hxxp://updater[.]prntscr[.]com/builds/setup-lightshot-5[.]5[.]0[.]7[.]exe/{tmp}\downloader[.]exe

Analysis

max time kernel
91s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://updater.prntscr.com/builds/setup-lightshot-5.5.0.7.exe/{tmp}\downloader.exe

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C181C461-1CA3-11EE-AF72-7290DE67E8EA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2517408010"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31043760"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2517408010"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31043760"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31043760"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = 6351c290b0b0d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2528188891"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\IESettingSync	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000929439ee50e204ba4f4b605da59efba00000000020000000000106600000001000020000000a6ddbfec0637b9abe44ed3d1de80178b2a96b4bc1a89341568a3d80c35fc0ae1000000000e8000000002000020000000200c73506c51accc240d52fe4edefeb98bd97a5fa1c6c7964992e2483c31ed16200000009101e3a7cb920ac56df9a0751e9fd1c07d8374d27c34e17853ff43f7f6411f5940000000e9d654dde741868731fa8db8a2d25b00e5eb27d59818dff965b03e498cc503d0a094fb1b925dd6228c084f8e31d187fa823eed6c96789a661c437ef7207627d3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://updater.prntscr.com/builds/setup-lightshot-5.5.0.7.exe/downloader.exe"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a066c790b0b0d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395484990"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5084	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5084	iexplore.exe
5084	iexplore.exe
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
5084	iexplore.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1752	5084	iexplore.exe	83
PID 5084 wrote to memory of 1752	5084	iexplore.exe	83
PID 5084 wrote to memory of 1752	5084	iexplore.exe	83

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://updater.prntscr.com/builds/setup-lightshot-5.5.0.7.exe/{tmp}\downloader.exe
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\42JDD8EA\qsml[1].xml

Filesize
272B

MD5
c59bd68d8e3d424fe03774d1c6fbd44c

SHA1
6560e3d5a3cc784cc8f8b6a9ed315b5294ffe50c

SHA256
89e88ca8b64f57abf5818fa7e70d3b4b1e9b42a51e6b68fd0e22c0956bb0c893

SHA512
e2996bbcfba298226b256b82943197be50092d148b8add2229a1df550e9f3392408374fd977d2f269ede95aeb9a481d50ff20a3bdc7afa73ed80b497c1026b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\42JDD8EA\qsml[2].xml

Filesize
268B

MD5
0066380dd9176e782bc1e2d64f000dbf

SHA1
2a00747df6ddbecdbdfff4593c4bdc7e50b4f3e0

SHA256
9648b125833ac74d858704e05181535cbe516de6960eef59e4db4df7b9ac3233

SHA512
8966f26d240bea29617d7687513d8c52be99602bb8da6b2a20f678e26fd94faf19469b186a59074b194f2f10bc811b9310caef3f48279bd4072c12a10b0e3791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\42JDD8EA\v52afc6f149f6479b8c77fa569edb01181681764108816[1].js

Filesize
19KB

MD5
d294b48fb7400508953205265f95d2e1

SHA1
fd545d38241c9c56e81f61e45cd239976ecd0b46

SHA256
13a548e040a1ec08f77911fed1d559b95e5daae0ee227e632140e003c7268e7b

SHA512
8c6093a43a410180c6358479ced2ade0140f19e7f53f482237a6465548bcdf990517cf053a69a7f2305058d82b35df20fd8bb8db535d81687042868e3c57e50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M4YEGMW2\qsml[1].xml

Filesize
277B

MD5
26952cb5586030d981d4868e0bf320f8

SHA1
1e4fe9443a23540503f148a404616326c2478607

SHA256
22457bf318421fe46285635dff50dd9605682381578c093fe931978d939440cc

SHA512
9dd6630f2db50f75bed1b8d93cf48d1e49acde23547b726aad07134e66c0adbfdcbea27e65e123ad1e7541c4383011559b12d748db59450abad1c07325afb3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M4YEGMW2\qsml[2].xml

Filesize
273B

MD5
ea75fdc256e2c6d696a117c83307ab63

SHA1
1b3c53587194ee9eac7c72dcbf1ed8e6566c7e91

SHA256
dfd1a76eb96346c1d53b2a6f850c7bd17b202c22bff326b3bbe1f88f60785529

SHA512
f671e1368b114f19dc511e3cf98fb252b40e85a3f93b5986c413482bfb1638fdec35c679c24a8c83b290f33d37408d9ecfcd8d470dcef386ebb5de650af1cd56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M4YEGMW2\qsml[3].xml

Filesize
269B

MD5
849d72e3e06acc94164e4f1ba40a104d

SHA1
c0b84dea2f3af042712d7b5d1e9a45d40381faef

SHA256
e473df832f271c44097bae02605d984a2e39fde8565742ba9c3ca0dbd01e805c

SHA512
0e7db2a48dcadded63db0fba1d229e679c49d3e69382f58a53724f6fe01923c93cce346b99eedaa451e5afae0447602441513f3d1db17d5ddfcfdb8e0fcd250d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZYPP69YI\qsml[1].xml

Filesize
274B

MD5
ba27d0c10f263c96a2718682b12901ad

SHA1
4105b45071ed434ffa4371bba9c9b9034fcfbc71

SHA256
24e1e891ebafbac685f3f8e49a7abf729268a81ff7b0e5e23f23145a35156a66

SHA512
4dd730300879ef02b10e0585ed4ab179514a15864be55dfac0591daabed08c4edd5d95fca224ac1ebb36a0f4120aad64f3dcc5921b926c95e62820b3ca303c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZYPP69YI\qsml[2].xml

Filesize
270B

MD5
12e16e297dc4eb2f0bf7111adecca0f9

SHA1
c3f956fd8745446b7e32780608d6609906310e3f

SHA256
f200deee39a83dbea824e8d5b6143d430bf95af38ba686649f79d72b48907242

SHA512
b1f4547c69b74cd15474e930972b82f0cf1f58c759139ec4379a262159933d7a342b44731ba8564ade3e90af71a88b227c90efd5926314e1a7077e5e6f8f490e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZYPP69YI\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit