dbadca772d4ac5aa53d6ac9fbdd08e1b784baaa165f8891de75990756b3a9429

Analysis

max time kernel
119s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e76c0313f13772ee87ac526409f7c43.exe
Size

163KB
MD5

1e76c0313f13772ee87ac526409f7c43
SHA1

09dc10a8153353eda7096f2cf53a9d0684e87272
SHA256

dbadca772d4ac5aa53d6ac9fbdd08e1b784baaa165f8891de75990756b3a9429
SHA512

6dac8d7e54e541cd9c9eeb101624d81088b70db956cfcdaed264b26b02b3b6348621737d6ebb264895f029b5d9b46fa10e5ee8ebb29ff3c2827443aeb859baec
SSDEEP

3072:QZhR3The8f8Rs5Kp/EfdizDMpT5+EDubZ1KTE2RpxaNwUcWu82lg:QZdp0Rs5K4izmiWE2zwNwcL

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\twain32.exe"	1e76c0313f13772ee87ac526409f7c43.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twain32.exe	1e76c0313f13772ee87ac526409f7c43.exe
File created	C:\Windows\twain32.exe	1e76c0313f13772ee87ac526409f7c43.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8C5EAE1-A307-11EE-9735-D2016227024C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409658329"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2068	1e76c0313f13772ee87ac526409f7c43.exe
2068	1e76c0313f13772ee87ac526409f7c43.exe
2068	1e76c0313f13772ee87ac526409f7c43.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2312	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2312	iexplore.exe
2312	iexplore.exe
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2312	2068	1e76c0313f13772ee87ac526409f7c43.exe	28
PID 2068 wrote to memory of 2312	2068	1e76c0313f13772ee87ac526409f7c43.exe	28
PID 2068 wrote to memory of 2312	2068	1e76c0313f13772ee87ac526409f7c43.exe	28
PID 2068 wrote to memory of 2312	2068	1e76c0313f13772ee87ac526409f7c43.exe	28
PID 2312 wrote to memory of 2804	2312	iexplore.exe	29
PID 2312 wrote to memory of 2804	2312	iexplore.exe	29
PID 2312 wrote to memory of 2804	2312	iexplore.exe	29
PID 2312 wrote to memory of 2804	2312	iexplore.exe	29
PID 2068 wrote to memory of 2804	2068	1e76c0313f13772ee87ac526409f7c43.exe	29

C:\Users\Admin\AppData\Local\Temp\1e76c0313f13772ee87ac526409f7c43.exe
"C:\Users\Admin\AppData\Local\Temp\1e76c0313f13772ee87ac526409f7c43.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
343348c1ab9ae1093288bd8486cae444

SHA1
7fa92373d88224a36039ace188fd620575fec614

SHA256
7b51500f7ad0179516ca6a7f8dda9a9cbe6408dda4e5bf2e3d2e4bf6f4c62e70

SHA512
941b77e531217d064f1e16e9fffd0fa02592738424bf9b8121714f560067602ff5112e720948e3caee0af4bb538cc3820afc6ec72b986f4774c8c2f8b5ea77e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d61a09e8fdda6136076c8627344102e4

SHA1
68f9c2e72efe7c804102fc64b81b5111351a4e14

SHA256
0e7dd92eca51546ca6ce00c7fecedb82bfe758785cfa4cfbef7ad3f295830c22

SHA512
f48e8639218e08407b428c571e010fc6433cae171b33e8ba033fa6ce361243367c308e093ef809ac96dacf8bd411d7de9c69aa73ec711d5ed05a5cf6aa090fcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08751c063cd4dc77a20c0e1f694eb916

SHA1
f72d89cf81c694f3582a051480cf11b128120659

SHA256
52c361e8991e250838ba6bf39fd794d8def8087aa4f19df95895af735747244b

SHA512
d351889926258bfe4aab50baa225bc11eb9b09b1cc04677e5f01adf6fe6f94fcaf0aa5152f1ed596f80c8b5308d52bb266f41f784641eb766d794534f166dc36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0463dc955d4360b00f7dc5b6e8261a56

SHA1
01150da52b302ac5ccdae4ea8194263260e107f9

SHA256
3261c2a041d7a93587983733b82e69915e15f0e254183850a8f26e4f16e1b313

SHA512
986189ac848bb587e21fee333329a0f8e4dff6596b9b391813f41a0ed666736fde3cc60121b21e57695bf79e9598e2e6855a8e66b937bae9839d11c217466221

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c119b64579e4bca61644ac22bc2da93

SHA1
175e0fde65c24aa4f0882f04220f4fbdb8349545

SHA256
0fb96329e0f643a1d767cc98d6cfcfc3b8659adc6903dbdff79d0e4e16bc16bb

SHA512
c1defd482e5590c118eb9ad4547cbd3195559477cf5efdf72a7a0367c6649f79086a4cc245ee663a6b29ad400daac204685f99b3934a45d7445453cb9366b52c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a83cfb3a1e1d02795023b6424a3eedd

SHA1
14f2cd6230d92ff34f5f3cc514052d025665e008

SHA256
8661c0d08493672b674887bcbd7219581bf2707464cf4e74aa6584ab6a05f3e8

SHA512
19279047441a1cfce38c63cf58ae7561cfcbb229665c55961a0e54499dee7db25fd462b34a95d07124a1b6cc512218c9c03faf16e42c6b689ff51c86120887ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d0da18b3678d8cb39ef02787f28a8f9

SHA1
1ec8aa504c704e220f48c0cbe9bef73800a85fec

SHA256
993ce206ad6e5647e28a0a6d77b4881e00884faed58d73c74eee35bb7c1b8b68

SHA512
87895d90ef15fa7f90fc33b99a055e25140bc702998399f578a7f94032d26a5988c44c6df2c693aab1e2c06a220452b5084cc28ee8caeb73dbdbbe217617e67b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b6811c1c27bade770a448791430c68f

SHA1
6867a20c5e6164a20fa41ecb25aff5c337324006

SHA256
00f072456c3c22f5fb8e22e99e500d77e6d6109534afb792f2df7e39f72ca8af

SHA512
efddebf04be1ae4dfe5fe189a3853e9aa35470c745b2747b6942a0dfc81b26d1f7380ab705127b7d338e79f68c34606758c585a278929b51c27ebff8179e8c4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93a3dc5bbdb42c555b799e3f86bcb77d

SHA1
d1cf1ed4da0e0cd02a969365f5580a8eed3fab20

SHA256
7547832b53ba2ba805c416ea30a75873fb816feacf9a3ceee5c3cc9ea64bfb31

SHA512
bd0be2e1ef441035a48ff6381926cf6ced0c7f7364dbd622c4366f1e274a429b1036a62b253b87027eaf78010b6332185cbb65ddc62def35276e3a66d3085cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aea3ddb213076e7938100af5cf72e265

SHA1
e322aa4c2230877dce7faab741f156a11e896842

SHA256
ea79767cd9014f31d6963c9f000f04483cbbd18109430715e311181e98e7051d

SHA512
20fbe461aa8734ab746505f11fb7e84ddacced9850bd69b2a9826c322701af71387bd2deb2c805fe9e7de793d5e6465d1cde75cd98004783cba4b37422718060

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79c893eac4453d70c3a9f8c96ac69bbc

SHA1
b55466937d629898f84c8594aef778aeda6df368

SHA256
359c288f9d11efbe1f8d6446320ae131f066d59a1124be433d9a100fdf842f7b

SHA512
55d840bdb8b6ab16363f722a47bc730bc5cd6386a0b40ccb586b1f53bc66397b4af89a7ec7f4cb2236eb55f927cd746608f4cdafc8cf112913c0c1806b27012f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d31c477e6e97c029250ea0ab26c3c05

SHA1
b52dea20e3ba1755efd9e62756866f9ef94585d7

SHA256
a808cff96a8e53ac9b5e90e1728fa6000c97d055a39f18b8e15b2d2e7fbabdd9

SHA512
c37edf7bfc0bb255a276c924e943b9307d9927ad57c119f607ac56f90ddbddf8e24a61f2fd002bb1592f0386b703ebd5291133518b66eb69e8b6e385e25a951b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94b541e87260c48923c3634cc155f105

SHA1
cc4df3446bb8850fc9f03c7698b14bfb14f0ea7d

SHA256
5514230173e435166c511bbe5fffae7097883fda656fc6884a479ee201f82061

SHA512
c59eb2b2772f15518cca7009612ce7f09d20d304992ea24615dd5fc8b1ac33100708c7547c7c0f427d199bdbb33aa0c69e2baa75a7271366a57054bd15163508

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ecc087b3edd302069b4af7219334d3a

SHA1
3738aa65620bf9c22b3d388eb18175856bff56d8

SHA256
f628308ec2e3d994949d168af97234a3613b737f2e2acba7b048ffe151e51acb

SHA512
da553591d0f40eba5e6b17b4faca3c2381e668043ecb532b69e750e2a08aa0783deecc8f1ecbe05e26fa0426bb1038caaab7b7fe9e0836ec33eb9345b946fa47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8130439b9b4687679d4a9f3f1cc19d85

SHA1
0a8ebe625007eb891ce13255d981f3281172b977

SHA256
ce3ccf32a25f2206e68f545e6496478708078283319597ea3abea855286f6cae

SHA512
61e72a05e02210a420925623e11b594911a9e7ad3c5cec8c2b5da6505c3bf2a2e45aec7ca63b159d070af0ab508545e9aa8ac223666102207631ee8065b79e43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
711d1704fc91f1033865546d69926ab6

SHA1
6d5c239479d3a59114170329eb3b0202028f5b13

SHA256
b14560adcf0637de0337318e5c2e4757ca6117f86120df95ffe75cc1827f370d

SHA512
c0b808761c8f51d1767dbeab6636daf1a4722018b20267ae52e509e01375acbe8131012fd3e5fa749482b7053138f2c612d295de41ddac63c07745caebc121a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab93F9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar946B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2068-5-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2068-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2068-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2068-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2068-4-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download