94a9b2348dcaf66e2b2da811f99cb50df6765c06d080869e4c445b0ee6137070

Analysis

max time kernel
152s
max time network
173s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:29 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21bce9823b577c12a97729da023d6cfb.dll
Size

18KB
MD5

21bce9823b577c12a97729da023d6cfb
SHA1

39cc9482b777b779855bb6b60099092acf690a56
SHA256

94a9b2348dcaf66e2b2da811f99cb50df6765c06d080869e4c445b0ee6137070
SHA512

14aedc6336b37b92fb8e9f22770a1b5e00cdba365dfd27e8ba37cc3b7f9061c0a902c975e15509418c5dc85045c35e27f1c7b63af4d860d2ff0b1db8cf175433
SSDEEP

192:rrgwjWz0YbjomkHB5L7+4MYTkvTleLheknzRvg7g6jRWhSIrY3r1lXLxMRCic0bt:AwjWbkmC7DATMTzuF3r1Ft5icSA20

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C5EA4F81-A8BE-11EE-8568-DED0D00124D2} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410286663"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2752	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2700	rundll32.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2700	2884	rundll32.exe	28
PID 2884 wrote to memory of 2700	2884	rundll32.exe	28
PID 2884 wrote to memory of 2700	2884	rundll32.exe	28
PID 2884 wrote to memory of 2700	2884	rundll32.exe	28
PID 2884 wrote to memory of 2700	2884	rundll32.exe	28
PID 2884 wrote to memory of 2700	2884	rundll32.exe	28
PID 2884 wrote to memory of 2700	2884	rundll32.exe	28
PID 2700 wrote to memory of 2752	2700	rundll32.exe	29
PID 2700 wrote to memory of 2752	2700	rundll32.exe	29
PID 2700 wrote to memory of 2752	2700	rundll32.exe	29
PID 2700 wrote to memory of 2752	2700	rundll32.exe	29
PID 2752 wrote to memory of 2840	2752	IEXPLORE.EXE	30
PID 2752 wrote to memory of 2840	2752	IEXPLORE.EXE	30
PID 2752 wrote to memory of 2840	2752	IEXPLORE.EXE	30
PID 2752 wrote to memory of 2840	2752	IEXPLORE.EXE	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21bce9823b577c12a97729da023d6cfb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\21bce9823b577c12a97729da023d6cfb.dll,#1
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2840

Network

DNS

api.bing.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

api.bing.com

IN A

Response

api.bing.com

IN CNAME

api-bing-com.e-0001.e-msedge.net

api-bing-com.e-0001.e-msedge.net

IN CNAME

e-0001.e-msedge.net

e-0001.e-msedge.net

IN A

13.107.5.80
DNS

api.bing.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

api.bing.com

IN A

204.79.197.200:443

ieonline.microsoft.com

tls

IEXPLORE.EXE

1.6kB
7.9kB
16
14
204.79.197.200:443

ieonline.microsoft.com

tls

IEXPLORE.EXE

1.8kB
9.4kB
17
16
204.79.197.200:443

ieonline.microsoft.com

tls

IEXPLORE.EXE

785 B
7.9kB
9
13

8.8.8.8:53

api.bing.com

dns

IEXPLORE.EXE

116 B
134 B
2
1

DNS Request

api.bing.com

DNS Request

api.bing.com

DNS Response

13.107.5.80

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aba67fa94698f8811a7f11a14aafdbd8

SHA1
fe6ba85c917be20559c6cd99e0f5ab012312d1d4

SHA256
865c4e52c4c7abf6648e3bc211e326bc5d21a50470ed2bdd077ca20794fba9f6

SHA512
f9ff89e5c15be3b85ca2961a9642fc6a4d5c66f485641f2265d95dddd0c77fba714533d5c25654cbc8be1c5c2042b4d8192d51bf72bbdf280bc553c6f4d47b27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4ddc7a7342c2520678888d802defb08

SHA1
8cde51d9a740b7e5d7a81df35533bcd9c43f4e74

SHA256
a5e595aee64edc69a1b51a49bb0f07d000844f12d14fc9b7e20ca0232151ca49

SHA512
c4f99e4422288051df2ad776b40fb57a118d15d1380e731305feb0059318a0e6a4c44a2cbd81d2a5642412751013b2690a0583049ea95c2e8690eeb703ed65e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d8c59ea614c256cc9d897240858bf58

SHA1
47cd0fd09254bea17fa0d36957b40b0105773638

SHA256
60b2c88edf3210eafd2f9f915b359b7a7772981bfcd647f8e812ee460789a3a1

SHA512
383d39518c7581dee04f793870d8d456784fe03167069f36ea15fff96557353a57b50ea59e5ef9fc38811611767d3204559659aceff50c26082dee312cff721c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
809fef35fb1098a5d5b25a9d8706f61e

SHA1
490a0f5fd05900ec3b8d683ca774c0f3f1bd597b

SHA256
f261cb8408fcfc9c6922661d017a0994c75b4f8fb754614a330d7335cb8de871

SHA512
baba0c82bcde22e37b2d99eacdfb9e0b46de92bdffe5d8ee11b54bd7a58ab9f9b4c5f97d3b1876c1c30d6fc66d1d924039d67f37f8e4642ae45717ebc3798b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05a88224d1ba4484d5ab245c61c9a603

SHA1
82320ed95c1621456b593721f14f125f3c03b88b

SHA256
6d4e4f38d465cd2ff087d545411948fb4c9c9847998e70b582c547f00b8e61ad

SHA512
fa56b9d095bf23f11dd4ed11067415d3f73980019157913ce6bdfb8c936ed18fc0444cfcb62f426f68c154d2265a580583f913983276690ac5f956da4264ec38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53053555380e150af43b99086d9f9325

SHA1
2e5ed26bd4f12f6f81498daf970745d919262212

SHA256
65fe3d83a0d732f9b0472b892f8078fd7561dca73baf2f7e8ade1ab68f2f6434

SHA512
ff129a3158b7e8102cd80aa03bdeeee5439427ead714f1a180156c1a239b7dfa1ac60b2735988ac183b04b1a64a779bb39c28ab9f41b4436ab5b0c987b07655d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87193883cf9def92539fc21b6a2fa11d

SHA1
cca5a43777ea9d3afd3086992aab36db5a611c9b

SHA256
53999375beb8059acaeb30804c582fb58535be9bd6687b597b6aa10859d6286c

SHA512
bdff2f6f79bf65d72a36a41b7fefa101b10ab068c5a6ff1191cb597d575c1761139686c3c89d9f8de07c5f9bd4d14ab6635906f72e047c284894f917c9659d04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4d9552b96daf3acdfe8b4f33d060216

SHA1
d64d3a878b350126fd6198e41d02c0b00809d43a

SHA256
8387776200a6a68e9ab9b80f3f9d80fe584cd832ea5ed73d529e00a3b2ac3fce

SHA512
6d29f491d7f2103155fd0c62382047fca6eaf30028b7597bcc825f05e454b0abf1aa311a6520e5833d4e7ca130a4744ab66626a009958a37eba33d7055ba9364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1546c5cafff0aaa42c442323fc79a728

SHA1
d63dc416f1e92e96caae2ca20ce3d29e6f1213a8

SHA256
425b0ed47d42cf82fb08cc0d155d53bb15290c561b5802ac7d62c986a8a61ee8

SHA512
496d1d6c0be2e5f9bbb6d8fc390bc8b9e56c91fbec05cfbf2624b88fa972462589a58c8aabfb4a71d7ade5d0902eba6b3a0b3669efde818d693178a24d9d77b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5bdaa7d4d089956d9f82754d29425226

SHA1
067c27b922b07a021596d1c97b1e747a40bb6eec

SHA256
60543bd81e44b25e45c9f5e6f765a00386e6c28c28998c2a4e2549321ef3d40d

SHA512
a23d6f6685b19e30b145e2392b13596e9adf5f7032637c21f9a8b441f7e5c5b364c4c4b42b34988e5e005f67106aaf5763aa2dfd0c380eb4107f06835f98c802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
26ccd061a47001ffcb00e6ca172d14cc

SHA1
e81b2648c53827f3a10e6ec62ce0d33b376b28d7

SHA256
3fd3e3617c321ad4ca8824447072eb86c69ac8d0f7da6d77298d17e9e3c61704

SHA512
ea3af11f1ff641839549055a7af5e062e0e9ada2a7655fafa05252948c82a34193d4e72573d751f8605c50bf29a7c5cadca6c9b1507e270840c9ae74ea0a9a4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8deef99a5dbadea5b681c881eb4b8d5

SHA1
1e70f47f1d68b76c212ed541bf1278108ceb004f

SHA256
c32b36fd07b5c820cd71fff0583ea23f93f39a1c42367d07d08f201dd241e150

SHA512
b0e7ef3575680b4d4910bca6b43a87ba8d0cf9b41e3a1ccc67b2e315c129bc0e7ff619ddb76d42edff47438959b31a1b49f2a90f401ed79b9aa903c28410ec0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE43.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBE85.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2700-1-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2700-0-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download