ea79b8ead2593eb7d36bd4f040661d7cf802d1bbe8c111433ba574b291e3fadd

Analysis

max time kernel
156s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca3a7e0c644661e3f2ceab91d593462c.exe
Size

291KB
MD5

ca3a7e0c644661e3f2ceab91d593462c
SHA1

69c5dd3bab11d165aa9dbd65f67ba50c9e461b7e
SHA256

ea79b8ead2593eb7d36bd4f040661d7cf802d1bbe8c111433ba574b291e3fadd
SHA512

4c604581ae849e539b451500a0ac10700145af42219cea9a0dd7b735cd85e1d91b75dbb40a4023b97f9addcabe291c71c74d1d4f90fdfd11c889241b7f881969
SSDEEP

6144:CpyC6GUBnntydTWiAEMgJaVosKlgLU4lrv4sc:CpyCOntydKhHgio3g44Jv4D

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1136	www.sexy-roots.com.exe

Loads dropped DLL 2 IoCs

pid	Process
2684	ca3a7e0c644661e3f2ceab91d593462c.exe
2684	ca3a7e0c644661e3f2ceab91d593462c.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2684-0-0x0000000000400000-0x0000000000788000-memory.dmp	upx
behavioral1/files/0x000d0000000122f6-4.dat	upx
behavioral1/memory/1136-12-0x0000000000400000-0x0000000000788000-memory.dmp	upx
behavioral1/memory/2684-17-0x0000000000400000-0x0000000000788000-memory.dmp	upx
behavioral1/memory/1136-137-0x0000000000400000-0x0000000000788000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416630902"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0cf03f77e76da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc500000000020000000000106600000001000020000000c322ddf3d2b04b7e425b236f6d0af6d9854c4a4ebd3cb3e4eb652b1e6de7d281000000000e8000000002000020000000acdaa219c7cb5fe8d9a83b5a2c4b262fddf742ccf98ee6b58c4c5f60d42e8c4320000000b4d4721dca3f60d2b188e3adba0bc4d85c2a5b6d9abc52030e867d841ec3c37140000000018a6804d9c74b3ffd1624820cbef8ca34591214add570c70790a6d451cb947f70b11b75c24f03efd9e216f7116ae2c7dba9ed012e21bef90cdc21ae4e3d7d59	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc5000000000200000000001066000000010000200000008ac6bbe2cc37152645596db70ab7964bca84b877d42a1f932c7d28a9233613f7000000000e80000000020000200000002e10de478bf0c708aa219d1dee1e430beaab271841d31ecf5a753d6bb6442d3890000000927a3af9597db5aa8ead4884485b091fb97015035d11c2983691262ee66b38b6561b3472a5ca6c693cd440cf0b7002ed24f2247fd5e9c7c109dab408075a20da99b34ca319fad5e67eb14a3b81f996eb3fda0e5f30134e6cee6bf3b8a3f199971791e409bfd04af2cece131ddce7574ef3b5c0c778a34129fef8b9a6e52b2c2cd5473a1fd5c301dd3809384d28f453ce4000000028dabfb2a70eb3b527f3422f39c6bf4b87f845841756a2b67331fcd0b7abde9f7cd74db8ec266138952e5ca12303a2b1679b58e52182e8230257b1fc61e36abd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{22179CD1-E272-11EE-A8B8-66DD11CD6629} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2648	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2684	ca3a7e0c644661e3f2ceab91d593462c.exe
1136	www.sexy-roots.com.exe
2648	iexplore.exe
2648	iexplore.exe
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1136	2684	ca3a7e0c644661e3f2ceab91d593462c.exe	27
PID 2684 wrote to memory of 1136	2684	ca3a7e0c644661e3f2ceab91d593462c.exe	27
PID 2684 wrote to memory of 1136	2684	ca3a7e0c644661e3f2ceab91d593462c.exe	27
PID 2684 wrote to memory of 1136	2684	ca3a7e0c644661e3f2ceab91d593462c.exe	27
PID 2684 wrote to memory of 2648	2684	ca3a7e0c644661e3f2ceab91d593462c.exe	28
PID 2684 wrote to memory of 2648	2684	ca3a7e0c644661e3f2ceab91d593462c.exe	28
PID 2684 wrote to memory of 2648	2684	ca3a7e0c644661e3f2ceab91d593462c.exe	28
PID 2684 wrote to memory of 2648	2684	ca3a7e0c644661e3f2ceab91d593462c.exe	28
PID 2648 wrote to memory of 2144	2648	iexplore.exe	30
PID 2648 wrote to memory of 2144	2648	iexplore.exe	30
PID 2648 wrote to memory of 2144	2648	iexplore.exe	30
PID 2648 wrote to memory of 2144	2648	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\ca3a7e0c644661e3f2ceab91d593462c.exe
"C:\Users\Admin\AppData\Local\Temp\ca3a7e0c644661e3f2ceab91d593462c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\www.sexy-roots.com.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\www.sexy-roots.com.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1136
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sexy-roots.com/member/exe_contact.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a508b89a8aa23d3c377854b3ee1f544

SHA1
a3b151ccf9e28d5fc99dc702b7ce096430bc112e

SHA256
c8b6435a630a601c6d33f843a98d65efbb2dc7500e763086154c7f0488116343

SHA512
c16dcb4c7ff45af32fb593ac98827673be430d7a790e912d9aecea43fcf6ddd87d93831da0185c93282a01536f700f32db6a910fc824463bbedef58ab880c17a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cce85674259938d4d1b721b189f6eccf

SHA1
768957b57ba385caf73a627c4d06d8c42ba05ecc

SHA256
7e370ad95213865c209bb5d42fb5494630531846eaded5e8ec9276697a7f4d6f

SHA512
7ed5e1b879d913179abe7a1b83b7c2ad94f9cdf495635f2b9783f5a5058e2b6958f733e9a5e2f055d0e2100a433900bae1f5a47815e3638540c92196f6d54289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c823570962aee47dfc396ee7ad6046e

SHA1
3e2f20a3b077a0a1196cb6b45eeb3f99919bfa97

SHA256
4d3124014c6d20c6891d75ffcd0d2b5e4b090e4831a7d17a11501e63c3258993

SHA512
e37c18cb0099ccd4707c1f76617b41fdfddf5823e0893ea1c370ba06c18b51f8ed40cdc31a3691a2f9620fd1446ac7c5f5075c0df8b5bd1da00dd62decc8287b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfb9b1653853e790a46ae6014945ccda

SHA1
988d0236ed9dcd5922eab6651ec4d6bf20262e0d

SHA256
f2e1a168ca432f7f3d97ea4f799b86ff5faf65d9236ddc6b0a00b448821eb3b2

SHA512
9923450176127edb8ede5f24d21a7dc24fca263f245f86614022cb9fa48ca20dbc8b4ae681315d54e2a67c4eada8f4b3b042b3383849396919d1ed11e8925895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8db79b34ead19408d9b1cddb0cb434d6

SHA1
19a0dc3368fb1a969ba7e9befe12bef35edfd129

SHA256
91c36eab5d8cfef803efdee468f002896959aa52a272937796dc7a5554ed0b62

SHA512
b88663d2af83402e4cd1486acc75bad86da569a94b5109410b1c3adff36e7a3113e4b15797918da894ea737069a10dbd8061e274fa2aa56c86dcea8fea0c2a3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6d656d3b357fe67f5f37476de8006ef

SHA1
e5f8a8f3406a830c945f059c9486e6f14292377e

SHA256
a401cd094a3f49716591000cbb7767319335762268b572b8989d427ad9726562

SHA512
22af7ccecb2690f337920dbb26ad0820ef648666343a22f13fb7c60d649670f0dfbd92933de4599c0ae85325f1354e7fd1dbb2d580d8ed6458592929f50aa68b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
354bd5938bbbca6d67f159c4c44794da

SHA1
b5b56ed8114d5add3fce37387519853e6b0e6e16

SHA256
d852deb37f422c8f365b7589f77debdef5a1d708331880b8640ba160d0f3a999

SHA512
9ffa36c5e5281f4f36476e8d7e6c38792af79b318e811e3f1def9313f8faec929fefbac71c315d8c99a9cffe11c534a346ee0b4d5600f06dfb5ef5f4b9bebdd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3fcca9dd81a9134218d72ce67558d647

SHA1
d5278c9aa8ebcd8f4d962b1661a02fb85715e4f2

SHA256
1bbb74190ac274dfc4218dee54c619159c75cc4c9c56844a903945b22a5010b3

SHA512
2a1f744f1782e772fbe0aecbdf0ffcd7f991014c1b847eb91fa3996bb1764a3979b8cba7b4699360beeced30ba83aefc81bf86ede91d9c6729f52d24324f267e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e0864810e12b031c2c208cd07a122b9

SHA1
8ae0e84130bf60a50810699e629668dd016a6a8e

SHA256
e1742c32ce47bdd97887d74451e0892a6d4a64cc7f33cc920df5339eafb49c93

SHA512
22ef4cf11f67eda972110321a2197f2c97e45e534387f6f438a6ce154f16362cd5cd4d018078b753f798126e5b846e462cecd94b49edf1d9d114b28f98a26514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94babdd1b3443ecdea6140096dd58649

SHA1
ee2e6b7af93102a816e96873649691f7795d531c

SHA256
1a261e49621217502455a39a5c0b96d245e5236378929c9ca383a00e661bdffc

SHA512
885cbacbf91c33b37386960bbddce07b4fa1a70badc3b4fe32525b8f932a1e46938e83e8db7fda5cce90063047c5031c44f1a02a51d1224289b0f4d8875340fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F10.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA197.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\www.sexy-roots.com.exe

Filesize
291KB

MD5
ca3a7e0c644661e3f2ceab91d593462c

SHA1
69c5dd3bab11d165aa9dbd65f67ba50c9e461b7e

SHA256
ea79b8ead2593eb7d36bd4f040661d7cf802d1bbe8c111433ba574b291e3fadd

SHA512
4c604581ae849e539b451500a0ac10700145af42219cea9a0dd7b735cd85e1d91b75dbb40a4023b97f9addcabe291c71c74d1d4f90fdfd11c889241b7f881969

Download Submit
memory/1136-137-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/1136-12-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/2684-0-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/2684-18-0x0000000002850000-0x000000000285D000-memory.dmp

Filesize
52KB

Download
memory/2684-17-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/2684-16-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2684-11-0x0000000003330000-0x00000000036B8000-memory.dmp

Filesize
3.5MB

Download