f9e41fe0854e1d2cba512b09924e117b044f23232e621b02e762a0988b044636

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/FindProcDLL.dll
Size

3KB
MD5

b4faf654de4284a89eaf7d073e4e1e63
SHA1

8efcfd1ca648e942cbffd27af429784b7fcf514b
SHA256

c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3
SHA512

eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1716	340	WerFault.exe	28

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416979565"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EEBFD6C1-E59D-11EE-B012-52ADCDCA366E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2656	iexplore.exe
2656	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2656	iexplore.exe
2656	iexplore.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 2040 wrote to memory of 340	2040	rundll32.exe	28
PID 340 wrote to memory of 1716	340	rundll32.exe	29
PID 340 wrote to memory of 1716	340	rundll32.exe	29
PID 340 wrote to memory of 1716	340	rundll32.exe	29
PID 340 wrote to memory of 1716	340	rundll32.exe	29
PID 2656 wrote to memory of 2696	2656	iexplore.exe	32
PID 2656 wrote to memory of 2696	2656	iexplore.exe	32
PID 2656 wrote to memory of 2696	2656	iexplore.exe	32
PID 2656 wrote to memory of 2696	2656	iexplore.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 220
    3⤵
    - Program crash
    PID:1716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be1bce77da9d10a948cd125c0e9715de

SHA1
a94aeffbbfe0a054972bc9129622a8e7e440898f

SHA256
e3d05f433e108e1a014c5f804cd2d424e5f0730f1e9e98a2b0131936bf938f5e

SHA512
65167fcb305b94ba666c9417a90068eede28a335efe5c9ae31bf74ab77226920c0ef9e0778ef0ad1d4bbfcb4f83deb44eb8bcce8b3b66840098b1522fc21185c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ee19ff43c9e2ed8c2d0551e5fbbda0b

SHA1
46c7cc9675031f33ecd07be9c4cd0f82f0a08641

SHA256
1b6b55c26136bed3577e9ed7b8319644493d58da58cf82ef69d202aa4a2f1e5d

SHA512
7b8958de4852f49daf0f72f33947eb43197108449a0464b6dbda2655bf6e524cecb38fec52f2138514e2c2c922c3ea64c8e9f8a970fde8c8e90ad1d447df440f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57b322b92526df7a9d2564e69fe968fa

SHA1
db15566384db76bb434354eec0302db854c07106

SHA256
a03e06c245bcae45b8f88f9149abec4779ac18d9273107c148134788c21f739a

SHA512
43c6af9bd44965e7d7094fa97165be4531cfa3f5c73398e727c361387026eb0f50da5c76af9d3a0b4c56a8b4e01e2eae6c85d35a692a0dba588415ae2ac9e894

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c386d321bcc7480657734e1fd51c7afb

SHA1
3d47ab27d6ceff2b40453c36d7335150c437c751

SHA256
7c7ecad2f0048bb23b0ef33263fabf58be79fdf83fce420e3053e84d395b37f7

SHA512
dc551c14a7e1b2049aa17fe147adbf193ed0fc51c78444fa8fb7499228d2a62cfa01cd525e5c10cc9f8ebdcf501bf8d628ac7e714f2c2c4d3665fa4a0d9c0eff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e450b761ebdbec5bd059e0a8dde673cb

SHA1
9735f792229d9cf991d33886995f2f38ead1a165

SHA256
7a70b1961dd0baea40cd43b1ba3b25a587f572725ec7c1327fe9a129a2bcfbc6

SHA512
d8986de743cd58670391903d96d44088fceb6625f6162337e807f0005e2579a687a3c341cd5e5edeeb9d2970c5109965a594ae47641803a8b207ff822fee0b5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2fe0a1c5803d4a9515597232147a500e

SHA1
5634aa6253b9e70985299bc5a77dba1d063d47e7

SHA256
1b6187caa62a101d892d57bfd2331e09ea7d6ce74abb470efc6219b7185285f4

SHA512
b6000de316f79bb13d48f3b4729d822326970e8f165fafd2aa353dc2608d5afcf7d24353923ca4f645d068b85f47c867926088e5af4e50e8b8cdec4c38af1c5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
668b01ffca0598afa4d63752960ab494

SHA1
d851a8fcb1b5a74837faa739c88d06ac32029a8f

SHA256
901b75bd7099c79494443cb304de527a65181abc6a2ad3612318e0365877fc51

SHA512
d8bfa91cd7485911eff7cf8cab631008ac4dbdf1b2dae6271b48b539e8be8720dd87f9f64ef9db5e4f1b358cfb5b88a7bc867c9a37c01cf460234a94b92a458a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e34a3c8b230a5174936212f61625ec3e

SHA1
494a41c856ff1c57d8917e0c9b3fb723667a5290

SHA256
86e61a27321b964a6567e4fc11d1cda69e6203a2f5cc3608c6537b20bf49dd71

SHA512
f0104bfed5721c1fbaf513b2936a32af2f0822ffe7e11faff5027e0453dcf10768c303d5dc3e67395b23c304762959145fece396952f79af362cabb3d74d3c2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e02693af04ceb476203e7cca4054f572

SHA1
d02c41624727a93cc27118bbbd6e8bc27e50c0c4

SHA256
2d3339d159ddfe1dc0b0669d7a2d3560cac157aa41cfb46ed867fdc91e7a108f

SHA512
61020b3557a2102f4d73adfe281c44408640e3f3a1dce52b91ca8d64ac384d98446eb318ccd90b2aa444529d3cc0d7fd42aa29da9ef7282496cb1665b7b34cce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82dc5244c90f1bc4f7148f1a5ddad2b1

SHA1
98fb741a2dc1c3bab795c7d4935ffad559cf9bdf

SHA256
a7058d322f82f6932dd1f01f777e6761de9c66c00002e9d67cd1e9cb989e137a

SHA512
3ed5ad963ccb1af080ea278ae5844e5556f07607f9b4c501dbd5f4e639568b47454d31d5acf944bab60f95cf75f6bddaa1897fe996bd919096ee440eb5c33e7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
783c0cdcc822d141e9f0c6c49b6c640b

SHA1
8794a265d6f6eededf4c60413cc784da17e48c7b

SHA256
a07163515366ff56b768bd275904a64635b8d204753118033c5535835092d6f6

SHA512
ee1cae3c74533f6c8d32bb9798d59d0678e1af239409558e69cfd9f4d612c2359be7529343b2ee2741769979364708f6e9631d20b51e5218c30901079fad5e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6af642b7d8f65efdc00090abd0345fdd

SHA1
1cf642341905e6f0f3c7e5b6d2fe1e7d6fa40316

SHA256
642fa80f40648e28e73ad86341b2bf687352f733af3558806ad81357612b0ad0

SHA512
50c31d0f32eb5547e5dae29a65a432d8e1c651fa7237d05ec7537119d77991a8325878b518e158d0d3fe034947e3bc7bf5dbf613ff6c2db63140bf7a7b895e2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a2c5fd53734ca584cbc8ab9a0511be1

SHA1
78410abed4f92124c0e0f803532bbfd1ad812da4

SHA256
b632169ff362421f0872d19fc27361768176186cdfa6f32ba69d61fe3b639be0

SHA512
2111d4e07b8f5547506113e2ae94786f2869d7ca299c9554e246e2f591d6acfaad1686170f4effaff7119dc2caeebf3eff3c97de04d95baad38fc0c94fc406e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
503ce87e5dac895ab61c4b8edbbf57af

SHA1
df7c9345c218f8914025833323476fee4e3389e8

SHA256
6fd9d71c0a5f55c21d08cc8892037bd7a2326e036b37ce524b9b1a7b9e32ef03

SHA512
2c53ba2f34b3c7d09054de7aa80ebcd5f545a40abe20c3b787ea608274b5dbcba611f24a7f091fb6c8ff1640327f5dbb4271cac6578ea8b94a79f345db8ff212

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA858.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit