Malware Analysis Report

2025-08-05 21:21

Sample ID 240305-asjxfahh22
Target b3539ef19c283d0c8fc86e19ee189789
SHA256 6c42936a3622c445249955ded10f6ecf2a9bcbfadd9aa825d58f842b4871e453
Tags aspackv2
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 6c42936a3622c445249955ded10f6ecf2a9bcbfadd9aa825d58f842b4871e453

Threat Level: Shows suspicious behavior

The file b3539ef19c283d0c8fc86e19ee189789 was found to show suspicious behavior.

Malicious Activity Summary

aspackv2

Deletes itself

ASPack v2.12-2.42

Drops file in System32 directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-05 00:28

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-05 00:28

Reported

2024-03-05 00:31

Platform

win7-20240215-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\960c6fd92b.dll | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415760404" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{585A4881-DA87-11EE-A4DC-6EC9990C2B7A} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1888 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1888 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1888 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1888 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1888 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1888 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2696 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2696 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2696 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2696 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe

"C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$30689.bat

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | udp.hjob123.com | udp
CN | 182.61.201.91:31801 | udp.hjob123.com | udp
US | 8.8.8.8:53 | dnf.rrads.cn | udp
US | 8.8.8.8:53 | dne.rrads.cn | udp
US | 8.8.8.8:53 | dnc.rrads.cn | udp
CN | 182.61.201.91:31801 | udp.hjob123.com | udp
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/1888-0-0x0000000013140000-0x000000001316C000-memory.dmp

memory/1888-1-0x0000000013140000-0x000000001316C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$30689.bat

MD5 9ff639d0580cfc3c5aab34867d3d35dd
SHA1 ea150cf0608bab1651d0b226a5e4a1d7b90d8b42
SHA256 1491bbb1c506651714a246b9f51aeea213d336f7da33cafb507d715f9d91c90f
SHA512 fe077c16c84c60f23452cbf57232e086126d1bb281a73a93fa6617f1344827d32f20ac048a533d2a7fbfe76f6e46e9660aaf9e272bc735bd9e359537417142d5

memory/1888-9-0x0000000013140000-0x000000001316C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab89EB.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar8B1A.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a0245f756083947d3ac910ba3c955ad
SHA1 f6583b47588f80ec0f61e669bf48c77f4a32885c
SHA256 f488c521e7ab114d56d79681da26f7b4b285551d091ad2ccad02418378b67e2b
SHA512 24de0ec707f7a50edcb15d5b5b78a3680a7db53ea9caddb9092da899c1cd54f3962eb4fb1e61d981d03796684d33d2c1b22ead7d729e26d225194026326f5759

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 568d18d8515b04ddf512063afb4a2950
SHA1 e1cbe9276319dfc6099e8dbdbae5beb49ea9e248
SHA256 535451b7d4a4e0504b559a8f9b2253dacfb444cb6c811e7e5f994ade3313a06f
SHA512 8e9deff8711f1c9d27a530dd43ac8eee9e0bb088fbcefc56c572bcbb81ea642fecfef605ebb1642349f5e4ed547cab9884d9725b4afa7dfe997461fd5067a481

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d49e9de3519e77c1e04055fe70f9da9c
SHA1 8fc1f679636f89535101b34a4222b062b06fd4ac
SHA256 61286f8dfd76264a58d6465fe6060697d1f13ad30e4c4aef098c5cffc7bc349b
SHA512 f707fbc903bb8360952441c9d871ffb8e49a0cd8c66a13eccf2952df29b24cdfdf67cd68314d26314921ca85f3f5f888f4e6303105249c8a70d93533c87f8745

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5c50d1ad314eb14fd16a73da60319fa
SHA1 980e20bbfe7e29364aa2f90bdeaef1b736dfd07d
SHA256 b9898ebcc7b8bb1ce96570f1da2e588df9da3db8d915d94827a0db28804eee65
SHA512 4897c3f3810fc09ce22333889a3a49669372584e0908d20833d35baa65a694c14ac32fc4b57c8bd29446fe24912044a964873b455e0521f0f64dab58bf272148

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f65227a45af90fa03cecb993977d63d6
SHA1 8aa2dddbc9c1df720ce0ccba1b0b4ea8d80171ae
SHA256 70690cda79372fa1e540f0f93a47b0a946359ae39506d9664df96a33cf789e45
SHA512 4e3eaef93be6608b2b2f6881dce07089a8917cac7cad7b233628549c4c661fd8bcb2948d16ba989945a06d2a261aa219b6c4ac85f7fd5c549f1f34ec6b5ebc05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39b6e38bd856bacc9be993bcdbadf263
SHA1 703ab8b08d6ea61278018289d9d5f09ca5e6c7c4
SHA256 a49c140e7da8466a2c8ff59953b1f544b361c3a0377d7e4ea24088bcb30637e8
SHA512 e02fe13fc46242059d1174e57a1e275a1904c6fd668e8ef6b20bcf589f24671b9342b9d9e90505e24fc02da4e638cf4df0d1562df47d99933833ad34dedcb860

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dda5e00cd5eed9c3568c9abffe25c404
SHA1 5ff2d12dfa755ea9de60c974efe4225fd9182f03
SHA256 226360947bc9b0ca472f47e65c3f5408e7f84b5ff9220321d5418cbad75028c5
SHA512 902e80c25c3d22faeeca27bd4854f2d1460ffde550eb3a0590e74bca3b70614595c83ee30a2848a679b65073a26e8a1ab134298012f364c5ce4c88035cec88a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f4d045b47a9b7f550afb26254be37c8
SHA1 272cc53bb49634cf0e75af78b3e1b86b7110a7ec
SHA256 e3679ce0e55b70321b77112a3c279ebb27bba79f19974fc8fb6a312b23638887
SHA512 894c76ce21e69b59852f3d11d38bdea8c89ebbe5cbe62610e01197b7c9f1bbf3b6c1a1c2ae24f9f8ad37d6e0d7df738a0d4cd033241c9ccba0342c819f131043

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cd06f3379b894fd90af87480568f150
SHA1 7b095ce6abbe86bd7be18c3642ab80f751920fdb
SHA256 24d00b43b921d065ac3a0e3e045a00cf1d7f8711fabef0d08f6530879c35e0d7
SHA512 57cb0a877c9a929516d621d645a4cfc09b71d8c73de4def338fef16c91bcc57863f7ca315a63aab33a2d6db6d97398eff587366902aa1602ad3ac5646263b820

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c890fb08b372c704b0c7022171d87266
SHA1 04f3738685e09fd8f214ebff6e3064127b619e2a
SHA256 65746b3c9db04d475427d13de6914567b56ad0e9accfb4208e14a227e6fdb99e
SHA512 dc250e5f5ccde1b6af7db61e1523508dfdc1790ca347308dd6d9eb835abef34df75ea54d68a4b69b156b000338d981bc11d195ef25d1f0c55c0628c819269961

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c204b2df53ca65d50d22463fb9f02f7
SHA1 ae562c4094ac9a607cf587d04973409096b93528
SHA256 36d35c405d6863d1e1ff2b446f1df9b571ff89182f0dbe141ed2ab20c4d6c6f0
SHA512 0fc67c8009f06d15166c24195cb5b940c2306571d9fd0112d22ae1d2b786999a8c69f991903c4684dd03761d1f0daa55b1b292274c806d51cfebc760e59c52ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fcddc9e6363f75552293c01a7c58048
SHA1 2437687309c7b2610bf056dddede534639bfa1b8
SHA256 03abd60c01b245caaf83e92f208917608dc2439ddcc07175cf3ad5b8d666371c
SHA512 421e897dab149da6279b52bed37be68787efa6d52af80275cfe8fd2d4d5661675cf55fcd2402a848fd82d38f242d26b24bbd406fd863fdb0b5c3368cd06afb2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79dacf68a69d507ed9dfcb0f638fa881
SHA1 bd288813d8e947de3952c529e269e6c5a27bed61
SHA256 835e46ead014a7f785fe59d090f48a48d99c0f2e860d44094b748a6d2fd4b11f
SHA512 d563b88f6eed964283aa8e96601c24c14b4b47fe2406169c05c02a1978c14ba198ffb979d55c5dbc0bde385810c366c75efb91b1c95c2aa98bd679e80f64ca2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c85464031f2cdd930d052040eb19addd
SHA1 94519e142abbd40241f6440ffb3002f389817b0f
SHA256 0a25fd0623720ddaa57fcf13d2cc6177ef244038c8ca3f09879397fbc7aa370c
SHA512 31afff99798ff9941dd286999265a6a0d1338094a9fdc405174d3605699b2a7fab0000a4f74fbd3c8e7e1f66b43f8584fea51688c3f955273e12f2a5dc430849

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f89ad4e81c137f0b3a48f16f9cd6f16
SHA1 18d7ab2950f55241bcd9f53f1bd06433fe9d161e
SHA256 1566c10695b50a58a7a80b9cc5173bdc0178931909abe864207ed51cc9070568
SHA512 e81d284441dc0632b6a04cabf9b8ccc63ebcccf42f6895c621b5d45b792508b555962e248d6deffb12681aa5912c289e86cd7d5c9e54ddcfc6087586ee50ef56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b7111c6dd315fc6f90ed519a161cb70
SHA1 9069c5c69ec73bcd63b0a2e45a521327a3d724c2
SHA256 e2cd4a6cc1c38a9ac6a0ab67c391b554b174d1416d00fdcbd884c710cdfc5d9d
SHA512 713d2327c6fdf478fc3c6f1c572c060c186f4e38bb3e77d39885c4620af61bfec380ea514b802bcd038eccb2ea1beee2feaef85a0a705fadd6379ebe1a418fd7

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-05 00:28

Reported

2024-03-05 00:31

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ee81b9d2fb.dll | C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31092372" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416363524" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5DC9FF6F-DA87-11EE-B9F7-5EE34177FBBF} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "852394602" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "852394602" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31092372" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31092372" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "945363523" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe

"C:\Users\Admin\AppData\Local\Temp\b3539ef19c283d0c8fc86e19ee189789.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$30689.bat

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3592 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | udp.hjob123.com | udp
CN | 182.61.201.91:31801 | udp.hjob123.com | udp
US | 8.8.8.8:53 | 91.201.61.182.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | dnd.rrads.cn | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | dnd.rrads.cn | udp
US | 8.8.8.8:53 | dnd.rrads.cn | udp
CN | 182.61.201.91:31801 | udp.hjob123.com | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 13.107.253.64:443 | | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | api.bing.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
GB | 142.250.200.42:443 | chromewebstore.googleapis.com | tcp
GB | 142.250.200.42:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp

Files

memory/1256-0-0x0000000013140000-0x000000001316C000-memory.dmp

memory/1256-1-0x0000000013140000-0x000000001316C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$30689.bat

MD5 9ff639d0580cfc3c5aab34867d3d35dd
SHA1 ea150cf0608bab1651d0b226a5e4a1d7b90d8b42
SHA256 1491bbb1c506651714a246b9f51aeea213d336f7da33cafb507d715f9d91c90f
SHA512 fe077c16c84c60f23452cbf57232e086126d1bb281a73a93fa6617f1344827d32f20ac048a533d2a7fbfe76f6e46e9660aaf9e272bc735bd9e359537417142d5

memory/1256-5-0x0000000013140000-0x000000001316C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee