42a63fe99861ed6bb09167730a383db9b4c2e829bd0e122d662648b0bfa5dddc

Analysis

max time kernel
17s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-01-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a6e402b32e9aa511971fe9fed794e3d.exe
Size

144KB
MD5

4a6e402b32e9aa511971fe9fed794e3d
SHA1

d0a06b802a768cef53420db8d2cac5fe89394839
SHA256

42a63fe99861ed6bb09167730a383db9b4c2e829bd0e122d662648b0bfa5dddc
SHA512

42c42c7aa850818227f0eaa61aefd800691274999fcca40a68bf38449a7391ba63f735a1f1776ecf20276aae026c962295a235e3ec792eb0c217a7a933f7628a
SSDEEP

3072:tv/q95gcctBXqO7Gdxl2430X8+xWyiXWVGb6awiM7b:w+6zf24A8+xidLwBb

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1800	Irvsva.exe
2364	Irvsva.exe

Loads dropped DLL 3 IoCs

pid	Process
1760	4a6e402b32e9aa511971fe9fed794e3d.exe
1760	4a6e402b32e9aa511971fe9fed794e3d.exe
1800	Irvsva.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Irvsva = "C:\\Users\\Admin\\AppData\\Roaming\\Irvsva.exe"	4a6e402b32e9aa511971fe9fed794e3d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 1800 set thread context of 2364	1800	Irvsva.exe	29

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C586E611-ADDD-11EE-8CE9-D2016227024C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1760	4a6e402b32e9aa511971fe9fed794e3d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	Irvsva.exe
Token: SeDebugPrivilege	2712	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2144	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2224	4a6e402b32e9aa511971fe9fed794e3d.exe
1800	Irvsva.exe
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 2224 wrote to memory of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 2224 wrote to memory of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 2224 wrote to memory of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 2224 wrote to memory of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 2224 wrote to memory of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 2224 wrote to memory of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 2224 wrote to memory of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 2224 wrote to memory of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 2224 wrote to memory of 1760	2224	4a6e402b32e9aa511971fe9fed794e3d.exe	14
PID 1760 wrote to memory of 1800	1760	4a6e402b32e9aa511971fe9fed794e3d.exe	30
PID 1760 wrote to memory of 1800	1760	4a6e402b32e9aa511971fe9fed794e3d.exe	30
PID 1760 wrote to memory of 1800	1760	4a6e402b32e9aa511971fe9fed794e3d.exe	30
PID 1760 wrote to memory of 1800	1760	4a6e402b32e9aa511971fe9fed794e3d.exe	30
PID 1800 wrote to memory of 2364	1800	Irvsva.exe	29
PID 1800 wrote to memory of 2364	1800	Irvsva.exe	29
PID 1800 wrote to memory of 2364	1800	Irvsva.exe	29
PID 1800 wrote to memory of 2364	1800	Irvsva.exe	29
PID 1800 wrote to memory of 2364	1800	Irvsva.exe	29
PID 1800 wrote to memory of 2364	1800	Irvsva.exe	29
PID 1800 wrote to memory of 2364	1800	Irvsva.exe	29
PID 1800 wrote to memory of 2364	1800	Irvsva.exe	29
PID 1800 wrote to memory of 2364	1800	Irvsva.exe	29
PID 1800 wrote to memory of 2364	1800	Irvsva.exe	29
PID 2364 wrote to memory of 2352	2364	Irvsva.exe	32
PID 2364 wrote to memory of 2352	2364	Irvsva.exe	32
PID 2364 wrote to memory of 2352	2364	Irvsva.exe	32
PID 2364 wrote to memory of 2352	2364	Irvsva.exe	32
PID 2352 wrote to memory of 2144	2352	iexplore.exe	31
PID 2352 wrote to memory of 2144	2352	iexplore.exe	31
PID 2352 wrote to memory of 2144	2352	iexplore.exe	31
PID 2352 wrote to memory of 2144	2352	iexplore.exe	31
PID 2144 wrote to memory of 2712	2144	IEXPLORE.EXE	33
PID 2144 wrote to memory of 2712	2144	IEXPLORE.EXE	33
PID 2144 wrote to memory of 2712	2144	IEXPLORE.EXE	33
PID 2144 wrote to memory of 2712	2144	IEXPLORE.EXE	33
PID 2364 wrote to memory of 2712	2364	Irvsva.exe	33
PID 2364 wrote to memory of 2712	2364	Irvsva.exe	33

C:\Users\Admin\AppData\Local\Temp\4a6e402b32e9aa511971fe9fed794e3d.exe
C:\Users\Admin\AppData\Local\Temp\4a6e402b32e9aa511971fe9fed794e3d.exe
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Roaming\Irvsva.exe
  "C:\Users\Admin\AppData\Roaming\Irvsva.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1800

C:\Users\Admin\AppData\Local\Temp\4a6e402b32e9aa511971fe9fed794e3d.exe
"C:\Users\Admin\AppData\Local\Temp\4a6e402b32e9aa511971fe9fed794e3d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Roaming\Irvsva.exe
C:\Users\Admin\AppData\Roaming\Irvsva.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2ef863514302fad269622bee7ecb7116

SHA1
680badd5165e05badef81bd4713d8ab6539d160a

SHA256
3fe78ee341278587a84eb8aa85c66f269c7a9ac8ea4fbaebeb40d1c7be6cfb93

SHA512
0b9e30ec39fcaf98dbc0e0b468794a3e9064b9d759215ba5d168dcf990d066b4ffc0351b434433478b24738c6ed86f8c7f2c460b7a970276b05c142cbd8a97de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4e55e38731868fe23e45bc8d0c6e922

SHA1
2b27d5b40f909849bb9a46498eba17ded3111eb3

SHA256
3e76989d250ad7599967418a2fbaeca445b607a86398ac0a7a72d24a2ab05fc0

SHA512
9a6ed514df2d3839fe61437c3e9ee6e7cd1cfb9b8a9d30ac7de3acbd712c1b4aacb066df6de15bdb7ff8a35a6ced81bf6c9c40e395d54a404d4b6f6db5d8044b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c6f4bdeeee17e435cacc51c81e919a61

SHA1
24a8057d581af02d0561ef96b269c4840021de62

SHA256
e82297151a19a5ba407ffa99a872eeb7c7dca6ee7c71a0d24811371782f04099

SHA512
e85ea78e6ec152ad0084d610f0491a2502736fe0452926d6bfa6d070d3bff64777ad1dfdea63e5d17c92a183dc14d203fb342e3aa2fdf1a0c9812bd7bc536d7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97b9a70552808c54c2aef6b3b6cc1659

SHA1
12c0b5b0da573e12f14a9839b91d5773f05ff943

SHA256
9af923356101e5408e5dc723aef3ec7c6278c63769589da431b0706157e05269

SHA512
bfeb4d5a3e66b321504a1c1e5d39b5e39a223ee67466e7de834240db28e1799af8a3716942dd3d9dbfe693e111416a7a32e8a447803f38b9e0833b8e968ef680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2912ca9fc542063c64e19f822f825d5

SHA1
6e6d8f267c28ea1ebb973e700cae13f52a60673c

SHA256
b47598572965ff31eaaeb4492f5eee47be68e2717356e5520c1bdc9a4864ca03

SHA512
13bff1a8568891f1fa49bebf47f54673c64e964a78e0f9bdd0b2b947cc37f43f4062c0b95d36840856e770c78231b246b199c474d558def85fdbd69e22bd725e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79028d1b3b1aa35550e2b0c778f37c84

SHA1
6983b44c0ead6502f57e669cfd957b5066085ad7

SHA256
e4aaa1e5e393648742115977d144d1feae5859a9d86db1a995784ec3317d7237

SHA512
5f16308d984cff59f1cc9efed5ff42e860ecb821eb29db263e3f326caf27bccc7e4e3b3a24161cd4edd117d63d0e4814eec0b2e08bf30cb29a7dfa1c509f66c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
332efce1b72496822cbbeede0585cbd3

SHA1
4d1cf45faaf75f6d890cc746f81cc9eadcf6cbc9

SHA256
c13bb5c68be7a133fdd4a1ff0a8c233331415a540c531c70b89aecd83ee71b7a

SHA512
3913146b83dbf40daa9ccfb5e8ef4a07c030d3da0e5732747a9cb2208ee210e36d81259beaea1c9bb603eb02990b39327eba780b7f3640aed26d7ef8ed47d852

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5CF2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5D04.tmp

Filesize
99KB

MD5
fa178920e56586a7d673ef62ab4575c0

SHA1
cfd02c6a6b26f3407a1f9a91411f6f4467b1ee54

SHA256
777c3d087168f5f42bbd550047ecf607a3a375eb621d7e30a38e9c8803a861b9

SHA512
12b20ccc55780883d3b4c36366e335a8d07d9581a2684de3e1c05055b6fff4dd3e0124cc210e93f5f4306c37a163a92584047d5eb0ff5d71f04ee30c593a836f

Download Submit
C:\Users\Admin\AppData\Roaming\Irvsva.exe

Filesize
144KB

MD5
4a6e402b32e9aa511971fe9fed794e3d

SHA1
d0a06b802a768cef53420db8d2cac5fe89394839

SHA256
42a63fe99861ed6bb09167730a383db9b4c2e829bd0e122d662648b0bfa5dddc

SHA512
42c42c7aa850818227f0eaa61aefd800691274999fcca40a68bf38449a7391ba63f735a1f1776ecf20276aae026c962295a235e3ec792eb0c217a7a933f7628a

Download Submit
memory/1760-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1760-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1760-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1760-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2364-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download