36b82a5cd0b075172f361d11a9715d8659ce58d464d180f50c8be34312a8d308

Analysis

max time kernel
121s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca44dc4e847228a5933e61f8fa1f6786.exe
Size

94KB
MD5

ca44dc4e847228a5933e61f8fa1f6786
SHA1

4c472ba9650b9314c594214ce580a2ca3bb94a5d
SHA256

36b82a5cd0b075172f361d11a9715d8659ce58d464d180f50c8be34312a8d308
SHA512

bf682f5cccd94f8d7bedff853cb652250962d2e9fd266f9e9054a62efbad7c5a2532fb24878fec7785894515dfc396f81c6464dceffee7fa956e27a5af7eaceb
SSDEEP

1536:Zv6QFiwYlh1o0PSqbe3j7d0Yl7TyC9R6z8W3J7PVsuiZae/fx2N4Yj:DFi3h1zaqi3uO7hQJ7PyHZ9/bU

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416632186"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E43C951-E275-11EE-A1D2-729E5AF85804} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2840	ca44dc4e847228a5933e61f8fa1f6786.exe
2840	ca44dc4e847228a5933e61f8fa1f6786.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	ca44dc4e847228a5933e61f8fa1f6786.exe
Token: SeDebugPrivilege	2840	ca44dc4e847228a5933e61f8fa1f6786.exe
Token: SeDebugPrivilege	2672	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2988	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3060	2840	ca44dc4e847228a5933e61f8fa1f6786.exe	28
PID 2840 wrote to memory of 3060	2840	ca44dc4e847228a5933e61f8fa1f6786.exe	28
PID 2840 wrote to memory of 3060	2840	ca44dc4e847228a5933e61f8fa1f6786.exe	28
PID 2840 wrote to memory of 3060	2840	ca44dc4e847228a5933e61f8fa1f6786.exe	28
PID 3060 wrote to memory of 2988	3060	iexplore.exe	29
PID 3060 wrote to memory of 2988	3060	iexplore.exe	29
PID 3060 wrote to memory of 2988	3060	iexplore.exe	29
PID 3060 wrote to memory of 2988	3060	iexplore.exe	29
PID 2988 wrote to memory of 2672	2988	IEXPLORE.EXE	31
PID 2988 wrote to memory of 2672	2988	IEXPLORE.EXE	31
PID 2988 wrote to memory of 2672	2988	IEXPLORE.EXE	31
PID 2988 wrote to memory of 2672	2988	IEXPLORE.EXE	31
PID 2840 wrote to memory of 2672	2840	ca44dc4e847228a5933e61f8fa1f6786.exe	31
PID 2840 wrote to memory of 2672	2840	ca44dc4e847228a5933e61f8fa1f6786.exe	31

C:\Users\Admin\AppData\Local\Temp\ca44dc4e847228a5933e61f8fa1f6786.exe
"C:\Users\Admin\AppData\Local\Temp\ca44dc4e847228a5933e61f8fa1f6786.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
034fb20951c1abe3dfba511374bbb544

SHA1
af099f131f9b9047abb49f474a5c4f30b640817b

SHA256
0dccfc7d2b7405d3dc5e62fa90e63638d90f38a73fc273dffdd67dc7bbc289d2

SHA512
ad891c1e4053b2a3985fdfc7338dc48027c4e0b4a4502c5fe30feff9e4cfe64d994ab0b35f5d16968fe32424329d1de6994adc1e9f2b0095f05107a5478ea1fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90a5ee8f8cf5f88471199872590ec4d6

SHA1
bc64a6ce390e1dd00f95372de84a128dd18f06a8

SHA256
eedb7ebce862d31f844f2638b7d0d6c494f44e1653fbbd87dee0f1ba66069657

SHA512
08a95fcf216812329310563d91322214aaccc744082340cb7f51a66b9305602f664ab38fd336ff9fd5e99487f5b81b11be4cb73e70b45ac735252630888a0212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8492d8223207b8b0d522d0db7669108

SHA1
566fa947793f1cd897dd2c99c59b35ee813121c5

SHA256
dfc91d8b1e6632fef0e26256042f7dc7f2d16d502c181fe1ccfdbf77cf58ddb6

SHA512
1250698acb115871b79e79f8f131c74b39e623b1eee6a0af2a3ae416494cc71016d147090edbbd96eac2850a533673623f18a3c0fbbadcbb629809ece252f061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bef2fd6bb82ae30124c9de86e8c9a95a

SHA1
d324e3928b9bfde0a897432c93ad527ccd985c79

SHA256
c9fef5ba1b9e1853d6b27b03385f61afcbd71ac8cb129af7ee1b53e2a0962494

SHA512
85f3c6010391edcde0fc26258219280336dacf67d0379fcf3ebbc951f08cc5f46db5c8c667f32a60a4b4380ea23f213c99e0c5f6b3000b277d9f93cea3626dd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1883caf14d0c853c11424a7959b1b928

SHA1
c2b7220b323bae836fc6deb8303be799b8b7335d

SHA256
0835c7774787c79c16ec6b29d60016bf7721c7db6ea937b5e70540beca1077c1

SHA512
d853531fde7f0cad408eea8d4b0a32d26a96bf796d32f51f5f8500a57a063bbaf58a243b974ea3935bab238cffa51056c8ad6b1a45114ad33918058df11f73e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
240e2fac1df62618d7c0d1a87cdfe1ee

SHA1
9a1fad2f524dea2802162e12dc4b174ed4f7ad04

SHA256
58acc494009e789e11f0773dfbaf28428d983967bb02e4fcfa2456953aa52fb2

SHA512
fa87bec7e468c54636f6965e3095ba098e84ccdeb54192aef7a00f4ae5e36e3de22136e1563f44211019a4e79e6d2df4ffa80ca0ce09ed1e451383da23d5d9a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
341e483bc78112cf12900a4978e551d7

SHA1
80edabed487513582131e7cf99fae5c09fe5ffd0

SHA256
33c632a96221bbbb97a17e7bc1587a6a66808d030ca47f17aa3457cf08b66c28

SHA512
e93814af1838a375a38c766e54da15e2aeca3686f9451cb3e4d30e587c9706f401bd50299f85c1ef765541f4f02d180933f6edcaea9cf88f68f338b6258bb77d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74c3e9ed6ffb968e484b0da1c9a6d08d

SHA1
c72e91c2d1fabc97d5517c8ade332b1144a6e48e

SHA256
1ed8311b07f5c9c9f8113b6703ff19aebd3b42a13fa088d64b40041f68f1150c

SHA512
897196ca009c1e23adb18da95c87f25a499916cb3bb40371422ff57a903e949d8a56a0760037465e6feaa58d9df694ddf3d8d999d80196f652adc27e20c8cf2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab94F1.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9A66.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/2840-55-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-49-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-33-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-35-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-37-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-39-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-41-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-43-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-47-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-51-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-53-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2840-57-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-61-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-65-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-63-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-59-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-31-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-45-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-21-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-15-0x00000000774EF000-0x00000000774F0000-memory.dmp

Filesize
4KB

Download
memory/2840-14-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-10-0x00000000774EF000-0x00000000774F0000-memory.dmp

Filesize
4KB

Download
memory/2840-9-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-69-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-29-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-25-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-27-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-23-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-19-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-17-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-12-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-7-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-5-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-4-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download
memory/2840-2-0x0000000000310000-0x000000000035E000-memory.dmp

Filesize
312KB

Download