b8001fa7feb004a014da2051b5059bc1ea25f5c0d9fed5add8b064614881a1b6

Analysis

max time kernel
119s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b19f0775f2d0614c20e7a00f2eec61b.exe
Size

27KB
MD5

7b19f0775f2d0614c20e7a00f2eec61b
SHA1

1998cb1c40978df979e41cedeed0d7e057fdfb20
SHA256

b8001fa7feb004a014da2051b5059bc1ea25f5c0d9fed5add8b064614881a1b6
SHA512

aa7437f12b3d70b537a1ec17de6737e24d98548139147b505507431b95d6751fbfa72179b2a14ab7d1268419fdbbc04a75fedeb8be72f0d2d8340df09d81b7d7
SSDEEP

384:AmmBX9UBSJWGe6cL1mlZg9hhiU4z6P1pU89/dNQCKCP4DCYAN+Hn:AmmBX9UBSEJmA9hhiUJzS4gDXk+H

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2996-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2996-3-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntnids32.exe	7b19f0775f2d0614c20e7a00f2eec61b.exe
File opened for modification	C:\Windows\SysWOW64\ntnids32.exe	7b19f0775f2d0614c20e7a00f2eec61b.exe
File created	C:\Windows\SysWOW64\ntnids32.dll	7b19f0775f2d0614c20e7a00f2eec61b.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412546160"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9AF69C11-BD4B-11EE-A371-5E688C03EF37} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2996	7b19f0775f2d0614c20e7a00f2eec61b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
860	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2996	7b19f0775f2d0614c20e7a00f2eec61b.exe
2996	7b19f0775f2d0614c20e7a00f2eec61b.exe
2996	7b19f0775f2d0614c20e7a00f2eec61b.exe
860	IEXPLORE.EXE
860	IEXPLORE.EXE
2940	IEXPLORE.EXE
2940	IEXPLORE.EXE
2940	IEXPLORE.EXE
2940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 860	2996	7b19f0775f2d0614c20e7a00f2eec61b.exe	28
PID 2996 wrote to memory of 860	2996	7b19f0775f2d0614c20e7a00f2eec61b.exe	28
PID 2996 wrote to memory of 860	2996	7b19f0775f2d0614c20e7a00f2eec61b.exe	28
PID 2996 wrote to memory of 860	2996	7b19f0775f2d0614c20e7a00f2eec61b.exe	28
PID 860 wrote to memory of 2940	860	IEXPLORE.EXE	29
PID 860 wrote to memory of 2940	860	IEXPLORE.EXE	29
PID 860 wrote to memory of 2940	860	IEXPLORE.EXE	29
PID 860 wrote to memory of 2940	860	IEXPLORE.EXE	29
PID 2996 wrote to memory of 860	2996	7b19f0775f2d0614c20e7a00f2eec61b.exe	28
PID 2996 wrote to memory of 2736	2996	7b19f0775f2d0614c20e7a00f2eec61b.exe	30
PID 2996 wrote to memory of 2736	2996	7b19f0775f2d0614c20e7a00f2eec61b.exe	30
PID 2996 wrote to memory of 2736	2996	7b19f0775f2d0614c20e7a00f2eec61b.exe	30
PID 2996 wrote to memory of 2736	2996	7b19f0775f2d0614c20e7a00f2eec61b.exe	30

C:\Users\Admin\AppData\Local\Temp\7b19f0775f2d0614c20e7a00f2eec61b.exe
"C:\Users\Admin\AppData\Local\Temp\7b19f0775f2d0614c20e7a00f2eec61b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:860 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7B19F0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a521dba4c82b0c9aed90712a6fdaf557

SHA1
68fdf6e57a24967b8b65aa3143178899639beba4

SHA256
33bf4bc4d471b24c4af76a7e9e555d9323de7d58b571d4c688d9f2e3a4926db6

SHA512
9973e250663f8f432d92b1d524ca024b1aac93a367e65fbfa38802bb72f8e24ee5d3b030b0de671641b1513888ad2ffcbbb4eb6fa2192934729ef21fd331b3fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b0d8692681b159e7191568cc75f2151

SHA1
4ea01b7790e68a6f162044eebf6498359b71146b

SHA256
b80aec8379808476451a4d5b6e739ae822e89a6b8216812c85319deb8a0008fe

SHA512
85b6145f0c0f0a0ab5230f4fc35edc10b02682a6eebe63e7b92d84379482d1163fa3060ee71551078c2a1a2502dfd16e185fd7af16c5e55a5d4d0d58ac2ad742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
793c3beba89506a2525227da05fe32e6

SHA1
5ec24f47378bacb4ed74f5f5aeb8a41315ec6051

SHA256
1a9cea6db83044b4d4b8903557d26246dfbe474432d278547f34bf0acec19456

SHA512
fd456264d12461377fa65b0f308334598df0ff7e414afc297a1f58979a9772304c7a03d5f9b8d419a9a018304782103e2e05efa9f8f61d0a8963b3bf5370bde6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a5e1e33045674715d43b33ef94cec83

SHA1
56813f0e495f9e96b008fbda643a09dd0b2ef4c5

SHA256
af87d5f8893e073d6212f5667d0d9cdde76734f0f347d1fa963d10d071ce72de

SHA512
8aa524153fd69bba2c564d13665731bbd00aa882fd48a45d1be9839822ef26eb6031c3e6d6557c9dbcda3f0d0f766aa4039277e8dcb168b2769131db55ff0870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
888153c4f7ece8e94f45393763c908f0

SHA1
438c11ec282c3e45ad50afcaeaa2ad9725e74fd5

SHA256
48f35592746dd7f0ccc2d0cb536628e8aa48e08e9966415f700cb1611e057196

SHA512
3130fa5a9ca1e620d3a18673b9d853d2c1c3085306d3d50e97f424858440eaf7c86ce83105fe95329fbb7576f382553631c96843cdfc485f48d7a599e372241d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d966ae8abfe2cadc29f436120d17804

SHA1
75f325796cad70a79c6c53b2996d185ace247152

SHA256
dcc581afcdbd93034c5284c5156e7505b58914e5f2197b94ad1c89263ffdef6c

SHA512
454a1e43cc26e982f06d9eedef3b388b728ec900ca1c30822984f3c68894551482afa694c1ce3764d9b63d433e5f5ee172acbc6ab5a2351bb7cd3622593b659d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c00835f14f0873d8b79521ddb69b2d1a

SHA1
40565dea70ea5663679f83b40d3465771d725c5b

SHA256
63b389b74144fb1a8722f6dbf48b0ae9c61396305a42413bee1e81dc9670568e

SHA512
a0ac790fdac0687313b6f8a6a8581c8266e6f592dde4b640e481a22f5cf51d9d4ab0909e95000fec86de19ef9a9b2ea35b81006c4dad26c72f7334b3bf5f1520

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f13f05501c6ad55ad62a49cb1f89b91d

SHA1
46b8ce085aaeb0cb05a57de00fc72656653ab500

SHA256
a0dde4992ab73ba16844f78afd42fabcea176d4668b3d2e24469d73ccb308efa

SHA512
6e09ee9ea2eb4ad7b7508961bdd01de99765aeef000db90ca84d844e82263a7ce5e7011386f55858462f81be893416e7bfca38937011e9df4609979989b60e0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30af2e06097a1a6f66aa23fdc00ef03c

SHA1
57a050ab2f25b2d130e583dc4f6737ff70c3bc83

SHA256
e2e6c8f47ef9afaf04c83bc86fa5fdf7ef7599a293e435258a0d76cd7edb9d82

SHA512
964f6e14c395e95f44deb5ec700201133fa18992341c09ca10672bb10f530cedae4f4c0bfa0c6157022bae58b24ce9694b8c77fc975d0a6dcada6381298825a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c52fba09f2d8a0d3f071e0f9d081956

SHA1
7f11b652082244ef0ecda9ab9069a903a123172c

SHA256
9fd9c4e13187d28da57b8545e20063f952085d94243b8085666caff2f136f6fc

SHA512
ad3529928dfb3d82c3f09a4f8a109f6fc82a0bced7e9403b35d8c580987a418bc66da5b560ebdec0bc64aa776ed9317c036f94964006ab25aad8af3585a153d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a261c8ef19f59ccdf50e537ba92519b7

SHA1
61504007db584cc05fa5f62042e3d96d905d1c29

SHA256
29ad241434d8d2d5dd0695df4d5ec357dd27ae50d511c5e7fd0f1cd7dfcdb829

SHA512
2c5c7a644f2ca5dcac21509395db4160bfe9bb9bf7af3945bc5cf6460722775037bafc8b7101d426194ceaeddbad160600bc087cca1f056d881438091f857936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8426c794036c130a87af114ce970bb44

SHA1
664406b61f8c4106a7a20403db0075dff556e08a

SHA256
8ed69a17c85bd20024f575bbfadecda13fcbb64bddb2074df6919c1e76f5d1b7

SHA512
a79b36f0a05753e17f33fb1b028367b5ccdbda09b0471c55504ea7dd6c290a26a5d25e9971c7b364f8f5ca81d0b715a3c376c70a84e1220e99cb0d637d8db023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20eb96fdbe93c274c0db3cef2f8a8f94

SHA1
29a2605e3d3675d6e4c95971a68ff78fc5248d4e

SHA256
0a2cf58e6aac00711f0662343ed8088006bc51a45febbf9351c352b9a1123d1b

SHA512
6d3eb319184d01723124e05c3d96de953e03ccad8e7a1543781df4054b1336a9c55df4d23440e8923a5f03de7e26df45c9e3f5d16c8ca3ed5619d76861055d35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d66a82376a346e4b22d641dca964fb0e

SHA1
d07f1afa11004a08c173c77fbe1f7823a9760b56

SHA256
fb8961843d0a1b78870c6e53597cbdec9558a84e028cdf7dfb12ade7ab032e6f

SHA512
ffb648402de3f838301d256e7cd961178250bb9d071124a1845236e5e0d5b724aa8044c7367028d4d9ac25c82b98d11d92eb42654e161e799f3a1ea503d0453a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab92F0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar93CD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2996-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2996-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download