07e165fbdf0b5186b48b97340d1420acfa7e4321cef461c6c676bb36819967d4

Analysis

max time kernel
16s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0947feea86fa77fa91b1723b67559ef3.exe
Size

169KB
MD5

0947feea86fa77fa91b1723b67559ef3
SHA1

31cd07c7a53beba04c14efb3f7ad6aa892846795
SHA256

07e165fbdf0b5186b48b97340d1420acfa7e4321cef461c6c676bb36819967d4
SHA512

9dcb9a1d42077e10b3d3f45d4b53113515cbf1c94f2ff1e1a7642de01fdf689f1b103b8a3644d8eb0960bcff86ff30aba78b7a50d716ab8870b29ad860158b43
SSDEEP

3072:KDE9eYao3+LX5yVYNMY7hPp/jRo00ywyRTAGMoiJm/XPrIlCuqmhVbgW4xy2yh+:n0oOLX8YD7hPp/Vo071AN+xUbD402yQ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{111EAAF1-A2DE-11EE-8A73-D2C28B9FE739} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2636	iexplore.exe
2636	iexplore.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2240	2660	0947feea86fa77fa91b1723b67559ef3.exe	16
PID 2660 wrote to memory of 2240	2660	0947feea86fa77fa91b1723b67559ef3.exe	16
PID 2660 wrote to memory of 2240	2660	0947feea86fa77fa91b1723b67559ef3.exe	16
PID 2660 wrote to memory of 2240	2660	0947feea86fa77fa91b1723b67559ef3.exe	16
PID 2660 wrote to memory of 2240	2660	0947feea86fa77fa91b1723b67559ef3.exe	16
PID 2660 wrote to memory of 2240	2660	0947feea86fa77fa91b1723b67559ef3.exe	16
PID 2660 wrote to memory of 2240	2660	0947feea86fa77fa91b1723b67559ef3.exe	16
PID 2636 wrote to memory of 2492	2636	iexplore.exe	30
PID 2636 wrote to memory of 2492	2636	iexplore.exe	30
PID 2636 wrote to memory of 2492	2636	iexplore.exe	30
PID 2636 wrote to memory of 2492	2636	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\0947feea86fa77fa91b1723b67559ef3.exe
"C:\Users\Admin\AppData\Local\Temp\0947feea86fa77fa91b1723b67559ef3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\dlped.dll",ARawDecodeInit
  2⤵
  - Loads dropped DLL
  PID:2240

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
1⤵
PID:2492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:406533 /prefetch:2
  2⤵
  PID:2768
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:537607 /prefetch:2
  2⤵
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
1KB

MD5
1f1a3b101012e27df35286ed1cf74aa6

SHA1
46f36d1c9715589e45558bd53b721e8f7f52a888

SHA256
7f0b1fe38c7502bea9c056e7a462ab9f507dd9124f84b1d4666fb7d37cf1b83c

SHA512
d6f6787de85049d884bf8906292b0df134287cc548f9f3fadd60d44545652d55c296ed50e72687f776f0bf6b131102b4bf9b33143998cb897f21427fbc8306a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
c63d56931151fc0efc33741217028dfa

SHA1
845947528904c2d19d9671d320efd9cc3679f229

SHA256
72065451cdc5ed0f10ae648f79461f3eed2bd4521eca8b54c3942cf09cf97a0a

SHA512
d7fcafffc2fc1f1c77b2716b44eb18b8d7690af77a9fe6989eb906e82d49fac187d004184ba4be901afa1057cf9d5d1b206ea901ec41a353b608487b905a9220

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53188e258fb747259f05da154341a680

SHA1
3ef5abf909ff37bbda8e859ad495adcb3e3af146

SHA256
783a22e168db53c759aa441fc67db5f381c96dfc50ea91c07d3349738288f71d

SHA512
746514f6b6db28a18b028764e5ac4a38c96b4663b6e4fb5682f7443ac47c73535e13e47b1b2ad82fadd5fa1d6f6ac67325e24c95aa27bc8cb9ab468daba880b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f48d84671660133f83c8e917dc66b81

SHA1
3fa98ea9d4c8d547089d41b898a2e59570303141

SHA256
a1e9d8cdb2e99e05a74510eeacd9fe5131e0e57f4f5e64b1a1567d87a40930ac

SHA512
a76b588f1f1ef3665a406e407ecd9d613f9f644071d058edab539e51731e3800dc1e0b2fec258c58fe686bc418d0db46026d8c7726633fb85150aeb5e84749d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b450c2475972a665431e98491011cf5e

SHA1
70f3747dce885393afa746d7cb5379fd47b7af62

SHA256
910e002921e8fb451fb8adf275e441fa6e71a2a3aa8a9213112cbbfea1915cc2

SHA512
6032537ff73dac22972a3ce214edf6d1658b10ba15572cbfdc891f9143371c2895746e85bb2d9c3fc3651ac961ba945690cc5742a4da1246d1935cf917a3eb81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3c6b5138c39cdb098cba599a5e01fea

SHA1
a5a965b07d35363708155fd7cbf43664dac30891

SHA256
e872990bbb7e6cc55a7282c2d11b7ded15eebf79e2bf5afa241ae0488cf2ff47

SHA512
911826abe66ebdb5a18d53f59992b44bc7fc923a59e4ff633b848bdc90eef5266b131c6dbfc65c5e8d47bf574396c285319a9c5b6d61a744678d9aa7c064b60d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
01021d3c82a8de62a1eaa0409a957da3

SHA1
c1de5d53265d5f596dcae3de0b6b76cb3ba54c2e

SHA256
2b2194c07c8a58217d857e2ee96ec2d03b48c84ae8f19089309c6252605b4dd8

SHA512
5ad8de2a989ec4b0a167bff0ee4267de11921ea171eca36a39cd09ca5e96de1db7308e2846b4bee961a82eeeb5163aceca45335ca8b076f7646f4abafb4ee3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5A17.tmp

Filesize
96KB

MD5
50a1fa420a3fa255cac692f90bacdfab

SHA1
c8c1b5a0ff026bdec01d619706933102dc1dacf9

SHA256
e3da2ab20b8ee23e7ba4b7c1d16ec53bcf41d7fe7ac871957b196fcbd46ebccb

SHA512
5ceb0b29691a04d259aa34f19142f392045ae0aca1d4333766b4725d75082132c6864c946a3b448d3e7f591a16b6a8c3b3435a4c6d2bd4bd52fcf34645771527

Download Submit
C:\Users\Admin\AppData\Roaming\dlped.dll

Filesize
53KB

MD5
1f7f97a5e58da7cd25451d5e5ee9c3fa

SHA1
49e34823ca74eb89d129c7cc6690c1bf1da1ac12

SHA256
24833ee9f51bef463ee13b030eefec8399d4d70b79f4e53a17a98e83aecb0805

SHA512
38887dcc1cb6575c54fde72dbca797dc4e892d4c85da945a78e4debbb46a76714558c5e9f214574a361c65686a89f9aec108610784edd31826116e50f2966ee4

Download Submit
\Users\Admin\AppData\Roaming\dlped.dll

Filesize
124KB

MD5
0ecb36ea9239fe52e7dfc7eaa21e43e9

SHA1
6ca4465e808d6919a5de17804e638778627a3d53

SHA256
fa5f714e8f9f6e1d805f277d76a834d5b8702aae630e6fe282aa713ce7420a60

SHA512
550bf6b2c77068ad6e1755bf81ac1387c436eafa8c30588c1648348a83abe23e9c0bd2226a59f09af26a06b815b7f2b67731e332028304c0b88a982f8dc9e932

Download Submit
\Users\Admin\AppData\Roaming\dlped.dll

Filesize
37KB

MD5
cbc644db62842ef542a14e9eb7e655a1

SHA1
e9ad1a477d714b395b25b035b8a25098df2c5763

SHA256
ab7d1323c8f0cff1d5dc5df403836bb4065eea319b0e297f649890c222bebc6f

SHA512
a11891bea359347232ceec6b95e0ef45f5f7f953130fd8a48e20444c1a790d726cf7c322de6854e9001ebb628299a8634667aed75eae177e10ab17c3279e9f08

Download Submit
\Users\Admin\AppData\Roaming\dlped.dll

Filesize
35KB

MD5
63a65c9dfd8a349192fec8207bfe329e

SHA1
ea1b6ace3f4d5c3229ee1358486fd266164bc60c

SHA256
6a8f91ab55d4a722e8bcf61965c1b26ac89aa8fedf2d17b88cd946cd0f4abc2c

SHA512
035079dcab1b1a8a7c2e92b280a933e7b791849fead993b80a01a3a0cf9e854a66b79f4ef9094c24e4da215ac36a4fad563ea93a8240411c5a776a6779cec611

Download Submit
\Users\Admin\AppData\Roaming\dlped.dll

Filesize
85KB

MD5
9cfb3cd9f06a434a9db095ee0a0d1408

SHA1
ba9e77abde8bff1bb7be8a71980b6121a93280fe

SHA256
b313d26bd94e15ac0dc3ea353cd5894b749741693b4391680a703df8e16f26a5

SHA512
615f7633715ea9d45e3532d1a991928ab66b1d1e11d5564f200f5cdfcc5afd05e5df22dc36f0407358f3ae59f5a1c62b8f2bf96f4196758561015172187325a6

Download Submit
\Users\Admin\AppData\Roaming\dlped.dll

Filesize
76KB

MD5
a7053694fc0fedb60de8da83bb59b180

SHA1
b6cad8696a2aa720df5c21bfdd5fa967cbd9aacc

SHA256
dc13efbad9573af9bd2f9141452c58dc23bf155d10f1bea89fa5eb969fefaf28

SHA512
b9ebc32eb97e434dee0795a8fbf4d0e9c6a440b2390482315886b71457556f49e02cc11859222e179a827fb0f4a179140d1b3dfc15730bd12eaeb80c48f193bf

Download Submit
\Users\Admin\AppData\Roaming\dlped.dll

Filesize
4KB

MD5
5106d7528ad7cf9541d01e651c9f601c

SHA1
63d21a7e3a21642b1811ce5d6676be61086f2baf

SHA256
b06042e012c9ed2826016bab48c94c7e17f14212ba388709adf70803ae5f9961

SHA512
ce696aad0904582f4bafb9c2d9e8cb943ec941e368e8e72043637ebf04bfc6fd41885808c2dbb09a28f62d68c6a0be311f04073b75125aed5ccd0635e0f997bf

Download Submit
memory/2240-15-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/2240-21-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2240-22-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/2240-16-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2660-20-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/2660-2-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/2660-1-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/2660-0-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download