e5c6c395352abc7f0e08b1b7cdb65c77385e2ca5fa1dd0dc8f6e23f1da0649f1

Analysis

max time kernel
122s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b4695da2b6d8d68aacf6f3490a5dc2c.exe
Size

11KB
MD5

0b4695da2b6d8d68aacf6f3490a5dc2c
SHA1

872ef7a24a54b7e5013d6e16cb58894b68fc646a
SHA256

e5c6c395352abc7f0e08b1b7cdb65c77385e2ca5fa1dd0dc8f6e23f1da0649f1
SHA512

d1ae8241a49c45812ed13ef7ca25d4a96266863c7ac09eb0075157ca18e442e66d6f85e70cd9408508256d4f83266aae950e99d85a85d3263f6e2e84f360366c
SSDEEP

192:oWc77bGOuMzeXqs6+gbVYhNR4MLOnn/IvZ4vHuZVK3FgbA+q4EJHfb7uZ:oWWbGOuoeXF6+M1wGMZrQ3FUl3EJHDCZ

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D6675001-A72A-11EE-BA54-D2016227024C} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410113165"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1664	1972	0b4695da2b6d8d68aacf6f3490a5dc2c.exe	28
PID 1972 wrote to memory of 1664	1972	0b4695da2b6d8d68aacf6f3490a5dc2c.exe	28
PID 1972 wrote to memory of 1664	1972	0b4695da2b6d8d68aacf6f3490a5dc2c.exe	28
PID 1972 wrote to memory of 1664	1972	0b4695da2b6d8d68aacf6f3490a5dc2c.exe	28
PID 1664 wrote to memory of 2552	1664	IEXPLORE.EXE	29
PID 1664 wrote to memory of 2552	1664	IEXPLORE.EXE	29
PID 1664 wrote to memory of 2552	1664	IEXPLORE.EXE	29
PID 1664 wrote to memory of 2552	1664	IEXPLORE.EXE	29
PID 1972 wrote to memory of 1664	1972	0b4695da2b6d8d68aacf6f3490a5dc2c.exe	28
PID 1972 wrote to memory of 2820	1972	0b4695da2b6d8d68aacf6f3490a5dc2c.exe	30
PID 1972 wrote to memory of 2820	1972	0b4695da2b6d8d68aacf6f3490a5dc2c.exe	30
PID 1972 wrote to memory of 2820	1972	0b4695da2b6d8d68aacf6f3490a5dc2c.exe	30
PID 1972 wrote to memory of 2820	1972	0b4695da2b6d8d68aacf6f3490a5dc2c.exe	30
PID 1664 wrote to memory of 2852	1664	IEXPLORE.EXE	31
PID 1664 wrote to memory of 2852	1664	IEXPLORE.EXE	31
PID 1664 wrote to memory of 2852	1664	IEXPLORE.EXE	31
PID 1664 wrote to memory of 2852	1664	IEXPLORE.EXE	31
PID 1972 wrote to memory of 1664	1972	0b4695da2b6d8d68aacf6f3490a5dc2c.exe	28

C:\Users\Admin\AppData\Local\Temp\0b4695da2b6d8d68aacf6f3490a5dc2c.exe
"C:\Users\Admin\AppData\Local\Temp\0b4695da2b6d8d68aacf6f3490a5dc2c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:209930 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2852
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02b7104ffce3fc3dc70a7ccd9fefdce2

SHA1
2642e1986af3de0ea1a72a9aa149ccadd899434d

SHA256
c4930e1fc92507c053de9ecb0b0d6f51ee194dc35564f2d2b7a8b8da8d6fc142

SHA512
e0fa31feebe332d4291d42029b36fd9a364d266e420329686b1256ff4a2c92338bb28c3ec2cd4b212f424ec4298f944886eeb2a9963bd5a646435124b9e74b97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e517eae32af26e0a6fc90b3d39fc5aa

SHA1
bcd76cf1764447d0de0fd09ef4e194ff6902d838

SHA256
9d0ff1d142fa2ef518097d78bb8f507f4edd18c793b9c64da6cc2678e1ea210f

SHA512
a49d0378c57de3ce28773344d4026051a2a77d5430381e9dde821add0156ccc208c98967a7975d6f431365bf5319e68ee7447b0fb0f70ee50d612b90c2133d6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38431134d1eaf72b45fbf7b14b5e0b00

SHA1
e273e4cafa49b863408c7fb7a4bb66c60c9629d9

SHA256
dfd52dbc795a27ea5ef44753b255617a07853d70d4f7f91d34dd15549a2cff7b

SHA512
903fa43dca3ff9b26ff2f658fe9e26310c3d69749fbeac2b6893a7074aac2cf183d8bb95fa6439bbfabce7d13756da2da40d45968cc08c67371091d2c9b2db07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fa1af580386d01ad139dbeac72d4b9e

SHA1
75490c43ff58c9b158403501aca3d3958e2a1f03

SHA256
d0c5f8e55e1a8bdae24b31463f56b76c844b4430fc355cfb65b04a06f9a43274

SHA512
48df74df3e74729b359ca3e0b6f3d7922dd9ff05a8d6516dd4823f711e7e0d0cad2ee56ddd384c3f5979471eb05a334c00e3ce307382761a70392de764a40044

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
75acf096a3ecae95b818f3b97533ccaa

SHA1
5c831925762d4ca8719271b38954e537792346e3

SHA256
961b57216cfda3953d523671a62b4d4de6a7c117491d84ef48f9d244482f0f41

SHA512
8bf6d5580e0f3cf670dba65a1503e55b13f24dc5269fe9f043cf7ee70584bd5f5d0133c6a1e1eb6eacd6e1681c952986972d54a7464a5a6123fd71e5427bbf0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4bb441ec87055d22e171279c05100579

SHA1
9882b360ef790b1e163fdc88d15720d6ee7ae4de

SHA256
80b9724cbe137f8ef1b37cac386c18d75e02b2d89c71acc72ae06e8a289676a1

SHA512
920070c293024e25333a5716fc3343bcdfedc275c127182f91fac92c7637be7f5f7ae54f4cff09c7048e3ca4d864c2d1e702a23c2960b2a103e9182460bec3f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4475f504190a2c7ec83685a0aa9cbd9e

SHA1
a366fa9885ffe735247167bc4b3d635a3a3528da

SHA256
5c142cb3e2be7d7b2c84ce2a3c0e57d15135d04a096dc69d7acf3d392bd21e9f

SHA512
56231ee57965c772f9f715857b197f9f43720f63bc56517c91ecebd352451d2ae936b6feb0366b50c4bb2ce4ebae8ccaf862c1b9370760a70bc852b183d1b2bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d851ea981673b23a5e1b80b88050d56

SHA1
0d8a6f17ff6248cd1a0bbc14e5d363d9567c8cf1

SHA256
4731e5c81393a39eb1b88f1e6138d3608c825abf15d6748e78e5472dcd70bb57

SHA512
d6c330ee75507a66e748b976449c1e3e2b32ba9b8e5a230ea7f5ae66d658ac9a80197c7cf6102c38df22148570423c38b59b4e00d22c2e06c3cc6b6e2aade874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27715f323cc69b749a4569a406d4eb0b

SHA1
ca05bb3331813067c956d998c386412cdea75330

SHA256
9ebdc5652bd7b3154f9ce6efa7d13f997891b93f2f09398e28160122a5f808b7

SHA512
369cd43485dbed1051c9a6eaead42a9247fe441d266c8ced366ba5080a06829f701479302f8ec194f4a3713f2672716dbd75247c6b24bf4700fb59cfeb2700d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96a633330eeb58308fdf4c15a152d632

SHA1
539fb1f997369dc089bc94c3bede59c44e1f4936

SHA256
fb7fdff8f0a05ffdc6dfbb7521abb1613701c7e7bad6238971720ed8c18fd305

SHA512
818f73afd90ac7ba1746c7348247e6f89507e1003c2680cb5221112c8ed7760093fbd0eb0615aa6f9c8991d939485cee7bc4d41d1d02bcbc985a7a04fa6c3f1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7dff2662c0be3062bbe4477401f2649d

SHA1
e4ce6be51cb4e7059d9d6b180ad35afd054011b2

SHA256
72bf13a0ad7d17cb0805e4e5c3eba9f883ca6cbbce68e443a3b6730a1ccd0d1f

SHA512
9c188f502fbc8e257d6f59284be7c2d3c7304ab1035b914a37e91245d80d671583ec2d9a249ffbb01a7400a31aea932645dcb511155c87b8bc60be34dac3ce97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ef7efa30f6186950a81b0db3efc4cbf

SHA1
e64596e087163bd3ddef6d289a2705c0f51199b2

SHA256
c435088fb4881fdf49d80575019ba1be7e1081471cf8d9236337d90ce8ea950c

SHA512
239a12eb8d4b97cb9bd00cb0e2211e9d6aefd6d98ec78afd05274afaeefa72e1f866c7b359c36c51a393e6fe4487b42f6213d2088207c5c8837623d322de7e95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fef10932ce5c2cfb960ab182f886a5e

SHA1
ce42e51412daa1a3df45d6d38e43be8f9456ae3a

SHA256
a57ee61fbc0f10ac97ab151841cacf1258b6b86d969ae5611ddff817a1fac123

SHA512
14ede638cfb394f7c6f4004fd4f5cfc820c8a8d7344e62a6cfacafc1f9bad21b6bf756231fa3cd692c94722f47a360772656f7f39dda256537b5cf569b6d906c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29fe8841c55af1fdf47004419dbed314

SHA1
8765227abdb18bb6abd8dcc405834f604b3d36f4

SHA256
d478f7e761a4dab267a7a3bcabae235962dc95ee3e5ab48a2d779c0194adef66

SHA512
9c8aeff1b3efbbfb50dcdd4d50a6eb546801fc20579b525aa8479544a4e6c9e9b5af39a0b11466af97df3bc8c883e3d99fda3040eece7f8f8eb7833f25f705d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8046497a691073aa232295d5ccf4c108

SHA1
f095dced90e06eba4a1086f5b4e5416501dd4adb

SHA256
97752ca5d152b150f8bc299321238c8ea4271795c7b1bd24781aff375eae87d9

SHA512
42f7b8c2cce3061e6f47d95e9dd0d6c52938fdaed28c401bb606d8284ca58cf11a546e33b7016f5c81da4456923d115fdcfceb058715f974fd072621c7a1bbc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
972c6c83a25542af6672e002e0c73954

SHA1
4479e306582ccf292538652d50c7deef17618c33

SHA256
291f1559549e56d60988f3034a154d4ccceffb3e19b6f182962d7be03f09a5d2

SHA512
2311ad0be7c03d49bc9d72c41c297e526f1ce47b9b83c3777040f7660dd0e965545fcf2786fa8334d608611693cafdacc89a53b84f132bae3a3852ff367b711a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA0C5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA164.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1972-1-0x0000000013140000-0x0000000013152000-memory.dmp

Filesize
72KB

Download
memory/1972-0-0x0000000013140000-0x0000000013152000-memory.dmp

Filesize
72KB

Download