e42d5e4dffcc22496d544ccb2d28d82afa6066b584dbc58b6a9cb84b611714c4

Analysis

max time kernel
135s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09334fc3aaf061d576e270ade067d237.dll
Size

66KB
MD5

09334fc3aaf061d576e270ade067d237
SHA1

a7a7b7a694d1f4db267cee5f56511037314e29cf
SHA256

e42d5e4dffcc22496d544ccb2d28d82afa6066b584dbc58b6a9cb84b611714c4
SHA512

06bc6239e0532d4e33e51329a7dba35e55886905a8350515a7ec7067dfc5609ba83c9f6f9e302d444e6ea3c8d1ac5498bbb011ea8608d478a0084fa545b21d36
SSDEEP

1536:yKaouK0rof8925RMehGW496cHqP3fqshuqRR7+/4:yKaouK99MqB49g3Bno/4

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 2532	2552	rundll32.exe	20

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409611928"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D04649D1-A29B-11EE-9FFF-CEEF1DCBEAFA} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2532	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2552	2988	rundll32.exe	16
PID 2988 wrote to memory of 2552	2988	rundll32.exe	16
PID 2988 wrote to memory of 2552	2988	rundll32.exe	16
PID 2988 wrote to memory of 2552	2988	rundll32.exe	16
PID 2988 wrote to memory of 2552	2988	rundll32.exe	16
PID 2988 wrote to memory of 2552	2988	rundll32.exe	16
PID 2988 wrote to memory of 2552	2988	rundll32.exe	16
PID 2552 wrote to memory of 2532	2552	rundll32.exe	20
PID 2552 wrote to memory of 2532	2552	rundll32.exe	20
PID 2552 wrote to memory of 2532	2552	rundll32.exe	20
PID 2552 wrote to memory of 2532	2552	rundll32.exe	20
PID 2552 wrote to memory of 2532	2552	rundll32.exe	20
PID 2532 wrote to memory of 1744	2532	IEXPLORE.EXE	19
PID 2532 wrote to memory of 1744	2532	IEXPLORE.EXE	19
PID 2532 wrote to memory of 1744	2532	IEXPLORE.EXE	19
PID 2532 wrote to memory of 1744	2532	IEXPLORE.EXE	19

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\09334fc3aaf061d576e270ade067d237.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\09334fc3aaf061d576e270ade067d237.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2532

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20726939a9a6d8bf91fe6a21416a94b6

SHA1
b32255128f556cd083ac7748422c68467913b652

SHA256
bbdd1480b125c24cf965bd9af1537098246e0cd6f180fbe8755423524967d84b

SHA512
3ce4f571a31aa58bbac9195a8ad8b7bfda7e3b8662fcfe3deba85f5ee417e09d61081ed80819aa5ee42df7411bf94f277126e748234b629523311a0d1d3ffb4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1508de949e965be7b985e5e6b50bb2d

SHA1
17b695e2432c1c0c5d3c3cebea788a41ba91d93a

SHA256
eb97dafa8141ed7f8650ec4b756f8a4c38efa3ed1ccc8f92cf73ccee235c84c6

SHA512
297bface82471f9372ba746276a708eff7c50e24dd5a3a0c6c9f6843d89bbfe39488d2ad45f29b2fe4c4ae9eb4da69fde00b60b59eb2e883d39b0063a9362d20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
855c8959019605e74be44718cba3e643

SHA1
783e8869fc7abf74c329ec04b2e00b3fcbce0df5

SHA256
1561f4a108d96525cca8c8607bf186d42cc57201d250e48b0a0598318026cf24

SHA512
eb22f66f6bcc6c1c533e0bb8e523f6bc70fcb1d07da80f4647c5f4a6bb4f120ed1b40c3308267f7a953a40fdf07466dd28bd76135aa09b7727d79955064d1063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb76f07ed8fd7c1c004f2b38725623a6

SHA1
78a5933b7ab3a1ddf9ba30adeb8cb2694a826db3

SHA256
f07ec88ad9ad19e183e82c574ed9383e6d5a57c0b7fcabeb06ee7df6722ae1af

SHA512
e4dfb0567e458ee3065478dc18a7e331e52df2dc5bcc8ffc0bf3e084b199815243009894a896e3f9704712cc7ae9dd77a25cbeb7b30a14650b8f1b0595bcc808

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5bbd366e9f362f06effe195f9d1c27ee

SHA1
0cd5e5e929175bc49cc77b05d1605fed345feeef

SHA256
9fce8bf4991d4a341df1922af6962246bb1c653acaace919e9e04eb5bacd52be

SHA512
dbbe4fbae1576b52c8baa913561bb8a1abc4dda4af0362cd1e5c5c8895bdd24c5bbd5a41bde380c588e973715bba754455ef972ab93ca2001cf77f057d1b98b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dba6cf6f0e582812156902a061e514b7

SHA1
5efb80c3985dc6acb901357398e5ddc96a8a773e

SHA256
c2b0475690b3e59d100ba22fbf3f2a9e1a3e8901d5a15ad33412daa8c63ba9b7

SHA512
73ac80caf75b4e6ca702896c7f28ff98c95fc08aa8a32b379d7fdf9f7be9e04290e4d96288ee63f0ff89a2f13a061d560dee6995d403fa2df4239764dfadbc0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c308495355adf5143483883b199a8da

SHA1
8eedc91b677e155f752f270e70945e0c35a3cba6

SHA256
76134a4078f30757f90878a2c09607bf789856d444f8d49054c66aa033ae581b

SHA512
84151b656f8209b7709c744269affe1b56fe4a8b20ce0d3a54995b9cad43a3ccea4964f2d525343641ce295ccddc48ce27f78b4ea7a7716c7f5f694f8102e833

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3102.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3115.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit