50bbff0490e96dc349f5391b41beee8372f92e203212112116e288db73856fc2

Analysis

max time kernel
141s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

443acf9ad8b88c741f1ec9ee757a153e.exe
Size

2.0MB
MD5

443acf9ad8b88c741f1ec9ee757a153e
SHA1

dbc3d386427db8697a9d670d692354f16d4d3522
SHA256

50bbff0490e96dc349f5391b41beee8372f92e203212112116e288db73856fc2
SHA512

7df954c9b5abf1b7ecf8c53aae09748dfc8a6248ef83d1aed64f6de75c17864216d481546ece74b5c562a9992410e1851b3aa55db0198c470c8b20fef6eb11ef
SSDEEP

49152:+mFu6m1zkA6u2n1icUmYeEJgc6vZP//4l0X:LPmX0i3mkPKZX/4

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	443acf9ad8b88c741f1ec9ee757a153e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	443acf9ad8b88c741f1ec9ee757a153e.exe

Loads dropped DLL 4 IoCs

pid	Process
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	443acf9ad8b88c741f1ec9ee757a153e.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D17A593-5004-E1B0-B315-9E007341E09F}	443acf9ad8b88c741f1ec9ee757a153e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D17A593-5004-E1B0-B315-9E007341E09F}\ = "Background Intelligent Transfer Control Class 2.5"	443acf9ad8b88c741f1ec9ee757a153e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D17A593-5004-E1B0-B315-9E007341E09F}\AppID = "{69AD4AEE-51BE-439b-A92C-86AE490E8B30}"	443acf9ad8b88c741f1ec9ee757a153e.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	1320	443acf9ad8b88c741f1ec9ee757a153e.exe
Token: SeIncBasePriorityPrivilege	1320	443acf9ad8b88c741f1ec9ee757a153e.exe
Token: 33	1320	443acf9ad8b88c741f1ec9ee757a153e.exe
Token: SeIncBasePriorityPrivilege	1320	443acf9ad8b88c741f1ec9ee757a153e.exe
Token: SeDebugPrivilege	1320	443acf9ad8b88c741f1ec9ee757a153e.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe
1320	443acf9ad8b88c741f1ec9ee757a153e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1320	2656	443acf9ad8b88c741f1ec9ee757a153e.exe	28
PID 2656 wrote to memory of 1320	2656	443acf9ad8b88c741f1ec9ee757a153e.exe	28
PID 2656 wrote to memory of 1320	2656	443acf9ad8b88c741f1ec9ee757a153e.exe	28
PID 2656 wrote to memory of 1320	2656	443acf9ad8b88c741f1ec9ee757a153e.exe	28
PID 2656 wrote to memory of 1320	2656	443acf9ad8b88c741f1ec9ee757a153e.exe	28
PID 2656 wrote to memory of 1320	2656	443acf9ad8b88c741f1ec9ee757a153e.exe	28

C:\Users\Admin\AppData\Local\Temp\443acf9ad8b88c741f1ec9ee757a153e.exe
"C:\Users\Admin\AppData\Local\Temp\443acf9ad8b88c741f1ec9ee757a153e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\443acf9ad8b88c741f1ec9ee757a153e.exe
  "C:\Users\Admin\AppData\Local\Temp\443acf9ad8b88c741f1ec9ee757a153e.exe"
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E_4\HtmlView.fne

Filesize
224KB

MD5
59f0a258fa01bce2a69d263bea890e40

SHA1
b12b47e9c7ea859967ed75facdce4b54f9911a41

SHA256
0352856a5f8645f90857baee3d6310e88215f6489b2641b2682ee6cde3b2d4e2

SHA512
588ac395416b3fca6580f5de872b49aa81a21f97ff482eae286072f4bffeeef332170a27fa866b4a425dffdf0f107d659637eaeda5035d8e8458e6d800c11ae3

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\cncnv.fne

Filesize
236KB

MD5
b98981b350e5c583844cfa0bfff2837f

SHA1
64f98c5b2f1b6cde7fb0773af2d5e271773178a3

SHA256
97e0f74137402c896987b3c0e354792ff338a913a47fc43144f48649e1df0008

SHA512
6015ed883babc873274d3c26a74d93d29d98eff4bac90786780e73579555ffcb42a2ae3afe0090f649e80042b77826efcbffce0c1e8e0e9064b92683a583e025

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\iext2.fne

Filesize
472KB

MD5
2d9632ce0389eef75cfdaa1ae0abbec0

SHA1
60972b4e47e3be0520215d454fed7bb33906e36d

SHA256
0ffe314fc3d6fe6b5111195a4cd4df1da7e47b1463bb503331d79beb0557dd3f

SHA512
83a29d6c0bcccc602e3eb34919ad59a35d022d48e5a921c7caca7a437dad15f215efe214cd4cf50c2147265605f20e8e0b0d41d4d7a5ff2504d52fb400e6fe96

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
e9a17293fcd7febc44fbfd4d9e3ebb00

SHA1
437666a318d95635edaad29ba3e33411445c9847

SHA256
7a339e0b50ce189beb3653fb972aad5539e3cd76f688951f64f8bbbaf6b95c37

SHA512
93b2e96d3b923ee5da9b5e81591dab84f5448c7f0180366a397a30e3f52cf544396426b3eb158eab21f3868d3ec88a604f4bad3d75fc08854b60aeb46250e65e

Download Submit
memory/1320-10-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download
memory/1320-31-0x0000000001FA0000-0x0000000001FDB000-memory.dmp

Filesize
236KB

Download
memory/1320-88-0x0000000001F30000-0x0000000001F94000-memory.dmp

Filesize
400KB

Download
memory/1320-11-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download
memory/1320-12-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download
memory/1320-13-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download
memory/1320-14-0x0000000001F30000-0x0000000001F94000-memory.dmp

Filesize
400KB

Download
memory/1320-3-0x0000000001F30000-0x0000000001F94000-memory.dmp

Filesize
400KB

Download
memory/1320-26-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download
memory/1320-27-0x0000000001F30000-0x0000000001F94000-memory.dmp

Filesize
400KB

Download
memory/1320-4-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download
memory/1320-9-0x0000000001F30000-0x0000000001F94000-memory.dmp

Filesize
400KB

Download
memory/1320-2-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download
memory/1320-36-0x0000000004110000-0x0000000004196000-memory.dmp

Filesize
536KB

Download
memory/1320-47-0x0000000006010000-0x0000000006027000-memory.dmp

Filesize
92KB

Download
memory/1320-41-0x0000000002530000-0x000000000256C000-memory.dmp

Filesize
240KB

Download
memory/1320-43-0x00000000055E0000-0x00000000059F2000-memory.dmp

Filesize
4.1MB

Download
memory/1320-44-0x0000000005F70000-0x0000000005F87000-memory.dmp

Filesize
92KB

Download
memory/1320-45-0x0000000005F90000-0x0000000005FCA000-memory.dmp

Filesize
232KB

Download
memory/1320-46-0x0000000005FD0000-0x0000000006008000-memory.dmp

Filesize
224KB

Download
memory/2656-1-0x00000000025C0000-0x000000000287B000-memory.dmp

Filesize
2.7MB

Download
memory/2656-69-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download
memory/2656-0-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download