6895c0f64fe889d881edcf9c486c0608505875bb783f49398161d4ede5920f6d

Analysis

max time kernel
117s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2396859a309913c6874eb9b61903e3c2.exe
Size

1.7MB
MD5

2396859a309913c6874eb9b61903e3c2
SHA1

499e0842fe9aec8700f489b2068a4dda70ad0af0
SHA256

6895c0f64fe889d881edcf9c486c0608505875bb783f49398161d4ede5920f6d
SHA512

68246869d9a8aff953008fd3740380d7597ddab9dd8430005bb669d4e62360aeef2521691815e66b728daea970e6edf5c3831861ac794838afe19b483cb9432b
SSDEEP

49152:6UBxSxIiRNiQnrWn9dfLYGzuTqP4HWOQin:Fy3trW9d8GzuI4N

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	2396859a309913c6874eb9b61903e3c2.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f120000000000200000000001066000000010000200000000b4e94763efa7702f2e9ae102828e623dac91956780ceb8c7bb68b5602853f0b000000000e8000000002000020000000977d748dc500ee68353d80da53034bff4ba5e90ac334bf4677bca6064384dc2120000000ffe1cffaf575f15453b136ff11104f6056f2ea5134f1b9fc099cad1a5b7938ba40000000092e767bc67ae748a476b2a1d2c3a782527b09c587a6c332a753eadef9c832867e1904a72061e6db3447b4b56a5136c434bf85e2769f481ba957de42ec907d9d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d01e54ccf53cda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F50DBF71-A8E8-11EE-880B-5628A0CAC84B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410304769"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f120000000000200000000001066000000010000200000008c1dfe7835bd1ea132123e683f8d4a6d47c04c66ed712d1630637dc025791eed000000000e80000000020000200000005ec7206d71cac287d997da48335c30d89c794d73535a9648ea8bda65e13c3be19000000022b078ae2fdf4e0089ff288cc8d718048fb5f301a1857ba8a1310fb7a3381fc6779528f9ff44922186af8c98fafd9feb762c23fedb99d00325a63bf20f99420f0e142c8cba70f6645ff1c935dfc7b6b2001f4fa965aa54acdcb93c9b27e0dcbdf251091e0210a954aa33ffe41fd72da3aa62ee114ff169263294fcd729d4a002c544c2a11af79e3c8728decc490c0df64000000055621902f5fd5691b5b077b18dbec270a7ae9aa7d78d0501db7f8825277a42adafab13f635b8281e52284625b12bd97204e92d8e27d2a1d5a74897ccb0103f68	iexplore.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2396859a309913c6874eb9b61903e3c2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2396859a309913c6874eb9b61903e3c2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2396859a309913c6874eb9b61903e3c2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: 33	2376	2396859a309913c6874eb9b61903e3c2.exe
Token: SeIncBasePriorityPrivilege	2376	2396859a309913c6874eb9b61903e3c2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1444	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
2376	2396859a309913c6874eb9b61903e3c2.exe
1444	iexplore.exe
1444	iexplore.exe
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1444	2376	2396859a309913c6874eb9b61903e3c2.exe	29
PID 2376 wrote to memory of 1444	2376	2396859a309913c6874eb9b61903e3c2.exe	29
PID 2376 wrote to memory of 1444	2376	2396859a309913c6874eb9b61903e3c2.exe	29
PID 2376 wrote to memory of 1444	2376	2396859a309913c6874eb9b61903e3c2.exe	29
PID 1444 wrote to memory of 2636	1444	iexplore.exe	30
PID 1444 wrote to memory of 2636	1444	iexplore.exe	30
PID 1444 wrote to memory of 2636	1444	iexplore.exe	30
PID 1444 wrote to memory of 2636	1444	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\2396859a309913c6874eb9b61903e3c2.exe
"C:\Users\Admin\AppData\Local\Temp\2396859a309913c6874eb9b61903e3c2.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.cfhaha.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
1545dc0de4cf3a5a8e70d4b528c2539b

SHA1
9c8040c13b0dd5290e3949d63e056afd94540dbb

SHA256
65593620983c978dce22bf9f6576d36400bd89673b62a953ddb065e426fbb458

SHA512
ae729acc6cfd8253257edc82a68e9bf922e9c3c203fb337431ecc2da766dfa4697f3e4bce992e4b454dc70556a384f588f163893014e63a55e9109f1320f2155

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec0352258107c458895e8ed61f915875

SHA1
92e638d54e9d286e4671c3ded013cb2d206aaa03

SHA256
9d1539ccb0eb41cdc0ec6e513ba535282aa0a276de0bcf5ea07f8cfa2366e2fb

SHA512
adae72528b3b2f091d85ef1ad0cc0c4c2a69229857c947819b19bb99c9ce024db034d02ae265fd039566e02feb51a7c50903b8ddf17b4aa8904e67262f89b22a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4dc4e22790cde2369562fec17483d21b

SHA1
9c5d210d2ae3dafd2dd18e2c7906e2890ed45e19

SHA256
86a9e7a4cf21db5dd7801391d98c82f134d8e2f18ea55eae9af332ef7bd22dd4

SHA512
f513006e14f66ae503c95919e91f142042122b219e3119af71853712c6fbf19dce921f8d5fda54a07a4888ee6a7a8990f7e96f247d0ef69226ea1a22e4280176

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6bf830f1c95cd4b4e8721379c9126cff

SHA1
af69a13fa86b6d45257c7789f178c44b3708bc88

SHA256
749e2135b8687e23f96b393ed843d34811bc40f4d24aa27ff47a40bd172fdc78

SHA512
2763115756f8fc716ebd4c45778bf6258a7058e238767fb77c4008a9860db88aba261332686821754da814d52c91895f6f6535cc1844e237a36917e34a792b2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0254dfdc48e99c0598dab7eb98ea4b50

SHA1
cca7b1313be6c43808f5284f6532d7d710730eab

SHA256
06a59cf7f5da3140d74efc152d57b5a6a3d0caa4a6360c7f06b41ff74f7a26e3

SHA512
87731bcf9145a554bbe92a2ac65e18151957cc09edc0e66ea18ed69effe7815eb6fa3f21bdef5ca9ee89a5caa25a7dfaa04a5acc7245cf0048b1973ebb860bf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4b2d611f1f6622e48fb23467e177b64

SHA1
e7d4d1d74ab4ce6727ee6cf212b785924152f236

SHA256
59df35660727a371a9142b677a55a441c7aa8edbb4c601cd54659ccc1c6b47a1

SHA512
36256f0351949ab9dbe8352ce96325437e1e5c53436a50baf56fb918c75adc193c23573ce76e547fcb0641a0687e6e06a2f43ae0d426c8f59e0cc6de52a3a6e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5a0115a985555dd861752d2472d2d5b

SHA1
5e84bbef198c60cdd6e675d3d35e51bca60fd31a

SHA256
fcdfeafc58b3c775ab7fb694099d27818abb392e9111820de8e0b986e5bee0d9

SHA512
334b6563103da14aeda48adfa5b3bf19b502b946da4f4a28b55ba145eaa21ec4b4c9795701eb0d9b98736963b700bd5cd33482733ffa8da6c2f4a21c60f6b84a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1db598e3e15763708cddc2a533a17236

SHA1
a99fd76a7d4780d358f582fd6586aeca9a3f527b

SHA256
0692733c0d5521f21814c8b07b31843eb3c3ce3715e8c74b60543571d76ddf49

SHA512
976f8b639bb2a6d1aec4094b1a57d8fb73e2383ee6f3e9fb551881df14ff40430a5f111ee5a72759ac6fd4aec9657adab356b23f1fd047dbe63892670904b99a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
229b1fbd6ef72b12bee24179ebc57bef

SHA1
48227f7356664d094d68ae722825f921f2700701

SHA256
dd460cd0dfb01f64ebdddafc65c59cf153e0cf0bad1543acb43f7a4b7e83b2f4

SHA512
0b5b227733520757878a1c65d66fa49b85d35453844a89309483343301d2e64f96e39b476c58ac3948f9154cbc2c40e4c4dd21f97566651fa9432bf9bf22c6b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
679c27957f57da215c75810f8fd24717

SHA1
53a9433aaa6cef1e2b7b68dd2885d86ec197b069

SHA256
1bca61a2514c3ae387bc64f2d7ded36c0239cec73afb84a32d4bc0037f4fad92

SHA512
d0aa607c1873c5abddceabe5d72658d985e2cf3cf6c253343f71a1567baaaf2b03fce2480a0257d93cfc423cd92738d5425c3de7cae38da84c0945d2766ec36f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d380a6fc4c49789fc1975e002685cbb

SHA1
ebe70845bed89b9aece58ef9d9c7c7cd8a2e062e

SHA256
8da3e8b07f501a9dcc9df9a2d952cfc744204a374fb6ae70025e5142b4664a51

SHA512
5b14928fea47ae0c03922182d378ad33a9f9597bfa6c40b213447309b40d77f79423ff78d5efc5cd9741aea277a066b25d27c748cc335bc0d80a9409a864440f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
513f5b7d0ead91d9a96cde265a0698cb

SHA1
ee3ea38fecd49759a1ca31c79c01eefd08e0b601

SHA256
3438b2211f189a4ce7b0ec1af173978c011df4299234f3a2e34ecb9c209ca607

SHA512
4a0c0e1b9a6751967cba1279fc97cb6f720f9e11a1ce5853d1343d50882374d1fa1c514833b5ea082fbf644508d9b54534d783b594260f8c1038582bea161d16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7f375a43bdfb002b67d6738558585f8

SHA1
2ddcf15b3e2a9d5bfa915c9aac219e637eb0a224

SHA256
96cfeb0c9ae6ab6a76f4d989e3f692037dccd2400b96a81fdd30dd4fb40ad75a

SHA512
f9b754685d10588ba3590cc77b6e9c27acb4d7ee7d33af8424cbb3849d646d0aae9b7b0cfd6d51563330bc2711e5f35fff4c87972093575831cb54ef22f17af2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e972b840e2db04d7e330af6de7032a30

SHA1
ed67007e1702986a4d056c31f881bc1d56e984c9

SHA256
19ea749c439699394a1826d85790643e00143542e18722e7050b06263bb81260

SHA512
a12e4a2bfbaf250fc6d4ca4bdd639a21b2f841c04e837d417e3f76d454fae8cb641d8694e37e7fb5ad3a4976193bcb9877ab4e90fc11ad682e33d1a4b1e086b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c017f6684344504330bd711609e41dd3

SHA1
669ffc1f5a74fd41476bc3222079b496ac46a755

SHA256
f3a01acf2d4045efd1b56d05c205b1af8ac28dae60a369ebe2f653f5a59020a7

SHA512
8169e8d31171ed88bece8127833c9b0406315bdae33955b6c49722f4db12442ef23fc628ce7a99acae62b96e656cca07d20e1bea5fb54cf39afc6b97ead0c2d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
81bcc09d8dd5eb76cab57d9616129a9b

SHA1
85bab31a14bd815305de1f094793aec395449cc6

SHA256
899d6edc7c3bd18c5e07ce71ce0dde9b884eec32e6dc3493d3d85a19cc3a383b

SHA512
6378cf29166a15d956fefc697de8063818d10f72776a60c5447c8d9cc7d6cfb27a3c1426010ef6f782c71828f465fde2d86fd13ac1126a92ba69b3edbf316c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2AEC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2376-78-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download
memory/2376-0-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download
memory/2376-1-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download
memory/2376-2-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/2376-76-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download
memory/2376-79-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download
memory/2376-80-0x0000000000400000-0x00000000007CF000-memory.dmp

Filesize
3.8MB

Download