462e1b1f16bc5251cd55d766ee0a7b64b2411188a7efd46ebafe525447aeba25

Analysis

max time kernel
31s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a46abcabab9104b22e321a67af421bb.exe
Size

336KB
MD5

3a46abcabab9104b22e321a67af421bb
SHA1

d5fcfe8414c4e95206fcd41c4b5da5cf28740e3c
SHA256

462e1b1f16bc5251cd55d766ee0a7b64b2411188a7efd46ebafe525447aeba25
SHA512

5c19db2858b331ec5ea5f9dca0e5ed77e14b41885ef7f6ffc61a2ee10413a25a877b61d1410d514675205b76847026924fd6a87d55c6f944036bbeea6a2925bc
SSDEEP

6144:PLbxUBoTHgtTPymnphhjzu8vg3npex+2LQKHK0hHTQKPl:PLbxvax+2LVpRPl

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	3a46abcabab9104b22e321a67af421bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Download	3a46abcabab9104b22e321a67af421bb.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	3a46abcabab9104b22e321a67af421bb.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FC28DD1-B004-11EE-8AA0-CE9B5D0C5DE4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	3a46abcabab9104b22e321a67af421bb.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe
2516	3a46abcabab9104b22e321a67af421bb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2200	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2516	3a46abcabab9104b22e321a67af421bb.exe
2200	iexplore.exe
2200	iexplore.exe
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2200	2516	3a46abcabab9104b22e321a67af421bb.exe	30
PID 2516 wrote to memory of 2200	2516	3a46abcabab9104b22e321a67af421bb.exe	30
PID 2516 wrote to memory of 2200	2516	3a46abcabab9104b22e321a67af421bb.exe	30
PID 2516 wrote to memory of 2200	2516	3a46abcabab9104b22e321a67af421bb.exe	30
PID 2200 wrote to memory of 2708	2200	iexplore.exe	28
PID 2200 wrote to memory of 2708	2200	iexplore.exe	28
PID 2200 wrote to memory of 2708	2200	iexplore.exe	28
PID 2200 wrote to memory of 2708	2200	iexplore.exe	28

C:\Users\Admin\AppData\Local\Temp\3a46abcabab9104b22e321a67af421bb.exe
"C:\Users\Admin\AppData\Local\Temp\3a46abcabab9104b22e321a67af421bb.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.videosengracados.org/ver_video.asp?video=6830
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2200

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c3bb06c2b66386c08a8a58dd8031f31

SHA1
d342b8ed0d99e03a303a723619187560270de7e7

SHA256
f204932e883a72692dbbd5a2bfea96874baa0efee4914acef9dd798faecac3d3

SHA512
b3dee218ea870212b7dbb01616e6f103a75b254ee27b17a9d791220c4034f789014bfa9f943f88dadbbe90279bdfe221a82611416a014b3b1670ac8ee9820da9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42d11a2a375ee52296155be9db4b76c1

SHA1
ff72f69114c036addfa189a4385d00ce5185b182

SHA256
81df9245e82a6d3de5fe6a3a32c57ea27bffa2d089c6b8d12069709ff14b6504

SHA512
49eaed3d010e951086add489dae7784bc25ef988693ac0a3cad1a04218446ef43ab2d04f9855eac2144d6b9c242aae1efb6a5a48dd41c5beb6337f921b88565f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11fe7ed1e9bc196b385da3ec27ed22de

SHA1
f40427ea6a57d69b038b4c95baa80aa2f389726a

SHA256
507d9eca3cd41d022ee033969eb8b5819746a29276d9eba10ab7afc6097de7d4

SHA512
9f2531c357119aa4ae0d1c1c1b5a06cae5371d667b2dc4cdcff449edcb2fbf959725787f3415260eb655072758029777aa8683b87cd44f5ad08e2ed409aa95cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c28d04f5c1a5560db1559c5ae69ce501

SHA1
f88f0d6fde8d9317707eae7dd2070c4c1d9b9d93

SHA256
02eeee4fd537672231d640e9009e9908d3a4e58eeb0c44b5682e91f9c5683d47

SHA512
96e7be82f0ed6f25f0869a4952cf3a5a97bcca16f3baf701e300f2724ae7b3a8aa9be4436ab6ef36f49a9820c7e0ac7949e0cf8d28607c8106e7f15bf30b6cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62d70c44689482652c1eb1d3d10e305c

SHA1
29523f3f61d073d8812e912e554c80770c934efc

SHA256
2f2daa6b43913e7d4fd8e03b92a6e998beb9d061dc54cbf1ffdee78cb1a4e2b0

SHA512
9b42cea5adc20aef2359ed7b6c5d51fe70b095c7c6837c4501db55c3ba25d3d7faaa8ab556a5c2eb2c46984373e5e212f4f131638babda013a7a966bffad199b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d34805b1efc2839c2f3ace8739663995

SHA1
805f82ef6d1da38f597942e49afba7d5c811b484

SHA256
c9c42b526847ccfebd83267448d72f7cae99a5655a11ed0661301d1a0712ca51

SHA512
0cf1682cc392492cec70150f85ab85542b5e9efbd05d9ecdfffbb80919d546354a269abf9ab8cef2e915b256958cc486ace928c48172de840ff92412fc410308

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ac8eaae28f5aeb2e7da4b7c961a9d34

SHA1
4c9502fdcf5bc30e9c590d0bc2573867fce949ab

SHA256
06a31175c9a301df60a8b4cb34c82973b836c3d41e880c2d420e22a113f217ea

SHA512
1636c37e6b15fb2addcaad0c7c0fbd09a09e43737a8ff1de3c117ebd13215f5be02ade2a6b79b2e04ce9a5801251cc630082cc1b0bed5e87b3283bb35b7a026a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab76A9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar76AC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2516-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2516-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download