf425167ed15aa4ee0dae3994e1ac5d12eea36dd66227da720c52

SHA512
8b03bc44b50e8f23683d65861dff627c3dfe5a33a17c7e765b92044812c13ae489695f513ab539e3127938b8accc56706bf56df0c6952f825ceee862d95af5c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf345c9f63c091355ea0e38897c67323

SHA1
20499e41175296375e2b08568a59794be0ac6e36

SHA256
086c03cf900fa2efa5618ebd2a58d5aa5ee86b7c19027ec5034440171381f513

SHA512
d080dd80f15982207493de74d849c487d251babf97093200b3c75d2e3059c61829719fc886f3c37b9a696b94e7274a64dec1965ae36e2c498251fb21513b3153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7bb50df40d5a6bc89c130ab66cbb4df

SHA1
0f782f4359ca212215069dd3c0d85efbb8cfd102

SHA256
11ca350fbfe972679b0890257c013b03e6393a8cfe57b7dddded82ac0bc397c3

SHA512
3401dddfd7b0fbba18ba717b867f8f4b45ceea3772652d864220645360c4c3c6a293420795b7ab172298b910bb682f5a6ef2a5c6b2f2dccc4d4cefff04d5e4e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3fabca78a4f284aa61e28e56bc3a8ff8

SHA1
a441e2948f4f660866790ff3094f5b682fe6f0dd

SHA256
399cce27381fc31fcb656ebfa3f93681e47c6d9d3cbf69bc6966a6c56c365a00

SHA512
082d5ccdc9e64f87fc9b0263ce26f824eb385e9aef52243945b76ca25c2ff787c7231b8886cc6607ba780e4faafc92d7d20928ba93e466bf24e9ae64f985c2a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da1c974ecd35be761895f0172ee07885

SHA1
3a181ccd79fb8fa82d4962a9aaf66f0c36392c2d

SHA256
d0293cbe32fc00c785a2ad7dd7c53d877aabc51ceef477a6665eabab2e4f4591

SHA512
e88613139317d72bae592e7dd02cdabefc66ff6ad5ea94e93ecbb68580ac16ac491f8835a21249e0c20b7a99920cb8993d58d782c4feec53521e353da93325bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6C8B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6D59.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/1716-57-0x000000001B700000-0x000000001B780000-memory.dmp

Filesize
512KB

Download
memory/1716-56-0x000000001B700000-0x000000001B780000-memory.dmp

Filesize
512KB

Download
memory/1716-55-0x000000001B700000-0x000000001B780000-memory.dmp

Filesize
512KB

Download
memory/1716-54-0x0000000000FC0000-0x000000000108E000-memory.dmp

Filesize
824KB

Download