d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
23/11/2023, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
Size

14.5MB
MD5

87d43ece183a7d7a589085b8ecc2ceec
SHA1

f32cb4aad1f47e51de17f4265f6cad5033a58e19
SHA256

d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d
SHA512

5d135b6cd88d70cce872e6fd7fda99903a25fb70b903f6a4c73b9880ad8ca92cae9483a34835f9cc590eb0faac84a6abb9f843e102bfda16728ea676aa150f8e
SSDEEP

393216:a7/LuDxzwkqldhak4QB30A6oxuTYNytmEYOO:a7/LuDx0vdhakfBEA6oxuTkytmAO

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\International\CpMRU	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2248	2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe	28
PID 2360 wrote to memory of 2248	2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe	28
PID 2360 wrote to memory of 2248	2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe	28
PID 2360 wrote to memory of 2248	2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe	28
PID 2360 wrote to memory of 1684	2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe	31
PID 2360 wrote to memory of 1684	2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe	31
PID 2360 wrote to memory of 1684	2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe	31
PID 2360 wrote to memory of 1684	2360	d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe	31

C:\Users\Admin\AppData\Local\Temp\d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe
"C:\Users\Admin\AppData\Local\Temp\d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*ff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exe"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*.dll"
  2⤵
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\75b4bc17893c5e15a931319b31bc4de5.ini

Filesize
2KB

MD5
4a70c27d4800bf524894899f50d8f497

SHA1
02af00b187bf4ad146295112dc60eeeef81fcf26

SHA256
0a7d6634cd3f3788d5b4d0cf80e57ec2a3460a48172013ec19356302e60faf02

SHA512
8fc1376ab5bab2fbb79cce28509acbf2f70ba0874f67f90158a300f4bf8bc218724a261b92181e6547ff01303abd8912a33a773f20cb006acf18c0eea7841d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\75b4bc17893c5e15a931319b31bc4de5A.ini

Filesize
1KB

MD5
c0d7496332120d41a7e02d3411d9c5dc

SHA1
e6ba7a30c5f3f86b57f48e61cfec77861492f223

SHA256
538e316246ac4dbba92b1e7af7d195c67e5cdb096ead70f5a795450bfafdab7c

SHA512
31f720082fa8c66e04f3ef833acd8073c75ae98ba6ce6eae81b22c422c2fff673a39b9963cc65d9e8ddb144d261c0fcb87ae826979cc28044abda6be9658ef08

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6dff46d13b4dd935a2f2754361fe6733d4b1201d0d88b65843a0d4abf989b7d.exepack.tmp

Filesize
2KB

MD5
2da3deba5f134c4fffcd557789ff42fe

SHA1
eb96ba3ea478e84251b18f0ad77181938075edde

SHA256
62056286fbe574327b8fe2b0b899e73b9c155e7af5899ed41acf5550843625f8

SHA512
f66988b6be82ada5f27652bed6a807ceea5ba9b1cc57f8e821cd2f912db3ecb99c461d74ca943b29ef0e1b79b0d3f559c5c45047de6d9a399517bff43631574b

Download Submit
memory/2360-348-0x0000000004080000-0x0000000004090000-memory.dmp

Filesize
64KB

Download
memory/2360-370-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2360-10-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-12-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/2360-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2360-2-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2360-343-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-344-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-345-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2360-0-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-351-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2360-372-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/2360-373-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-374-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-375-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-377-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-378-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-379-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-380-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-381-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-382-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-383-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download
memory/2360-384-0x0000000000400000-0x00000000025E6000-memory.dmp

Filesize
33.9MB

Download