39d3c6cb8f66539704687d7426e0af6c7ecb16a2598bf5e44ee2c3ef17f35b0d

Analysis

max time kernel
18s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 05:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ada53d6c5e6061c497250fb1669f017.exe
Size

361KB
MD5

2ada53d6c5e6061c497250fb1669f017
SHA1

a77ca0274a50ede8d1bb537923eedc6d1cc5ef7f
SHA256

39d3c6cb8f66539704687d7426e0af6c7ecb16a2598bf5e44ee2c3ef17f35b0d
SHA512

48474344681dea35294f5c1e7a0e4227a79059710e30cfc96a9ac80ce3ce5a6da836c35462cb89e2304fcc9648b0e584213d3d90ccf1ddf417de80c6e4ca7057
SSDEEP

6144:UflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:UflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1912	uomgeytrljdyvqoi.exe

Loads dropped DLL 8 IoCs

pid	Process
2508	2ada53d6c5e6061c497250fb1669f017.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2612	1912	WerFault.exe	30

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{43385281-ABF2-11EE-B432-EEC5CD00071E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
2508	2ada53d6c5e6061c497250fb1669f017.exe
1912	uomgeytrljdyvqoi.exe
1912	uomgeytrljdyvqoi.exe
1912	uomgeytrljdyvqoi.exe
1912	uomgeytrljdyvqoi.exe
1912	uomgeytrljdyvqoi.exe
1912	uomgeytrljdyvqoi.exe
1912	uomgeytrljdyvqoi.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2080	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2080	iexplore.exe
2080	iexplore.exe
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1912	2508	2ada53d6c5e6061c497250fb1669f017.exe	30
PID 2508 wrote to memory of 1912	2508	2ada53d6c5e6061c497250fb1669f017.exe	30
PID 2508 wrote to memory of 1912	2508	2ada53d6c5e6061c497250fb1669f017.exe	30
PID 2508 wrote to memory of 1912	2508	2ada53d6c5e6061c497250fb1669f017.exe	30
PID 2508 wrote to memory of 2080	2508	2ada53d6c5e6061c497250fb1669f017.exe	28
PID 2508 wrote to memory of 2080	2508	2ada53d6c5e6061c497250fb1669f017.exe	28
PID 2508 wrote to memory of 2080	2508	2ada53d6c5e6061c497250fb1669f017.exe	28
PID 2508 wrote to memory of 2080	2508	2ada53d6c5e6061c497250fb1669f017.exe	28
PID 2080 wrote to memory of 2716	2080	iexplore.exe	29
PID 2080 wrote to memory of 2716	2080	iexplore.exe	29
PID 2080 wrote to memory of 2716	2080	iexplore.exe	29
PID 2080 wrote to memory of 2716	2080	iexplore.exe	29
PID 1912 wrote to memory of 2612	1912	uomgeytrljdyvqoi.exe	32
PID 1912 wrote to memory of 2612	1912	uomgeytrljdyvqoi.exe	32
PID 1912 wrote to memory of 2612	1912	uomgeytrljdyvqoi.exe	32
PID 1912 wrote to memory of 2612	1912	uomgeytrljdyvqoi.exe	32

C:\Users\Admin\AppData\Local\Temp\2ada53d6c5e6061c497250fb1669f017.exe
"C:\Users\Admin\AppData\Local\Temp\2ada53d6c5e6061c497250fb1669f017.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2716
- C:\Temp\uomgeytrljdyvqoi.exe
  C:\Temp\uomgeytrljdyvqoi.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 192
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f12313c18136bd740ffb8568e8ae1ad3

SHA1
c440964dfaf36e607f74e0d9a842054d7ca81427

SHA256
ad2436d5c5f8eec277415d5223c6ae5e1d4dcd2aaa5d58a2c96c6f258ef75de5

SHA512
cb10a716df06177ab9f73650ae37deaebf5cc8f96d4360ca996ba3fbabfb9bc46126a8f2986f756d881a10715112d0fbc789855f035515765dafa2780638ec8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9b48eea81ab78c93cfee6a33ba8cb04

SHA1
f210bbf1fde97603e609af8d017e771b118854d2

SHA256
452dfec0ac55ed349cb9d0c6c767b413d52ea188a32bbf90bff1e9c06dec9214

SHA512
30a9876776d71d3e992be4690912030031301bd028ed9d611b61eb71d5ffa6fd08646e6952fd418b06586fe07eb1af76a0dba8f1b45380b122cf01a29ef337e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
683f3df8c33d647fda19d6a5db1d0148

SHA1
d29a17e69ed47ab4585cd9197c85e757a4e4ecd0

SHA256
aa3287d94f2f3bb7e243c54166166d8a1d5b330a72f2f72e5effc96687fc66d7

SHA512
fc4f92919393eee03d8929b56fb188c32d5276c334911636da09546f97d0a14291a447783d504499977cbcfbd35c58c55452241d567e9c3aecb3a9258ad744f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d083d73ea3c75cb1d2b5385b7dd04ed3

SHA1
73e3450c26244adcaf939878e64c07697b7a91ec

SHA256
81d05fbd3bb80e09dcc4793192f88dd01eed06013182aea2fc6551f82cfb276a

SHA512
7f8a25345637cb40f672954e8709866cfaf2844a54a71d262b4cf2839e5d5974870df03199c42e30c48fe7854c330283826a57228d3b774a02733795b3b16951

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54bf4597619b232cf0903d6edabf4e6c

SHA1
6d5f8778792d806bb33ddefd0546099f827e52b8

SHA256
5af332692b45278652eb13ada288d82a3f3e4ebb94c6423dde2943e0c33969b8

SHA512
5971b111a9ebb8db7639ca0cff538fcbcef98b52866108199b7a5f99bb5ffc566c3f18e13698afd5fdcaed4979931ac354a6d592c01453be4516ff067a369ad3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99a6ff2e6611168b2efe44551a48cda5

SHA1
160a70bcd401dc3b8460560c43f40675ba8ba1f4

SHA256
787b3f9153c4e918d828e55a19b54f7b78439909fb0900a66a28e682f6601254

SHA512
2efa9c07997a1ebf093ad39726161a20c6380c81d03458cb7ab480cf0619e17047c1ac4365749b81b732e4fb06a12cc10a01e8d12bc893c63d4bb4a91ba2ab0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fd6e673b13a40a062039c0d72bb4efe6

SHA1
a3671c1dc841392c610217e32010a2b28d864c89

SHA256
ec933a5a6a9890879b4ca6b18ddad569ee593c20e84142615dec43149917e2d6

SHA512
8f5a75142f47bf953035b65fe15bd0b9308ade3d0961d05b5342af1b0c36da82474956af498cf9331e36dc1c69f6b3d02f76c1fec1c8a151be497fccc6814042

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4405.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4428.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit