936eeef17fd120b514fbdce3188210157668ea04c1ee03d83f56eb1a53b20de7

Analysis

max time kernel
151s
max time network
162s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

074fe9c666b0d841f07dd30861afdbee.exe
Size

33KB
MD5

074fe9c666b0d841f07dd30861afdbee
SHA1

49aa7b7e3235681f8a2375f8c83b7b3bda4c14ab
SHA256

936eeef17fd120b514fbdce3188210157668ea04c1ee03d83f56eb1a53b20de7
SHA512

371bd14e51cb12d3ef3e52331894be3ae80a631cfc9efc2d3984885fef964940063372c426169e7dce91804dc8ccedc327e22b758ee7cecbf0b3909e0062b51c
SSDEEP

768:eF1TWBQTaQDZlYmlCr7RMyZsg+t04mx7/OsWdKpZB5h6aDRdktFDGm9:yT6QllY8kdSn0Tx7/OsWdQIaDsXp9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2236	services.exe

Loads dropped DLL 64 IoCs

pid	Process
756	074fe9c666b0d841f07dd30861afdbee.exe
756	074fe9c666b0d841f07dd30861afdbee.exe
2236	services.exe
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\services.exe	074fe9c666b0d841f07dd30861afdbee.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\services.exe	074fe9c666b0d841f07dd30861afdbee.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Down.dll	services.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF6A4D21-A736-11EE-9776-EE9A2FAC8CC3} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410118263"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2844	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
2236	services.exe
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
756	074fe9c666b0d841f07dd30861afdbee.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2236	756	074fe9c666b0d841f07dd30861afdbee.exe	28
PID 756 wrote to memory of 2236	756	074fe9c666b0d841f07dd30861afdbee.exe	28
PID 756 wrote to memory of 2236	756	074fe9c666b0d841f07dd30861afdbee.exe	28
PID 756 wrote to memory of 2236	756	074fe9c666b0d841f07dd30861afdbee.exe	28
PID 2236 wrote to memory of 2844	2236	services.exe	29
PID 2236 wrote to memory of 2844	2236	services.exe	29
PID 2236 wrote to memory of 2844	2236	services.exe	29
PID 2236 wrote to memory of 2844	2236	services.exe	29
PID 2844 wrote to memory of 1372	2844	IEXPLORE.EXE	30
PID 2844 wrote to memory of 1372	2844	IEXPLORE.EXE	30
PID 2844 wrote to memory of 1372	2844	IEXPLORE.EXE	30
PID 2844 wrote to memory of 1372	2844	IEXPLORE.EXE	30

C:\Users\Admin\AppData\Local\Temp\074fe9c666b0d841f07dd30861afdbee.exe
"C:\Users\Admin\AppData\Local\Temp\074fe9c666b0d841f07dd30861afdbee.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:756
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\services.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\services.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6337da1a3db64b7275bcf0f808531fe0

SHA1
d151c3b4fb9e2ca8b52d57e9afa53c210c23f166

SHA256
37b7e0f1bd55b2ed69b76a520646e104a763a906cbcb492f51619ce6fa9b574a

SHA512
a20a3572dc459effa0cd2c8d0fd233c57c500fef24b1a6815eea9bfa7a643ddd5dd278c42bc5b2bdae57b9fbb85268124f0fae2a76a0864615babbde3904855c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d2b7f3ad985c71f745b8c1b8f521ad1

SHA1
4b03025109b732e76657024081a6ad26b4f24485

SHA256
582b838af8235baa33f8d66513c753490287053d70d21506e227b4f002737198

SHA512
90c6cf0f2199f9f7f73bbd48f06b2bfd65ec166bb0b055dad6be720207512187b7de64f1ae4d85b3bff58fda1aa42cfed27a5adc202115e880c115170ddda59c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b8659f8742b639bb934865f8973d096

SHA1
1067f3ca61c7bb68bd6f2b61a1b0bd4194580833

SHA256
fd519e81829933a74916b69483e8237b1a6fde25836d17630f620d8aa11c681f

SHA512
a986a0b7baa10b62ddd93193907ad04ae993d548fb5524a90987662a4f8296d54db323691422b1a07547d8b6cbff251a9f1b933f3267b2e594687224f632aef0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73c152c20b48ceb384d7476938cd861c

SHA1
49afc532770c530982070673cd2321c4b245340b

SHA256
d9437f32758ce2d41885383dfdf50bd91f78ab5306c55eac21293844f151cbfb

SHA512
5b3e6d8e399fbce4420b224e569fd399286274a1c725ebbbd39e849ec9ede171f563aaf5d49d67b180591718a50d325f06cf30cfb422b97629daee2fd1c7a611

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af66fa71a36f7ecbbd6e544aea164c57

SHA1
cbd80677cf3dea44d256e07e97af50fc4a85e340

SHA256
6e65bf1460c1cb9350a191b9ee3df2e93f6f7470f845d8a375db6f75f44fbf33

SHA512
8472b73704d484f4e05955032f59c5cd685f9f0e5a284bc92c0b32caf1361fa0130bccb4fd3fe67867137fb9d5471350c4cbaa1fda83213569e83436462c2e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73b632c9de1a365298ad63c9d380fd6b

SHA1
7c6e02b44fa739ef45bdc229bd3387857d07d1bb

SHA256
dfa1f4503f6d6c55983046a873040b2cc21f55d47242e4b637a90b68a3c53782

SHA512
dd29282ba1b9752ff6730e629acadb4219363f5b3e369d5234d01e800d6ece2cbb5a8f085db13c04dd43f3d5711c4ecbb651ca114d939d7de0c55ec3c207b75a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de3e6c42b268683346f4c741e92f5bae

SHA1
83cf579f18c1e67cca42c3b31a028866379c7ee6

SHA256
9ca5a91e9548da658948529312e6d5616ba1e6fd97320e54bdbd97ac46b988ad

SHA512
e47a17ed709ed7803c13dba922fc5a5c8a49d6db5a0ef3cdcca4663c2bde19905b23b5ba9148b25f591b490e9b91e257f593be43e94042998dca00bd779388ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e79812e8c9cca7b49176da368c5babf

SHA1
08a7d6866b086ec71d3f5bf448116dcefd67846d

SHA256
e01bd4a818089bfbc25a01d8005a9324d22fbddae39f5f5a93b7aa158a8b754e

SHA512
1e1c524049f29ac5400ed0c423cb3eff1f7e7c8c88f6dc0492bacec8162fe1c9494866945c476d4a0918125e8311548af7ba20ca21f9d3a0571ce8659d6fbd98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9443b575af6c7507a3c8da144bbe18e

SHA1
eb3d440901160f337b48b2f18493e135884b9b38

SHA256
1a36932a3eda03b4bf19cdf800c235a0830d53eb3d97d8cb884b8c62f3d1a172

SHA512
1c72e8b2f48e424b592b78f2bd2c322bf8a7825ab168348bbde7555ea655a17f93359c42aeab67c2a24672378fbe256c2e143d4e068eca618890be6c50e730fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8633.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8655.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Down.dll

Filesize
17KB

MD5
54219800f1c393376203f2b1ee4eda3f

SHA1
7c71f20e83f6ea7e596d88258c049a1523dbe29b

SHA256
c088f40cbcb5e2af6c537fc6b55826421f2c782b0df6619197d55e6e9bd4af6a

SHA512
b38f0bc9db445fa039c93a715c8d06eead3f84cd21847cda23d3f22c5e55bf7252d14d9e47f34401b9309f539c12ec0d7e74d46f27c05080d7ab81c0bfd5625e

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Down.dll

Filesize
12KB

MD5
ac89cd36fe3338adad4d4b63653afe61

SHA1
4966c5a115a15b50c69a93846921b94faf6819ec

SHA256
d08ea29af115535bb8515443c7c168662eb986a06343954ca96f89306c8734f1

SHA512
7afe1edecce1d2df30035e840556795c0be599f11d728efe8149c8b62b4de513b8c643b0be6ef0f5cd98ef9783464ffd58318fef11bae0bb915070076c37c960

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Down.dll

Filesize
11KB

MD5
b7903462316807d459d732539ac13040

SHA1
34493460938906730c39dae4a199bd154f66709b

SHA256
5639c41b4afba898e68f8021a6362d3f5bf90d77deced9f92409c7714f259861

SHA512
78a942524901e9335476ee3312bc9eb1d18b4a634181659d5c703a3481f4c26859cb884c834b16972a2b8ca1f8560f0395690d0e3d28ad248a461ad31b7b8dbc

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Down.dll

Filesize
7KB

MD5
99d6e699c96aac2c7b82ce2afd84eeb9

SHA1
f39b2b7a9537716f6307b9e7d30f7cdafec23704

SHA256
21d3cc0d352a00c78e3f69a7020fb600c2a6319c84075ca2cf1be9228ec6903b

SHA512
a408b8d12e27f390b04299e79c2228e583cda6fadcd237ea39e58d10de8a74bb74798c12d7951ecfd44105819ddf41d25a35aa08a6aec43223a849ad8de9d834

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\services.exe

Filesize
33KB

MD5
074fe9c666b0d841f07dd30861afdbee

SHA1
49aa7b7e3235681f8a2375f8c83b7b3bda4c14ab

SHA256
936eeef17fd120b514fbdce3188210157668ea04c1ee03d83f56eb1a53b20de7

SHA512
371bd14e51cb12d3ef3e52331894be3ae80a631cfc9efc2d3984885fef964940063372c426169e7dce91804dc8ccedc327e22b758ee7cecbf0b3909e0062b51c

Download Submit
memory/756-11-0x00000000002B0000-0x00000000002C9000-memory.dmp

Filesize
100KB

Download
memory/756-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/756-1-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/756-10-0x00000000002B0000-0x00000000002C9000-memory.dmp

Filesize
100KB

Download
memory/2236-13-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/2236-16-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2236-329-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2236-465-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/2236-170-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/2236-138-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download