343fae5e5bf25b278a74c8dc57d672ffd7cf5f54a3d061d651b385df2c900c7e

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06b3cbd52d502c676db8b42001d38692.exe
Size

36KB
MD5

06b3cbd52d502c676db8b42001d38692
SHA1

8446de8b07fcb8e4ec24d895fda2c2c33f5ce7d8
SHA256

343fae5e5bf25b278a74c8dc57d672ffd7cf5f54a3d061d651b385df2c900c7e
SHA512

4ba9a94a839e4c21b2317343d1df704524922d85bf1832dda2f7f1cfcff9cf11ae745de0387adef7e0e05fbd77618c2040dacae518a89943b55e9e7144e8505b
SSDEEP

384:YS4D6rHawTTpfxMaMM/NJE5NQ4b9GeQCLOl/UNZLWndnDdyEyLxr6r:g6vTpJMaMcvUNQ8tQCLOazOJsT96

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C8872041-A6E0-11EE-94C2-56B3956C75C7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 704790a4ed3ada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb80000000002000000000010660000000100002000000040b8334a0cd0e27ac0eb5cb8b1acb349046525825aedaa62b1f35e0ccb0c97ea000000000e8000000002000020000000e004e000cf0f1f6ad16e91540520fb1b2b27a22b9905af04efe9101167e23b8a900000003bfe8869d075064e7312c1a5dfdcbf89eec1e94a019a5f847fd0b5a420553a609fae0db2bb3edbc94b313e306dc0dedc60a5fb8f47e885dad184ac5159a4e8312d27172cb068d2a1aed55138e0709667eedd03d41c60e726e8106084879d5dfc5f6a670e77cf69e82dbe4ea6f5921e86c7362ea25b38acfdbf45c08321f4cca225f06f71923eedc713105e06753883e4400000008f4ab61cf694f674ad87c8c2704f5a49d2ee23faa0b5acb58d36203223a198feb92c37ea6b75b25bb1cb280e107d9989557ab3d6e7e0447fc162162593a345ea	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb800000000020000000000106600000001000020000000e029431d139d72e1fc0005a573c9c0e70cbbf10046cdd00f4ebb4cb843081ce4000000000e80000000020000200000002eba5bb7710f10d52c0c994e00680bb7077ebdb86ac9d948c8e965b743fbf63b200000006c26270115716490dc5089156e10defc2d0a39799fb8645b0eb511b72426d8b340000000e4c1ce5bcc7ea5316ed99ecc547713b58f3c0d09cb076fc2e63fad7698d21c2c5cf6613dac4730601d175072177dd4ff0b634add64ae0df9c0e7879c1deb342c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410081352"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2164	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2992	06b3cbd52d502c676db8b42001d38692.exe
2164	iexplore.exe
2164	iexplore.exe
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2808	2164	iexplore.exe	30
PID 2164 wrote to memory of 2808	2164	iexplore.exe	30
PID 2164 wrote to memory of 2808	2164	iexplore.exe	30
PID 2164 wrote to memory of 2808	2164	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\06b3cbd52d502c676db8b42001d38692.exe
"C:\Users\Admin\AppData\Local\Temp\06b3cbd52d502c676db8b42001d38692.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2164 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.Admin\prefs.js

Filesize
225B

MD5
c1ce83d6584eb85aa83c830ac48eb78f

SHA1
2d34a78e2a246e6ecbd869008f77d7a07d091eba

SHA256
60757f3f6250f5c83776578c6649082973f0691724db1e9a6daddad5ed0210d1

SHA512
f318b03cf11296124fa9ea02c28745ef674a3c759f3962ed47a459ca8d3a2c64e0ea1774463f2e046656df9975c64e1e4fe57e32e8cd24d491f0ad4fb8dbf422

Download Submit