cee81cafb953b0d7a0739463b8be21fcef6a033374c257cd7b2569e0035afef5

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2023 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cee81cafb953b0d7a0739463b8be21fcef6a033374c257cd7b2569e0035afef5.exe
Size

484KB
MD5

2086fbc069ecf841de389482021f97fb
SHA1

66b0cf650dbbd53247ee47b1968ecf306a6242f2
SHA256

cee81cafb953b0d7a0739463b8be21fcef6a033374c257cd7b2569e0035afef5
SHA512

b368e2f1010ef72259e0af5499611a0268810513ec12d21c2715d627bdcc27e419275e29b408d7fe8c2fa1a01d42a35b014b63bd3e287b293acb0baa4126e9cb
SSDEEP

12288:iu4lNAtYytvS5Aku1YLYxdkUoDj9JU01tuMsTp:iwhtvSLupeUoPo0uM

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9908441A-E661-4691-9624-30AEB9225C9C}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2739107370"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70c23da4c8d8d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CE7EB8C0-44BB-11EE-877E-72BA02C93D25} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31054024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\DOMStorage\gtimg.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399893369"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\gtimg.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31054024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31054024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2739107370"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000035bca1fda3dd0a4bb84e31f373208d97000000000200000000001066000000010000200000002d7fd112e118e0161038e6b979f090153aae8b059b8b1e63d2920658fd3d2673000000000e8000000002000020000000754ed19f12e47542e2d99ea07d2435c05458590cf368aca6425116c3fe60254220000000ca870e346cef08bb463bb23c2e107621f5e08108f47572f548edf8a7b61b7f14400000002b5295409f7308d374bc1a4aca9ac1598dbc0afe88d140135fedea65faf8d0395e599ada6328cd1787af6bccdd2bd66aae86ccdc04f6471c0e5eb2cae1ec2483	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\gtimg.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2758822217"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-642304425-1816607141-2958861556-1000\{B96F74BC-9445-4019-B700-23DC2035B9D8}	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5028	iexplore.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: 33	1644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1644	AUDIODG.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE
Token: SeShutdownPrivilege	1384	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1384	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5028	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5028	iexplore.exe
5028	iexplore.exe
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 5028	3732	cee81cafb953b0d7a0739463b8be21fcef6a033374c257cd7b2569e0035afef5.exe	87
PID 3732 wrote to memory of 5028	3732	cee81cafb953b0d7a0739463b8be21fcef6a033374c257cd7b2569e0035afef5.exe	87
PID 5028 wrote to memory of 1384	5028	iexplore.exe	88
PID 5028 wrote to memory of 1384	5028	iexplore.exe	88
PID 5028 wrote to memory of 1384	5028	iexplore.exe	88

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:2108

C:\Users\Admin\AppData\Local\Temp\cee81cafb953b0d7a0739463b8be21fcef6a033374c257cd7b2569e0035afef5.exe
"C:\Users\Admin\AppData\Local\Temp\cee81cafb953b0d7a0739463b8be21fcef6a033374c257cd7b2569e0035afef5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://skjp.zcjczj.cn/rxzgzb.html?s=156&v=157&c=207&a=175&m=&t=1614703116
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5028 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1384

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x448 0x3d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\js71l92\imagestore.dat

Filesize
151B

MD5
546f02d1c55750d346c5470975d375d5

SHA1
2d31d9211dd5cc4aeb93ba3b9ae6807313c23bef

SHA256
9059f6f978db864b90ce2de59a711f3dbdf3175a059dde347dc8bfe73a317724

SHA512
843518d10fb283189951afa01bff4411c734dcdc174c5050f208071ee205f81bf67de74b71829541c488e8c5854c70154f1c794e25c65c2bbf6e0fd3e1001a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AEAPT34I\TCaptcha[1].js

Filesize
79KB

MD5
cf1f7b5f26170b63eb1a5fea4abb05a5

SHA1
d03a929c5f82d8d31cd8e9aaa0b686086a15ae6b

SHA256
bc4ac878d90b7721264cb605ea1efae6bc7ab573c801620651416fab052c1f4a

SHA512
97954bd96e60bbc32934db460ae71ceb8122e6be0e01b7bdd98a9a30d0744fdb9bb56f3cf65ef3967372ede0c60e0400d129375a1d9ba80eb07e779c54806588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CFFTX8HI\index[1].mp4

Filesize
48KB

MD5
7d548ad8096ed4830cf823def72ad7ca

SHA1
25c149be12aa87a1c00fa9554017948541ba618b

SHA256
ace81101836fa8c9fade88e686016c0501230f552beabb85a60d94b868ffa04b

SHA512
72316d733bf57f5130029e98622d544bde81b001f3f86fd84af3b626782b975f9c90afc5e933ecedb886b10c636c6ecf45fddf35c5ae144f92841bde04700ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E8UKABFF\5[1].js

Filesize
10B

MD5
74e1080b5e3125ca3a5abc7b340399aa

SHA1
b1e150e5809482e54c347d440f1824179c0d6d5f

SHA256
623017a5748ff1b4e9d0f227f5cd58869ae4959d1ca8fd204c9441cd11e2695b

SHA512
51985a333a6c225976863cf49eca3492f5b8a61f525d08d0bc69c25a7eecaad6fc3ec6f71420f06bb1c3fbfbd197eed6c5c4a99929bd0dbdee73ec2f88265f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E8UKABFF\favicon[1].ico

Filesize
43B

MD5
ad4b0f606e0f8465bc4c4c170b37e1a3

SHA1
50b30fd5f87c85fe5cba2635cb83316ca71250d7

SHA256
cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda

SHA512
ebfe0c0df4bcc167d5cb6ebdd379f9083df62bef63a23818e1c6adf0f64b65467ea58b7cd4d03cf0a1b1a2b07fb7b969bf35f25f1f8538cc65cf3eebdf8a0910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E8UKABFF\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit