061ad6e0b740ed0263c55a73f1cc6acdb1b2ec5527bb0047e1e11f60dbf7e2df

Analysis

max time kernel
237s
max time network
301s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 23:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17e80dadf5ad87c5c277ada54b60b73e.exe
Size

109KB
MD5

17e80dadf5ad87c5c277ada54b60b73e
SHA1

9e59aa16861c0edc2b6bc188c48084b6b51f328c
SHA256

061ad6e0b740ed0263c55a73f1cc6acdb1b2ec5527bb0047e1e11f60dbf7e2df
SHA512

9c9c80b03b7a7460ca44c144e7b5631aaafb86248f9f76a6590f574a944700abe32c6a451fc56fa3e4bd5f13e3485cf50ab81334af55e75cf01982aa40adce8d
SSDEEP

3072:2X7DItrfaocyTgfsqQOlJCeqgKJ+BCua2jq2RT0fZpk:2saocyLCWgKSTj9RTYW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2696	17e80dadf5ad87c5c277ada54b60b73e.exe
2696	17e80dadf5ad87c5c277ada54b60b73e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c193000000000020000000000106600000001000020000000a503e936edda156006882600a5e6a341b1e721e791fd5dd640c716c9a2631167000000000e8000000002000020000000b14f6145dc12e56b439f971e86fa159396b2f76df06ee53ef053b500a055757f20000000d16c9fed24af4529e1d1f2c95ef0d25182f12100cc68ec5b11f6fee9ed4e3f6b400000009184e55c022bd9141816eafd2fc7d4906d58f272d0398ce387fbd3b39bb0b052405930ca8ae9ed4a11548a385f5d9beddc0ce5907cf40ca475af7dcea0604855	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cae8c8a237da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409719349"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c193000000000020000000000106600000001000020000000eab0a97c99aa301d1a0135c6695a4df2f082f1b22bdd703f837d032b2cebe00a000000000e800000000200002000000006e033c999093b016f61dfbcfedd03e8d42993b138de734a57e19f7ebfbfec55900000003848ac8d650a979ae850121a3a01ea134a7d01763595d7058ed815c44da224dcd7243c5ff74800858ba519ae4a873fd93aca51304310e31c397ab5c78298665dd094cc842a454ebbbd4f32e51c6bba14a9a427a5c2b4a6c1a83cb2389e3702b777a5c5f0098cd15d881a3b7eb79e0a08ea15cc02716125a2a25ddf540f38cfe5181faf96f84e9a91f66e4cb9a6d6789640000000f6615eec0ac8101d28e9ea397a7a5d029516f731ae371bea14a8449799224bee6b8ece4d46f0c8ab842bdb5b9c0d5a90a31849b6b8ad44a36c67523302de089e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB0AACC1-A395-11EE-8C00-76B33C18F4CF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
484	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
484	iexplore.exe
484	iexplore.exe
436	IEXPLORE.EXE
436	IEXPLORE.EXE
436	IEXPLORE.EXE
436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 484	2696	17e80dadf5ad87c5c277ada54b60b73e.exe	28
PID 2696 wrote to memory of 484	2696	17e80dadf5ad87c5c277ada54b60b73e.exe	28
PID 2696 wrote to memory of 484	2696	17e80dadf5ad87c5c277ada54b60b73e.exe	28
PID 2696 wrote to memory of 484	2696	17e80dadf5ad87c5c277ada54b60b73e.exe	28
PID 484 wrote to memory of 436	484	iexplore.exe	29
PID 484 wrote to memory of 436	484	iexplore.exe	29
PID 484 wrote to memory of 436	484	iexplore.exe	29
PID 484 wrote to memory of 436	484	iexplore.exe	29
PID 484 wrote to memory of 436	484	iexplore.exe	29
PID 484 wrote to memory of 436	484	iexplore.exe	29
PID 484 wrote to memory of 436	484	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\17e80dadf5ad87c5c277ada54b60b73e.exe
"C:\Users\Admin\AppData\Local\Temp\17e80dadf5ad87c5c277ada54b60b73e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://rg-mechanics.net/load/0-0-0-200-20
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db37ecf25cc620251e75933b6bd25f2e

SHA1
7acba1d06bb629660febc67ce13e7250da3a638e

SHA256
102b880ef8d86cb4a74c2d6742a6fffe1ba37829a230c24015dabea7280ce3fb

SHA512
bdf0d6ecc8c2a504dade8999615dce853f02b368e931efd6719b8cc87ed0eda5b7860ef24deedbdbd0db73c6ceabf1920d247a29aa2d1132555c2f5a11da1290

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38f4e6121ee918dae1809c78f3cfa872

SHA1
eb2035fd86467f9c5f1211bf31ecf66e19e4d343

SHA256
898a6d1ae096ae00aa99ba95f96a183703ba84b602047713dc03367bbee85b4a

SHA512
52012bb7a8d2b19d06e2a79c4ba007061627eba235498179ccd2d1634d764694b62ff6d0b04d0c13485a0fdda22e0b5bbd94576b1f823a9d746bc8030386996b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1bdf708c5ebb1310ac31e9bf9bae940e

SHA1
6d1a75877b3028f4f1abc49961942d40eefeab39

SHA256
8ba56de2877cc9b227bf4e58a4e1d737af558d12c2de48803519059ad53607af

SHA512
607dab7012cf4bc6070ed140cddfaf8fbe09f780c41dba8edfd69e81894d1975aa5c98eafa19dc30f56be8931350693c6d70d217ed2b4e1b8e54e94fb12ea99c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf6938deece08cee5a47c9cc2a7de6c1

SHA1
b5323eec34dc9376c45be94bff98528eff906d08

SHA256
e7bd895779d37663130f91e358fa7aef70c19af61f1fd4aac9a0af9e7f1fc301

SHA512
f7a41bb415d13fef3c72a0ffa8e1c3e6b314552547edb8280e9b7cab1642c37ba9ccf61d096f6ce4d0c8f17bde74d6c55a5df82483e5807e3526f993ba07a3b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec4e195c6cf915517cfc93f3c596315d

SHA1
9f2336477b8341eb942454a7e186a8372e189263

SHA256
782ee11da9dbf0bfd0db2a82b0f2b2745e6a2ef3d776f5ba98829687813044a1

SHA512
d0f2f340daeb5f3b3dbd744aa1efa535a383ca4f75eecb37b35bb8b5af662d80280bc3e41d8350e0726b8f151294d963c36124a19864efa86da3590f22d45073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53cc277ae55bf361b9e2ac101be207bc

SHA1
16ce1227a7063399ca94921b6281dfe794567fc7

SHA256
b3940c20116be97d88980984685a16e2b42d4864c6af55ff3a63812f5230559f

SHA512
72f34f1b4d053a499e6115135865f44e95960d034f34819be689349212f864c1a2c7b4b557fe3d0fd4000a0ec181cd78e63225ee3652bad0562091cf01db64af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7df8cc4fc83a46b1f5fa22995ef23ee5

SHA1
16629f2d0cd13683e1dc40ba67e0672d0441f21c

SHA256
8d5e4d8e99870c2832502647e3c2c7d0f6bbd7efcbd1cdda24b2a577f8176324

SHA512
137116f32e480b41cef91f7a0d5422b778bf177da758b972fe5e2ae1818da68dbc91c29f94fb2dafda1406c1ed8dc9f02556e061cdb5101874e56764637978a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
543b40325ccdb54ecab530612bca48d4

SHA1
d2a392abc4c35bc0c11fa02a73b474f4bddac23d

SHA256
cc122eb7a78bd052fb70d7ae7c7ce4af8d5f624366df4ee03f4af3aacb56e0dc

SHA512
110887240132285940700876608dee76445af5d17fe77528000e371ddb7a0504380b22ac7ef57e5d84d8fc694efa02f7da9fe78db3f3a35d10b5f5ee8ce60779

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51f940d3abb78ea22d4216b619768fce

SHA1
cf663a51a54f85da39af801c5b8a5df8a1c05efa

SHA256
cda0a716caa2ca26ac81da1dda5aecccfeb036540cae567beeac253fc01d1390

SHA512
3ae5e0ec9b337fad1a0613091b980dd74bbf3dccdd4c1190e20413c475fa2ae6973093dad5c9276275ff855ee8b204f61d48809f9b5207544f542a8b86f81d34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f970f01eda730ac00e27e725b343c531

SHA1
e638d6182c4ad42daa1b7a7ed0534d9d410070d4

SHA256
f5b2f01df7bbc04c4b9263f0bb1bbf0bef644a50cc377bf0594b3e574f9cf391

SHA512
3a78fbf6b110f101ba621b0f09d0a12801788301f5ba1b7703b3e612e47ac4ee708564f01e3b11a80579be6c2919ab3eb00bf98a645b76b1e11464419b86fae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7299f4de91be8e16a74ed24c85fc3740

SHA1
548daf020dd83246160675b532158bdb1b07e54f

SHA256
8456f7d4d74adefaf3c0413925057baaf476430a0a9ca7b8bfd64e6407c6f530

SHA512
3b428dc9bcf826ae15f69e52e5a9a52f224e6d610e2dd25fe2d48f25dae9ca9e8e9dbab92acd78b9c34834fd55296bf7d273101a63621f109998ca7ad5806b01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c593a21e4f7d466dd681eb3feeb2bd1

SHA1
68c4c193951049fb2e45584f06a031511167ce22

SHA256
b5b0f0de9c902cce989ffe22d4721c53275b546ea8928cd6b442635c311fb6b9

SHA512
a7e260553976c4549ee4fc61af46c739fad846a16a01789fd3ff075fc37d6325577151e3e3077049f9fccbd9b52920e1c559032db270a5806e7013eaf1b4c901

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1048.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12CC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA565.tmp\System.dll

Filesize
23KB

MD5
a64b9c1f10a5434738f6efec8a1399c9

SHA1
a66e15e4125cb358c1e1998ce393f9660e4f65bb

SHA256
2d863a8cebd864ce51052984bd2031d37c9b022bb80c80ec0b1ca382160ae57b

SHA512
53510079aff46a1b98ff7e0055288af2dce8ec3224fa5869fca4c29b33b26bad7bddecde0ded08a07e162d1bfbcca1120c0717a6156967f944567eeb99f942ee

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA565.tmp\nsDialogs.dll

Filesize
11KB

MD5
51b31092bc19fff637a4b0433b2bd36e

SHA1
ed35222ff897af309ce25bd7a215c08e1188c6f2

SHA256
04e9d5b91cf9782066ccd043cb1cc2e5eda08b8340cc98ea5786597669f8237c

SHA512
c10535cd7a1dcb07eaa4975b329effe6e6563e9946f5ed4dfa42ad50c06f1ef038aeaf62868ebe7c13745328bf3bfd0a7430105683c7fa154a4cee4116df0e7a

Download Submit
memory/2696-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2696-11-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2696-12-0x000000006E3C0000-0x000000006E3CD000-memory.dmp

Filesize
52KB

Download
memory/2696-13-0x000000006E940000-0x000000006E94A000-memory.dmp

Filesize
40KB

Download