0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe
Size

2.1MB
MD5

4108f3cd0ae3cb1e3695f59e6bf0aaa9
SHA1

0a49f30b3b1356b9b0fecfac85cada488e2dfbd8
SHA256

0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e
SHA512

4437ab7d086d94bc9a999ceb882f4b1fd1e268013d0dc47e61c32535239a985166eb56534e6d230514d0251b5eac843542887e2666e6d43e3a85d2c10ae52e07
SSDEEP

49152:i4cMJBvpsZPiJLxwGvU45G35tvpsZPiJLxwFTy:iqJBRXw0U95tRXwly

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2016	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe
2016	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\818695\dp1.fne	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe
File opened for modification	C:\Windows\SysWOW64\818695\dp1.fne	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe
File created	C:\Windows\SysWOW64\818695\krnln.fnr	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe
File created	C:\Windows\SysWOW64\818695\WAE0FEC.TXT	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a003100000000005c57959d102054656d700000360008000400efbe5457a39c5c57959d2a00000001020000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000005457a39c122041707044617461003c0008000400efbe5457a39c5457a39c2a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000005457a39c1100557365727300600008000400efbeee3a851a5457a39c2a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000005457c7a3100041646d696e00380008000400efbe5457a39c5457c7a32a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000005457a99e10204c6f63616c00380008000400efbe5457a39c5457a99e2a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2104	explorer.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2016	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe
2016	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1468	2016	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe	28
PID 2016 wrote to memory of 1468	2016	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe	28
PID 2016 wrote to memory of 1468	2016	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe	28
PID 2016 wrote to memory of 1468	2016	0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe	28

C:\Users\Admin\AppData\Local\Temp\0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe
"C:\Users\Admin\AppData\Local\Temp\0d1bc4fed492bec1ab80aecaf364d2db1236898baa3266bc29f606895f1dea4e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\818695\dp1.fne

Filesize
124KB

MD5
f274a62dd5d0cad4cebfe3ca860faa88

SHA1
673d7e882bc762312554f7b2d5430abbc5eeb10a

SHA256
429aea54799e028e192063cdd574d3dea79ba60cde9da2fe8a7ef89c5ca5fd03

SHA512
9aa65b022cf58ee57cdaf1ecb3daff8b9eb4f91e2faeb5b51382cab93a85da16b4e6a5883e31d266181767b42962278059b8afef3634d710e3ff411a0fb22a61

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
124KB

MD5
f274a62dd5d0cad4cebfe3ca860faa88

SHA1
673d7e882bc762312554f7b2d5430abbc5eeb10a

SHA256
429aea54799e028e192063cdd574d3dea79ba60cde9da2fe8a7ef89c5ca5fd03

SHA512
9aa65b022cf58ee57cdaf1ecb3daff8b9eb4f91e2faeb5b51382cab93a85da16b4e6a5883e31d266181767b42962278059b8afef3634d710e3ff411a0fb22a61

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
42c0a3a09f8bae806fe205b88acedd1a

SHA1
2d1fb548ca8a0b82729167f657936ed065799244

SHA256
80e991c46cdc1830a8b16256a04ef74ea906158531b8139b1f52de704c6a7ca5

SHA512
a020ab237573c740d16fb8ba87203d6309fbdb13b32abb395cbd661e29554e4b9f924aea0bdbf02dcb31c699e214dc3b524e08a571bd75a3a7621fa345a8aeb7

Download Submit
memory/2016-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2016-5-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2016-9-0x0000000000240000-0x0000000000261000-memory.dmp

Filesize
132KB

Download
memory/2016-15-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2016-16-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2104-17-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2104-18-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/2104-19-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download