c42d7fdc625fb5243ec2f9685120aec1059dcd753f735460b9b4ad180f97cd2b

General

Target

GuiClass.exe
Size

2.5MB
MD5

454de462d777b0cea86001dada13a25b
SHA1

72834474faf292f1d2b84ef6f13ca5f46b1927dc
SHA256

c42d7fdc625fb5243ec2f9685120aec1059dcd753f735460b9b4ad180f97cd2b
SHA512

3d38bc87eb967b912b1e5daad6434893bd82579bd07d78778e75268e042fa8791adbfbc9b3d06ea3e19fd469d9466e0d572b8bbcbcd3182b37d4f2f512424553
SSDEEP

24576:wFRhNUk40pnJRiwxOVf3OOOPI8w8q5EDkc8bTxZlYgUlrrP58CY9Q3YtfKVdLNuW:OddnqvdY74Q3gnaXwIXPb3

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{30CB1CB3-FD78-11EE-8F38-6EC2EB28F027} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ed66077336b33547b86ad527160cdd32000000000200000000001066000000010000200000008c412645e03dbbcafb15e1093a6c4b1b3bdb3ad98ad6b17997a36f7eef3e96eb000000000e80000000020000200000007279d2845a8f0afde7cceea50775021829a754319684cedd96996474e5fe786c20000000c32db011a84d5ba26d1fb6ccedc5c1279029301e8de4e578d19d9152460cfb51400000004a5ec266bd4d547d21f1af9accdbda9b05220ca24b01d900b239863888a38d18c115cb844ad0ea4a56a2dea29ae6ba40badb0219f2a2f279c69199600f1ad03c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ed66077336b33547b86ad527160cdd3200000000020000000000106600000001000020000000bb4b7e0a24e5b4563dc386226172cd58d3d4ca761739bd6621224848dfde2d7c000000000e80000000020000200000007b90d25886ebcd3acdb9a40d22b8797f134b57d6aefcbdfaecd9bf06fa602b60200000004f7635ff1bff6906cbc7bbc10e63f96eb4fee7d84ad4efab44c051cb77040398400000009f79c43b04929d87fba3d484fdb95806fca1cb07d4410d1c51aa78a8bae0eca01c86139b3357cdfada944a580beec7c80b009cf89a39c6fb437632fccd2ac61b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 802e78098591da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a87e078591da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4844	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
936	GuiClass.exe
4844	iexplore.exe
4844	iexplore.exe
620	IEXPLORE.EXE
620	IEXPLORE.EXE
3564	GuiClass.exe
724	GuiClass.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 620	4844	iexplore.exe	96
PID 4844 wrote to memory of 620	4844	iexplore.exe	96
PID 4844 wrote to memory of 620	4844	iexplore.exe	96
PID 4680 wrote to memory of 724	4680	cmd.exe	108
PID 4680 wrote to memory of 724	4680	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\GuiClass.exe
"C:\Users\Admin\AppData\Local\Temp\GuiClass.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ExitSync.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4844 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:620

C:\Users\Admin\AppData\Local\Temp\GuiClass.exe
"C:\Users\Admin\AppData\Local\Temp\GuiClass.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\GuiClass.exe
  "C:\Users\Admin\AppData\Local\Temp\GuiClass.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads