a9905cff617afc9d8186192e22deeca1472cb3b9dccc1fccb0e401c23fdce141

Analysis

max time kernel
121s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 16:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AutoMax v1.0.5 - Cracked by ElectroHeavenVN/AutoMaxManager.exe.xml
Size

330B
MD5

38602c0c755abf6e28390c1ef361e55a
SHA1

866da18e4b951e3892963e20b04ab2ef6e43bf24
SHA256

1e820ec72ad84cd3b31e1ebc0316ef8d982b0ba2e8da01a96937d98230d38cfa
SHA512

b504a2d5b4e98e49e216ccba2d5b5ab44a516b355c624218c362d7790e7679a932ec62d5ddffa9f4579779484de564735b02c88078c5fe4d3d2eafafd728dc4b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{605C3D91-E545-11EE-AC8A-E60682B688C9} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10da1f355279da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416941540"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f7000000000200000000001066000000010000200000007aefeafc88aad85411852279c692b67271e0e1f047857a1efb68ae2a601b9d7e000000000e80000000020000200000002116a3d19962cf9e935e645bbf41a61dc2e2bdb71055809877f64fd2b89b42f32000000088e9c0fec7d35a05816b5cf494c3bb7773dd60431df9d0bc1aabb35d3cd7440140000000f530545187b78d372b5edca3f8cf77cd9bb2964f14d4b860558ae9c758f15508f0b89882d075beeb2164509777968587c796c6f50f52a7c23d9ede8e366c6e68	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f700000000020000000000106600000001000020000000b38ea01abe2200294af41e08253d061a68dae7f5a451803dff9b04eeb2a1ae19000000000e800000000200002000000094a1371612bb33f4b8baefcb32b90bdb810acb973563967de3890fdcbe85ceda90000000ba970ebe9213391dc11c8e23b42842d62b36248d8082195f2ddc29bc5831b63872e50a21759b76e106bef984a5ec07848121930572bc092380ee80c6c251f6fef78701ae928627e076045a01ef711f9d392b285128ff2455ed893971b4d15565409653c67b74148921230b07d8b36f82975703d8f3389480a629fda9a537784e2c7b123be1d3e4eaa80b91394274099e400000007f7ff98410cf52f559aff1d85aae586d1c6896c429d6fa513e3f69992f34a6d3b656b378fc1cdd0c5aae4105ea1b3f2b2051eb4d466118bdc598d8ae67a9870d	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2432	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2556	2540	MSOXMLED.EXE	30
PID 2540 wrote to memory of 2556	2540	MSOXMLED.EXE	30
PID 2540 wrote to memory of 2556	2540	MSOXMLED.EXE	30
PID 2540 wrote to memory of 2556	2540	MSOXMLED.EXE	30
PID 2556 wrote to memory of 2432	2556	iexplore.exe	31
PID 2556 wrote to memory of 2432	2556	iexplore.exe	31
PID 2556 wrote to memory of 2432	2556	iexplore.exe	31
PID 2556 wrote to memory of 2432	2556	iexplore.exe	31
PID 2432 wrote to memory of 2628	2432	IEXPLORE.EXE	32
PID 2432 wrote to memory of 2628	2432	IEXPLORE.EXE	32
PID 2432 wrote to memory of 2628	2432	IEXPLORE.EXE	32
PID 2432 wrote to memory of 2628	2432	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AutoMax v1.0.5 - Cracked by ElectroHeavenVN\AutoMaxManager.exe.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
932b1c314f22127b9bc1d30e312dcc11

SHA1
7a530722ab274867a8731dc5cf6fb65505b36baf

SHA256
a3d811893f18791f4ac5b5eb1afbfbb5e08797d5e7752057fb6cc45eebf81aaf

SHA512
a53300e61ffa29b6632c98ecd970ea83503f17e5cd82397f04eb03af0116239006a9af615a8411a2334ab283bb1239a72a26ce955fc81a95d7be40f7c297d985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51306420fe8ac59cb22145fc3ccf8219

SHA1
4f776dc73e78953a3e214714a7b9646cd0185adc

SHA256
c48e8a572fa6ebac978ddb6b19387d60491d75fbd4f302fbd56b45de9db53e5a

SHA512
e79b73b533663672ca8e772a06ce6f25118d370bcc202b17df66941e1445eafaae7e0634de86a5515be37d704e43f99cca796fb3d3d15ad8d1b3b6db2ee1f877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00ff538fe5b6172c7371a6a0d5b484c4

SHA1
f60d57707bdfb8b9d07fda984412033c8d611756

SHA256
9d06c740e8f0d4e7d8ecab1f917e7f4022a4b1a0d5a657415a0b3e069fbce204

SHA512
9737ec07136dce7a98e8c2094fb7e4ca43ec025ad8e64aacc70105b150d0c9eafc213b86ecb5b41d8a8e08fcafa0d6fdffddecdd9df735d65701c06b2f366a99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1801481ef3baf8ed421e06753e9676f1

SHA1
8dcf34bd7ac3ff1312eb5a93daec3a389afaf9cd

SHA256
13940201af4bcbf69fadd220769f1620bfa2b15ee4fb2160a6db685d4907476c

SHA512
22ffe39c6e59d1c7b4e1367cfb93b2f2b52f32c18b2138af8368f4dcdfc401565474672887f6ac196a491552437a3d9cb60f295c61da73055beb0efcc4d30b20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7699609824de9696e8357df37b5be6a8

SHA1
523c69e5802d61da8abdcd64056a95026962dbe3

SHA256
e6ce6e9f046da826beb633d01212c903f85c367f586fdf2e04b7e81707a4ba8a

SHA512
5128b4ed3c61eecfb9e65fe28b59f96bb7bfd7cb9cc8c474e8c8e59ce8f863ca8ce8226e9c7ce97e9c732b1e25350ed8536834a723ba8eb7f2c4599cc9f0923f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09d48a2edcbcfc1cc4d995694b55b552

SHA1
8619958a9be799673294600d7558e231cf5acd1b

SHA256
b404c582630d009ca9d1ad1af6f87966429aa24984c8351e334a062298351301

SHA512
acc6f89a4d431553003eb4539a6bce718c1e48d444b306522dd63de047d4a029a4cbb44163d6b9e29810b339a54f1c47115eec7989aa394c41e18d3ea7d70127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39687603336ea687cd9dfd87c427ecb0

SHA1
e621475549cc4a9e28086d45ec3a4b3f4f454102

SHA256
bbc58a8c31bf42eb285949ad1dbec009f73b69445935fef95c57670366560109

SHA512
7332701ca526a62f62dec4d660466f21fd2f7d0db8ccf6a578ea6e5cdc6f13fe31f182f65e4ecd3c7305e1e43680d40b63bd9c0c4155a8accce23a510cb5eb36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f06614d26cc015be7b8ec7c01dd5b7fd

SHA1
a95b22cade2ad1c22d6949025966d84a840f5736

SHA256
36baf77eec56d96e212fcccd2a710a12c61846ff28c5c1949cf26e9d51616b3d

SHA512
0a0000714265b164cbbe8b1dd6cf7bb68854dbd739bd7c3f783ac41a5dd3e84f9b4e6fc49c0c660a97ad9e2daaf6a61374602ee3c9f02fe848ca1ee616b66acb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae7139239d6ea902165b16a4566f9363

SHA1
bd4e7eafff73883e65953672522fda372d741a4c

SHA256
81aa91af7ecb3100e08487f463b4cd8227df9ef48f57f2478ca179c61f2a2a7e

SHA512
ab40cef45c36265ad576ece82e353e67e643334253ee175ef45238a50fa5e1e39bdc270084ad6ef29ea0a59eac23fbce21ff3730758b4dde16b3335960cb9706

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab446.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar91F.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit