be180d5c22c0e3ebd84ab5113da84778086ead4731a1c4ae42b39f1c3dc3136e

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114395e49757ade9c36b31ce01601b59.exe
Size

673KB
MD5

114395e49757ade9c36b31ce01601b59
SHA1

f03d45795717946b4d47fa121b249437eae3506a
SHA256

be180d5c22c0e3ebd84ab5113da84778086ead4731a1c4ae42b39f1c3dc3136e
SHA512

e54d19c9756d076f577ad8009382eecc67934f593aa2bb428760862cbf2ed06a525f0800b23358a401a41b6a16ca32e0905c6e6be4f3b5c8641a6c29d709acf3
SSDEEP

12288:D3H0IlCZh0NKWuxqPLioyJM7tTupnAUQj95oVn:DX0IlCZh0NKNqziktTu5ZQj95oVn

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE	114395e49757ade9c36b31ce01601b59.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	114395e49757ade9c36b31ce01601b59.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1808	114395e49757ade9c36b31ce01601b59.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	114395e49757ade9c36b31ce01601b59.exe
Token: SeTakeOwnershipPrivilege	1808	114395e49757ade9c36b31ce01601b59.exe
Token: SeRestorePrivilege	1808	114395e49757ade9c36b31ce01601b59.exe
Token: SeBackupPrivilege	1808	114395e49757ade9c36b31ce01601b59.exe
Token: SeChangeNotifyPrivilege	1808	114395e49757ade9c36b31ce01601b59.exe
Token: SeTakeOwnershipPrivilege	1808	114395e49757ade9c36b31ce01601b59.exe
Token: SeRestorePrivilege	1808	114395e49757ade9c36b31ce01601b59.exe
Token: SeBackupPrivilege	1808	114395e49757ade9c36b31ce01601b59.exe
Token: SeChangeNotifyPrivilege	1808	114395e49757ade9c36b31ce01601b59.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1808	114395e49757ade9c36b31ce01601b59.exe
1808	114395e49757ade9c36b31ce01601b59.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 372	1808	114395e49757ade9c36b31ce01601b59.exe	2
PID 1808 wrote to memory of 372	1808	114395e49757ade9c36b31ce01601b59.exe	2
PID 1808 wrote to memory of 372	1808	114395e49757ade9c36b31ce01601b59.exe	2
PID 1808 wrote to memory of 372	1808	114395e49757ade9c36b31ce01601b59.exe	2
PID 1808 wrote to memory of 372	1808	114395e49757ade9c36b31ce01601b59.exe	2
PID 1808 wrote to memory of 384	1808	114395e49757ade9c36b31ce01601b59.exe	1
PID 1808 wrote to memory of 384	1808	114395e49757ade9c36b31ce01601b59.exe	1
PID 1808 wrote to memory of 384	1808	114395e49757ade9c36b31ce01601b59.exe	1
PID 1808 wrote to memory of 384	1808	114395e49757ade9c36b31ce01601b59.exe	1
PID 1808 wrote to memory of 384	1808	114395e49757ade9c36b31ce01601b59.exe	1
PID 1808 wrote to memory of 420	1808	114395e49757ade9c36b31ce01601b59.exe	5
PID 1808 wrote to memory of 420	1808	114395e49757ade9c36b31ce01601b59.exe	5
PID 1808 wrote to memory of 420	1808	114395e49757ade9c36b31ce01601b59.exe	5
PID 1808 wrote to memory of 420	1808	114395e49757ade9c36b31ce01601b59.exe	5
PID 1808 wrote to memory of 420	1808	114395e49757ade9c36b31ce01601b59.exe	5
PID 1808 wrote to memory of 468	1808	114395e49757ade9c36b31ce01601b59.exe	7
PID 1808 wrote to memory of 468	1808	114395e49757ade9c36b31ce01601b59.exe	7
PID 1808 wrote to memory of 468	1808	114395e49757ade9c36b31ce01601b59.exe	7
PID 1808 wrote to memory of 468	1808	114395e49757ade9c36b31ce01601b59.exe	7
PID 1808 wrote to memory of 468	1808	114395e49757ade9c36b31ce01601b59.exe	7
PID 1808 wrote to memory of 476	1808	114395e49757ade9c36b31ce01601b59.exe	6
PID 1808 wrote to memory of 476	1808	114395e49757ade9c36b31ce01601b59.exe	6
PID 1808 wrote to memory of 476	1808	114395e49757ade9c36b31ce01601b59.exe	6
PID 1808 wrote to memory of 476	1808	114395e49757ade9c36b31ce01601b59.exe	6
PID 1808 wrote to memory of 476	1808	114395e49757ade9c36b31ce01601b59.exe	6
PID 1808 wrote to memory of 484	1808	114395e49757ade9c36b31ce01601b59.exe	8
PID 1808 wrote to memory of 484	1808	114395e49757ade9c36b31ce01601b59.exe	8
PID 1808 wrote to memory of 484	1808	114395e49757ade9c36b31ce01601b59.exe	8
PID 1808 wrote to memory of 484	1808	114395e49757ade9c36b31ce01601b59.exe	8
PID 1808 wrote to memory of 484	1808	114395e49757ade9c36b31ce01601b59.exe	8
PID 1808 wrote to memory of 596	1808	114395e49757ade9c36b31ce01601b59.exe	26
PID 1808 wrote to memory of 596	1808	114395e49757ade9c36b31ce01601b59.exe	26
PID 1808 wrote to memory of 596	1808	114395e49757ade9c36b31ce01601b59.exe	26
PID 1808 wrote to memory of 596	1808	114395e49757ade9c36b31ce01601b59.exe	26
PID 1808 wrote to memory of 596	1808	114395e49757ade9c36b31ce01601b59.exe	26
PID 1808 wrote to memory of 672	1808	114395e49757ade9c36b31ce01601b59.exe	25
PID 1808 wrote to memory of 672	1808	114395e49757ade9c36b31ce01601b59.exe	25
PID 1808 wrote to memory of 672	1808	114395e49757ade9c36b31ce01601b59.exe	25
PID 1808 wrote to memory of 672	1808	114395e49757ade9c36b31ce01601b59.exe	25
PID 1808 wrote to memory of 672	1808	114395e49757ade9c36b31ce01601b59.exe	25
PID 1808 wrote to memory of 748	1808	114395e49757ade9c36b31ce01601b59.exe	9
PID 1808 wrote to memory of 748	1808	114395e49757ade9c36b31ce01601b59.exe	9
PID 1808 wrote to memory of 748	1808	114395e49757ade9c36b31ce01601b59.exe	9
PID 1808 wrote to memory of 748	1808	114395e49757ade9c36b31ce01601b59.exe	9
PID 1808 wrote to memory of 748	1808	114395e49757ade9c36b31ce01601b59.exe	9
PID 1808 wrote to memory of 808	1808	114395e49757ade9c36b31ce01601b59.exe	24
PID 1808 wrote to memory of 808	1808	114395e49757ade9c36b31ce01601b59.exe	24
PID 1808 wrote to memory of 808	1808	114395e49757ade9c36b31ce01601b59.exe	24
PID 1808 wrote to memory of 808	1808	114395e49757ade9c36b31ce01601b59.exe	24
PID 1808 wrote to memory of 808	1808	114395e49757ade9c36b31ce01601b59.exe	24
PID 1808 wrote to memory of 856	1808	114395e49757ade9c36b31ce01601b59.exe	23
PID 1808 wrote to memory of 856	1808	114395e49757ade9c36b31ce01601b59.exe	23
PID 1808 wrote to memory of 856	1808	114395e49757ade9c36b31ce01601b59.exe	23
PID 1808 wrote to memory of 856	1808	114395e49757ade9c36b31ce01601b59.exe	23
PID 1808 wrote to memory of 856	1808	114395e49757ade9c36b31ce01601b59.exe	23
PID 1808 wrote to memory of 968	1808	114395e49757ade9c36b31ce01601b59.exe	22
PID 1808 wrote to memory of 968	1808	114395e49757ade9c36b31ce01601b59.exe	22
PID 1808 wrote to memory of 968	1808	114395e49757ade9c36b31ce01601b59.exe	22
PID 1808 wrote to memory of 968	1808	114395e49757ade9c36b31ce01601b59.exe	22
PID 1808 wrote to memory of 968	1808	114395e49757ade9c36b31ce01601b59.exe	22
PID 1808 wrote to memory of 276	1808	114395e49757ade9c36b31ce01601b59.exe	21
PID 1808 wrote to memory of 276	1808	114395e49757ade9c36b31ce01601b59.exe	21
PID 1808 wrote to memory of 276	1808	114395e49757ade9c36b31ce01601b59.exe	21
PID 1808 wrote to memory of 276	1808	114395e49757ade9c36b31ce01601b59.exe	21

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:476
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:468
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1020
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1032
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1600
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1120
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:276
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:856
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2516

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\114395e49757ade9c36b31ce01601b59.exe
  "C:\Users\Admin\AppData\Local\Temp\114395e49757ade9c36b31ce01601b59.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Internet Explorer\iexplore.exe

Filesize
779KB

MD5
4f9ae08cb17e527d724791d09aadbd7d

SHA1
c9229956d5ebfe24496df31778c7d4dd018eb0c1

SHA256
b82262fcaab0cc428deafb1e60c407fe73ec2cd34bf314cf07f593b6ccfce610

SHA512
092b710928f70db45d64da911f2b6a589b2cfbabc3d95a07659e113fa84f028f2694e67a3e7604a0bbe98d402e030bd21bc22198de0ff693a744f6e8a3ea0468

Download Submit
\Program Files (x86)\Internet Explorer\iexplore.exe

Filesize
787KB

MD5
68106b3e6c9653ed529131ca6161170f

SHA1
ae81ebe7336718cc59e1262617528f8a804dbc45

SHA256
85c9bcb2c1d2ba5316c4ea0eb105557632048e835f7a8e0636364d42e8e50a3d

SHA512
6db6d9150802814e38030f09715254edbb6df8f3b41abf08a03dee82846d62983b0a05d1d706a07d04f4da9ccc5fc4d9ed823262c93bb24ac14e1364d82e9d91

Download Submit
memory/1808-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1808-2-0x0000000076FEF000-0x0000000076FF0000-memory.dmp

Filesize
4KB

Download
memory/1808-1-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/1808-12-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download