32142eebdf31c032adf8635d393e05624a473df584515c9b52ed69c160da184d

General

Target

a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
Size

1.4MB
MD5

a298c409a8ccd9e7a025373fac8686b3
SHA1

d125c539e93a7b8d5c52ba36383b1135f372afbf
SHA256

32142eebdf31c032adf8635d393e05624a473df584515c9b52ed69c160da184d
SHA512

ee5e64cd967374d56207296c39e1a00258733af36fc2f63d32cd5b21ce8a621c8d2fffeed82ba54e46fa52cd4caa2a3564ad8cb41f2246180741ec9061dccaab
SSDEEP

24576:ZaHd06F9QtFyFwq1ybU+idP+ce+9DiSxgf1gT8SwMVQrBNvDKmUZ8p/DhXm+YwW6:wAyafbcmce2DDLQRMYBNvDKX8p/DhXmY

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d00000000020000000000106600000001000020000000218c44697c0686319a11f3309d800b249ca5d2f5dc4ba98de2d21fc6c34ffc88000000000e8000000002000020000000dc46d960b289eae7a01921f8d93dd254e0c0574521e2fda7da91ae64b7076e5320000000e322574dc4f77abebc6eb9ca6e739ee28ed55326bd7b42608480c79ea9b0d952400000007f466d2d49121ef0126967217868add7f3f71f56042fbb1487cd240c3057ba2d3b3561e97a6bac2419771e20b343aa37980006f1c37705f3e6ddf457a4e4c621	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d03c7d02b8add901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{28344F75-4418-11EE-A95E-6A662EB9E81F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d000000000200000000001066000000010000200000002237988ea6615fc70cb53eefa33572ffd059d4520522927d17248f264c78a76e000000000e80000000020000200000001ba8c1932ef820b362641d383b2eb63ee81c075065098e9ac52201362b7357212000000028d1aa6a360d5b0d740e666df6d6a00852edeff383d16fe28abf4e9b5675029c400000000fa95e63b65b25e67e146727b751cb3f959abaeb533d817384ce69011a0461567fcc6c415be54cc27a7c6f214f285947f15520e229c0c1d3b83fd08bdaca12ab	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394555208"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0058e02b8add901	iexplore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
892	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
892	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
892	iexplore.exe
892	iexplore.exe
4812	IEXPLORE.EXE
4812	IEXPLORE.EXE
4812	IEXPLORE.EXE
4812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 892	4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe	85
PID 4564 wrote to memory of 892	4564	a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe	85
PID 892 wrote to memory of 4812	892	iexplore.exe	86
PID 892 wrote to memory of 4812	892	iexplore.exe	86
PID 892 wrote to memory of 4812	892	iexplore.exe	86

C:\Users\Admin\AppData\Local\Temp\a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a298c409a8ccd9e7a025373fac8686b3_mafia_JC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://127.0.0.1:8282
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5amy22j\imagestore.dat

Filesize
1KB

MD5
363501027c398d1e9f85c0c9c98d109e

SHA1
f3573646a8f31dfe1462f4146d077259fc324b6f

SHA256
8745b67a3e77a612414a1ef9b6ba24287f15c3dd2618654e5bbdb972c9eb1362

SHA512
c4435f36d1af7898c97499b35449e8af514467a866e753f63d4346002ba385f761862d3be36c4ce9ab4142f6a3141ad9dff48cd7633efde4b9ef114fa9af75af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PQKW7621\favicon[1].ico

Filesize
1KB

MD5
36f4e7d97e40abb439ff89bfa60e1cdf

SHA1
8f31aa04e2434e6b4a18a787a6d378ea9f967154

SHA256
3e558125d591ae0eb95ba91c58e263c2d0a59f7b04b6ecb496d7857363baa99c

SHA512
cccfc172786cf3592b6b9fa7c717af8b7b9a6e1fb39e99097e6a0af6acca91e5277e1bbc1a506e732069c654a797a1ac776af61261b9576f8fc9dfb6f914175f

Download Submit

Analysis

Sharing