f217913ee09ef29c065b56a87d356a3d34ba1fa48dc9bd35c577e0fc2facf982

Analysis

max time kernel
135s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1132a280dcce43b77d41b2eac767c6b.exe
Size

9KB
MD5

e1132a280dcce43b77d41b2eac767c6b
SHA1

5e13894bfbe1a4064893c4d39d9fdac17942e561
SHA256

f217913ee09ef29c065b56a87d356a3d34ba1fa48dc9bd35c577e0fc2facf982
SHA512

d4247751dc33cedc2c5e3fb6cd65092a6f4d5d71d5fbdb274cefd68e65d34fd6a4946a2ecf5862d2a3100ac6989a2a46b7ec40958e74bba928a64d714500edf9
SSDEEP

192:nl1wyvgABQC+Hsn1nNlE/CFpxZq10G1/iB5:Pg4QC+Hsn1s/CFBIn1qT

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}	e1132a280dcce43b77d41b2eac767c6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}\StubPath = "c:\\temp\\install.pif"	e1132a280dcce43b77d41b2eac767c6b.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-0-0x0000000013140000-0x000000001314E000-memory.dmp	upx
behavioral1/memory/2084-1-0x0000000013140000-0x000000001314E000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417685186"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D46EA2D1-EC08-11EE-BB22-FA8378BF1C4A} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2192	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2192	2084	e1132a280dcce43b77d41b2eac767c6b.exe	28
PID 2084 wrote to memory of 2192	2084	e1132a280dcce43b77d41b2eac767c6b.exe	28
PID 2084 wrote to memory of 2192	2084	e1132a280dcce43b77d41b2eac767c6b.exe	28
PID 2084 wrote to memory of 2192	2084	e1132a280dcce43b77d41b2eac767c6b.exe	28
PID 2192 wrote to memory of 3036	2192	IEXPLORE.EXE	29
PID 2192 wrote to memory of 3036	2192	IEXPLORE.EXE	29
PID 2192 wrote to memory of 3036	2192	IEXPLORE.EXE	29
PID 2192 wrote to memory of 3036	2192	IEXPLORE.EXE	29
PID 2084 wrote to memory of 2192	2084	e1132a280dcce43b77d41b2eac767c6b.exe	28

C:\Users\Admin\AppData\Local\Temp\e1132a280dcce43b77d41b2eac767c6b.exe
"C:\Users\Admin\AppData\Local\Temp\e1132a280dcce43b77d41b2eac767c6b.exe"
1⤵
- Modifies Installed Components in the registry
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43a60c960fc0d40279afb9a77dba4b72

SHA1
5c8fa642862525579ec5f1cdff34c60e773ffa66

SHA256
c026cf1e0581c9f7ff55446865a374e70ddced37837645019b218bed84e53fed

SHA512
654faab9f06fbc351bdf9dcca9218f6ab53fb7d219064e57bd5b84dd7cd2e10e1d82ae7795ef12a833f803d7f66ca65c98e374f16a84a1d9f45c7ec930b57f86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc1dfd3d65c4159d3c5c44f9870a3a14

SHA1
f6b76af688831fe2112e685734f1782d85f3efe9

SHA256
69a5e4e20a9d3ca9ef69b8673a723a817f725e1dfcedf8e3bc61bbe2c5c28387

SHA512
69ca812bb2991426ce9781b73b546eb931b7b92b98ea5552b62ac5a1d5aef6672cbd0dc28aace05e85626d51e4b5dae702f41822d685238591521cc91c6377b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be3bc8ca872643259cafd365f5c4ab85

SHA1
f2626d3f386f55a241deeb3fb7c923c6485f5e6c

SHA256
58a0d268866f498f55e9fcc736594bca643154a299c01a1dcb5f363343a1750b

SHA512
3afb9cb2f8b14a2774323768f29fb375994173c51784d6bba900fad649db5f0a75f90a1b9233577a949b42afb737f614fef2fa3eba638c9f957f653254538a87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db3e58faf1c11da54bf2b5df02923e9e

SHA1
3dcb94be2449a9e4c2a5b235cb2fa18d23c5c8cf

SHA256
a7d7e623daaccdc6a8b9b290fd657a38005e23c34c3569bfbdc2706c0ad88d23

SHA512
c5429731818e12fed85f77c5e36f1f237cfa73af6b44d6d0f99a5bdae0d43cf1805cb4519513f4a5a88fe11f53f411c88434a1aa06fc4de7218b589b0614d60c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7ae2239623181f79a162fe213bef549

SHA1
514200d56845087f43a831505b13355eba7b5e0e

SHA256
8a3f8d4f4762181dc78f147c9513aad9a902cddec80247f886d83440f39e1f4e

SHA512
9c83b553866d81270962df200b7b0eed748e0e0b015ffe1bac9c80f57a7b8446699b740d5e8195b195f6da343598a40661258a911dd7667fd4e69f813f72f23d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b86e89e5630e0ec31ff720efe09e8c82

SHA1
966789faeaec50a9169c43d1fe4d1b7de9a3b755

SHA256
a402d5a062bf2a22427ab2684c842d6e755ba774131adafd3ff4f650e93b9037

SHA512
ec3c2ab6ff70bbe665275671f95c06492c9783d689091d213de05445b5a867611e5659eaca1ce60107f89a2e2c2822051cdad71b928f2697cdae21b380ae76dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c86fc63c4289bd8c95b710c583007cc2

SHA1
421c383f14c640e6221036d9d3ca7a4a8e2b7bf3

SHA256
590a8781446f903b24ed94343bc11a2b5fe3b5153e2e0f67ace59fb13cb75bdd

SHA512
633cf0e51fc72095b32632262b3a6994a7556356f55c12afffacafb4c402f612f3debf20293191b1721f32ad0a99a04947f2cad7031d9fb16d6c4ac90316e3f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7cfa62f709a862951fcdc3b205e7505b

SHA1
76cb05d6cc0fe012ee9055dcb0e88a470ce3d4f7

SHA256
9b07eb182d6ae0bf2d8e3a66d235c5a63b3dacfb708d6f054418a8770750d9b3

SHA512
4148d7eb545e66d3599a37db1cbed9c28f6f26f89f7b8867fee552b3f40cd6a7dfdb8ce527d6bff95d0f0043a1434bbd1fd87ff8e8604a22efc670c7dc5eeddc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aedf7cb2017065308e3e2bbc6558f53e

SHA1
bb10957b17e87b3dce22655f6fdc9561c74a5570

SHA256
b8383d4b3891cc56550da7864e8cb9ce7c18356da8266ff312d80925250424a5

SHA512
07be3c08373772acb975fccb2b01eae9b4f0d99f7bde4bf3a6abfabecc4aa9c8e454bdf587dd823501eaaac1f6ecfc3316cdb25530a0cdfc17914f0b86f8a93a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7be1bfcaba655de71315a5878cabdbaa

SHA1
de13a01e5a5bc0855cbaeb3fb8b850438696b798

SHA256
7e281f0070c0791f54d6fc75949ed5f2fa3acc90f3b319d857f75b0a8aad7e25

SHA512
5d16e67a421d9f204c780085af94420733b040b62444eca6fbb381bb0e3d207e65309d9d1d786e25a6c17fbb71030b3012a865fe68050222401c4d1300da072c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
095427e681c02fb5299d29a57566ecba

SHA1
a87c713ae76dd17d785581d1b69b8e18ff8f5671

SHA256
eb81c6a836f56947ab5815ed33fd59ab09655fcc1fcb4b131c76f7a730438713

SHA512
ddb556301279107f2176f3d11bf75ccb50c91b01aedcfa5465edcbceb9ca43184caf890ed216c434364042136ebe720479ed07dc244510242e682fbbcd891c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a191864be3e2438be949a1090dc20156

SHA1
6c0aecf7f59b6433d8b661f341ca381803803b55

SHA256
cc422135953f194c09d23ee9498bb05789dc0634e2beb3dbb321633227c10ab2

SHA512
24f65190f0379ad12ab2ea353d06e684632aed26ab8723d2e7e96a5612575f25dc64204db00f5702402186cb5a05b86020de2d00101bf51be06e582d0c7491d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20cee08fa6ad3a24f3ed9b45a40b6ed5

SHA1
328fb64153943ae647e7ce01af182657e65f7347

SHA256
27025fdd87a811afd25e7fe9ee4f829e0eb6271bc505ec60c3546f37df2cdd84

SHA512
3289d6b41cdbfc5437b0cc72a42ef430573e36153b365a78b48345eb9e9bc683899bb7a560ad735ac0490d12c6ba478a7c7a2f43381d609219590c40d45494c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d50dc0092211ec789144808fccee1da

SHA1
271ddfa5713f1f3d2e9c1c0ee28e9aebd5fc06a9

SHA256
93017e3aae7528603b8ee77388cada1fbdf1d29c43abc5cc53cbf71547a70054

SHA512
7f4b60396fcb0e2ef3f8cec1a92b4cb1540d6e5e304994efef67d2c1023c9f6b562a54f75843baa75e81d9d02a8979f28389b48b3b85cd7ff5d6602968186dd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6172033d40190f0c8bffe8d835c6884

SHA1
b715acf53a53a51776b999621b87f4b42cdc91c5

SHA256
af0b9edbc4228d0b73410d07ff6d09327bb047b4a577e32dce1e54eb70acf58d

SHA512
06f9792c9c6fec8247747b63eab967ddacca6b7238950053aebde8c48aaf003cc3b5fef62d8f09546ac684c11cf19045011143fb3c9aae4d2c50f813a1181e2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f2e9b7bdbe78fa948e4734e6a2950dd

SHA1
ac5cad79e1dd10a8eae740129f73f4e1300a32b4

SHA256
6451940bc9df6f1e1755d223e54bcd8e61c7e84d2e13d5f1d5df349e977161e0

SHA512
d1c28f0894e318a21e9c8c10e919fc11754a13b9db4116fedbc0a6dfe6f68661da54f088797667a33cd450e34581e0db70d3edf7e6a6f8801a12a239854ae6ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07a14c98a4ef5634b3298d5b604f4ad1

SHA1
3ed4bdf4df29ec4f4830d14e3ed61a23833f5b6b

SHA256
7496142f4820a933907f269b9ea796d115afef1f981b3e61534dc6d164b525c1

SHA512
5df934f14dcdaebf4c6326e0ae1a79524256a19f4944421fbb57fc5cad7c23d8ca96e654a6f1f311990199be033bb7a62135172260177f6bffe553ddfcd9f90a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09dc47c1748bcb94df13abb3d288c98d

SHA1
d05df8047918d23c842d4fff63084480dd6799fe

SHA256
4468d6c19069350b146157841140246cbe56a6ed1cd250e58148ba2d009561b2

SHA512
4f174614e3d156fed22adff6bb04f636ebade2477226265ae88eab63cabe9889ec7dbbbdd56a2259156ab2efc7f96a2754942c7a307093d07b89e005463d7260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5D26.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2084-1-0x0000000013140000-0x000000001314E000-memory.dmp

Filesize
56KB

Download
memory/2084-0-0x0000000013140000-0x000000001314E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads