e5b8941b39f4134322ff7fe67117d5f070cdfed5cd5d121f29829fe9bf52e687

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
14/11/2023, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe
Size

368KB
MD5

72a0b32492da29c09de94b30d4666a63
SHA1

ae852561e30e42d2357273fc5995a42726438dec
SHA256

fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5
SHA512

d574320e8a248aa7034d0263b64660d9b8299719a544b6e60d958baa17e7b8a6209acb8e57ca4ca08ef7cfb8bbbc0199d448f241024a7af8fc5e03a9ebc9c99f
SSDEEP

3072:wAMbXIVuWJGt7UoOtjCL72miltvX6E0z4J:wbbY4FkRvLO

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com\NumberOfSubdomains = "1"	fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com	fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage	fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2084	fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe
2084	fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe

C:\Users\Admin\AppData\Local\Temp\fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe
"C:\Users\Admin\AppData\Local\Temp\fb64f14ee4dc8b8c5348211ccd545c52736fe12509ca62d567f60753679d93a5.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\index-ddc21dcc[1].css

Filesize
70KB

MD5
ee4ddb0248a08e61d9a7a0b612abc3db

SHA1
101c94bbe9505f2d8d9dc3c636a78a7771f6cbb1

SHA256
dc87bdd8f6c8d73aab092ce4553a3008da006151d590620ee412e77cfd47cec8

SHA512
5edb4973c8a00337063402721f5a42bbcea3f32d28f8f004e7fce6fb39b5204de08e13189e7fa621a1fed6d73fd4d2f15b7c2475e1c3cdd25ef3ffe52ebae810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\index-ddc21dcc[2].js

Filesize
291KB

MD5
6c412972493b54b79cb1d6da9a8331fb

SHA1
222935583fc010aea2dc383671aed698f3d00ed5

SHA256
ee4e75e270fc882301848e3792f09bda2b15ee162b1627eb54b842110da923ed

SHA512
ac59b2a0ac9b9347ae2e9cdb1d25deaa2be5379404ad5e7cc6f102316679b3e94beb554aaca6ebe6594e6f75562997d1437bba1e3c4146624fc47e0f55f8a0cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\ventors-34121a655f[1].js

Filesize
148KB

MD5
34121a655f51e2e2d240e7f8fc939d9b

SHA1
b6f500bec97c7a7272a4978a1a9137e00d228d65

SHA256
1fab3adce8298a7e5593ff5c3ccb04a49cdd14e527ed7ce62bfa5fb04ef5abf2

SHA512
13fb0d3f69f42e263ddd460f62a37d16c07cfb012ba7acc0d7262bd5f8fd4410d218348ae22712e514fb150aff36c847b5de622add4d117d4622deb0d29188a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\hiido_internal[1].js

Filesize
45KB

MD5
4398da94e9949ed337a4a31cc93b24e2

SHA1
b3e6249db556ea1e032950f70b5fb036b14f2ce3

SHA256
f6f72f2d35569e78a018e85dff2cf40597e0acb018ceb0446a7dbdeb9f46ee7e

SHA512
cb521dbccb62700d1b83e061e93a35b405343fa2338670810c74a45a3b9de9c14c294ee2b75a82d0f2282c780863ba5d7cc09b06070b668a16d3269ac250c2e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\index-762c0b1b[1].js

Filesize
105KB

MD5
85caffc6602da08cc51d994484aab59c

SHA1
64fdf66c45ae5546cf12b5a717bbd352f2d37326

SHA256
7adc89025c334604ecd322b9b1cc1aad4c326d9a4ec788124b4af34a3f448d19

SHA512
040af5124c1b16cf5dbad5a731de196d3dc6a0d43305ca7ec10b95c2f2896832334516db7769b23ca1793961159220c818b1d28bb80a370ccd45faf0c3d43b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\shim-3b979d6c[1].js

Filesize
159KB

MD5
b394806565618ace6e46683a95325956

SHA1
9d5f4af2b8ee927b984062fe61fa511b5a0ebcc7

SHA256
0cbd4100d3ec02a724999c05d12bb3af3e9f00ebcf5c1fbd1a2dee11f7031646

SHA512
ccf8605b5cd5cb12df3f6c2a248bd77f56b96f8730ecff60c8f7e9b58d7b7572a60f66ac7b0fc18797d0c0cc78c39dafbc8ae7d83eb48c34caff3992716897df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\hiido_internal[2].js

Filesize
45KB

MD5
4a73a436fa73609497fdec017baf7004

SHA1
cf3c07cfd368035edbb272b1adb6ee28025f3660

SHA256
07641545e92c1307d297b9ab010f359e88279a51b0b30b70821173fa68538add

SHA512
cf72de8b31a6aa09f73187b8059f343408cc3ffea75668ac8354a41a20de4bfccb1a59d2282f30a22b9a8fb8c822bfe4855446d6665837a73b311413fe40f31b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\index-1f19835f[2].css

Filesize
135KB

MD5
b0746600af990acc6933b9203f65e056

SHA1
55eea99652ce6dd62f5729415ad2fa9680b502db

SHA256
91c2e9cda0562bdcf91d830b8898075cab82abcc6d10daf3329449c7100c2b39

SHA512
3f860aec8e992b3292f7240e23f303ece612eaf988bbfcb64d94d1380bc8ba5af59d089f5f4f91b16d015787da11003330ecf8334306dcce062b180633120047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\sideTool-4ff64f1b[1].css

Filesize
8KB

MD5
b2b2c34fbd807eb9e3f35d99e8454ebb

SHA1
bafa7323ba78915269a87aa0e7e6e7054e9dcbd8

SHA256
3d30674ac51edf82717ae0c511ae28960ab9748f4c58fbfc90329e4c4ce61a03

SHA512
f854c1a0489c71885cf331eea22afbab8f65f3f38d653baf5ffbb272b02f1379d432c3012ded2d91138c0df1c3eac948c05dd06d515b97ff05dc4042a5d0f5e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\index-1f19835f[1].js

Filesize
2.6MB

MD5
2b9244b517e88a44a457dfc395467a98

SHA1
01564944ae06775c75885c04c20324a073bb5ae3

SHA256
8cdff7ef3e1a5226594a28f2c64c5a167678b2f2eb0b7a2c1b0da297356b1eaa

SHA512
68112740eb7ae7a91846a9f2278160e20cb7cdd33e88eb8575bdf8b854d401bb9f095be9193f2b849738d6977323e73b8f22af69a84a4add631615358d9e5fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\index-762c0b1b[1].css

Filesize
4KB

MD5
b1c6769dc2493ba4dc97625e813805c4

SHA1
eccfca0e135afcbcac9a793074750f1a5d827e10

SHA256
88915b40ae5e41f3cd1a16afea2427ad53709ae94f89236860a4d617536e7824

SHA512
16e21e87276c40145df7bb00f2b22f15c4a4b4e1a7b6665d611187ac3dffe72770b0bc9408eaf035c6af888edfef81fad3297c52a3574052d9ee4f7be29ce898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\tofuPreview-17a3ed11[1].js

Filesize
123KB

MD5
f6ddceca301c1d787609dc324a751db5

SHA1
6a85d3319ea4caf355d400ed8fae986619c4873f

SHA256
eaee4850943fc73f4dc689ca449a48a3f475de7455d266d9f8e1f495dd2bb2c4

SHA512
2501be8c4a73c444f5f9c765827a6cae4f661710705cc238fe37307a7e55a0ca0654e6fc0ca11b5cdbf4393013831e129bbd585125303599b93ecddcd2918119

Download Submit
memory/2084-135-0x000000000A860000-0x000000000A880000-memory.dmp

Filesize
128KB

Download
memory/2084-139-0x000000000A680000-0x000000000A6A0000-memory.dmp

Filesize
128KB

Download
memory/2084-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2084-113-0x0000000006C30000-0x0000000006C50000-memory.dmp

Filesize
128KB

Download
memory/2084-107-0x0000000006C30000-0x0000000006C50000-memory.dmp

Filesize
128KB

Download
memory/2084-333-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2084-359-0x0000000006C30000-0x0000000006C50000-memory.dmp

Filesize
128KB

Download
memory/2084-360-0x000000000A860000-0x000000000A880000-memory.dmp

Filesize
128KB

Download
memory/2084-361-0x000000000A680000-0x000000000A6A0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads