087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3

Analysis

max time kernel
140s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe
Size

7.9MB
MD5

9c99b106c17bf79e0bea2d277b5a58f7
SHA1

61e0d359386ca6e53cb3342db08c3b129a420efd
SHA256

087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3
SHA512

e59da36c59a75b9904ec3a35947f690bd37ed452ef02082504f1f16465800051b9fbcfe7d180130bd1768ea7d85cff8264def467b0e5c74f3b9773b990812654
SSDEEP

196608:2QUsGt/hlfOzFewvf1RVuI/XZP1JuAyIFk+0X29fnDTRZ:XGnfOzPV3uIfZtJPBf0X29bTRZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
2456	unzip.exe
3020	unzip.exe

Loads dropped DLL 7 IoCs

pid	Process
1584	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe
3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3044	1584	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe	28
PID 1584 wrote to memory of 3044	1584	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe	28
PID 1584 wrote to memory of 3044	1584	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe	28
PID 1584 wrote to memory of 3044	1584	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe	28
PID 1584 wrote to memory of 3044	1584	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe	28
PID 1584 wrote to memory of 3044	1584	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe	28
PID 1584 wrote to memory of 3044	1584	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe	28
PID 3044 wrote to memory of 2456	3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	29
PID 3044 wrote to memory of 2456	3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	29
PID 3044 wrote to memory of 2456	3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	29
PID 3044 wrote to memory of 2456	3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	29
PID 3044 wrote to memory of 3020	3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	31
PID 3044 wrote to memory of 3020	3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	31
PID 3044 wrote to memory of 3020	3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	31
PID 3044 wrote to memory of 3020	3044	087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp	31

C:\Users\Admin\AppData\Local\Temp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe
"C:\Users\Admin\AppData\Local\Temp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\is-3VDJA.tmp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3VDJA.tmp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp" /SL5="$50150,7384214,1089536,C:\Users\Admin\AppData\Local\Temp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\unzip.exe
    "C:\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\unzip.exe" -o C:\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\view.zip -d C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\unzip.exe
    "C:\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\unzip.exe" -o C:\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\exe.zip -d C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install\0\img_0.png

Filesize
146KB

MD5
a5c15bd1f89d690caf9e7be8479ec77d

SHA1
bbba53d96ba72fb5789a69426c87e4a60fd45d52

SHA256
61c6e0dbe1bfd83a776da2f59240ba502495e5c4c12589a8b638f170ab0dee82

SHA512
0435428325ce67eb29a3a07cfbc6b0dfd0149729a6799e4f7f32d8285fe779fcef9d85b6f8ae19a88f8517171319de020ad70edb8fa3c91bb5584de618e086d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\0\main.js

Filesize
815B

MD5
38b80ddc5d86558761f7823417cd9140

SHA1
b3b37909a882de2a05ccd0954da54273896b59f5

SHA256
8dc4c40a3a6cc600e847bac105426dd10e2fb45b20a871514019bc0408563575

SHA512
cc838c462f2cd5e2eafc5bf7ac51348618bee0cc0141b23d60d6f296f13840d0f4ff5692842b8911cb84f975ce603c378aae247d83b2cb3c5c5f7d6a987de67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\0\offer0.html

Filesize
4KB

MD5
c595a0dda80e4e5b980e0fc60b911c45

SHA1
530340c57fe0f3a08d122f11f0967522ba6766dd

SHA256
b98e04462a4284fd45d66be5433e3ab1f73d44161f7e3def53fe059e09f3e0ec

SHA512
aa7e5df2ae981047cde1526fd372ac46760073bd0c3a5521949d862f8e230a6e308081d5d1a3c7855d8aa5f5f6d28f8ff152cfdce96911884554ad6c18e75dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\info.xml

Filesize
2KB

MD5
681c8c4d6692da490b0e493c2502fade

SHA1
8dcf7e265ff7fd9acb97d76f8eac0a1933c0a55a

SHA256
b1f485180b515fd79bb6c07dc77d4366f2b1d09e9426771589cb1bc05d6e7999

SHA512
0d1d80419155748eb5e11a5ea7e0a87ff3eb4b2915de93bf4b6dac78410eb76139355ead447c3e798faae15ca7f50aaa2b707d303b01528050c1e45dc98b4479

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\exe.zip

Filesize
2.6MB

MD5
2af16d70186906d29f4551f0b73a5dad

SHA1
0d87e798c08858801abef135d2be378247637d5c

SHA256
c71a3980755aa1e65c4291eec55c48a928789d50d4d12a6721dc4499692905c3

SHA512
4282d70dd2d007a0b980ca8d792b9d1870c80969aa4ad06e8d160fc7c1554750ece56298288cb6efab28d3eccf844a906ce57009f6256eee6bfe535e7d81aa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\jquery.min.js

Filesize
90KB

MD5
8b057f40439a72781f73283c16d305ce

SHA1
b6fe8c7431a5f54d3df475c252ef268fd411ec08

SHA256
c7363832ac7f22d24a42dc1856365688a42fc7cbc37c76d1142f64921f2568bf

SHA512
90a2ac43e6ca6b39c15c33a5174ad3f210c21a4a7200308248aa9b59a3ea71cb72339a6431ae6b72e1ee4bba458e9fc33ea21f1fb269d6d4b0fe4c9f845f875b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\start.htm

Filesize
4KB

MD5
f501eeaed481413924e104a9ecb52f60

SHA1
3bf5cd9416079cca399cdb56ca333839dcdb135f

SHA256
464285fb17139b17f559dc53a4b837b3e2327c4aa89c7952e207b36ecae739b9

SHA512
9675486ca4df32c2a8fec4f03d61af6f3bfd2f5b6c2c20271d375c29e292dfc7b9c03effe6e4d49cb3dc5f792b3a5377dc72e217726f0ca11d0667358443e7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\view.zip

Filesize
153KB

MD5
40cde179b0be44d921d7978181dc860c

SHA1
ebfbd56f571599c81a5db82f0d2c4839c2bc707b

SHA256
0953f102fb06e53e169938f49dde5075c48176797c95a44cda45b748c573d90c

SHA512
047c7a34d6c9d63c5f13f509fff84a15d5b06e08becfc82d1e870ddfebd0ad9c2dd986fd0816c51d62a11de4edd8da41c3c51e51662a4747832955bb11c2494b

Download Submit
\Users\Admin\AppData\Local\Temp\is-3VDJA.tmp\087e96273c5189a818cecfb5aeb040e1fd8e3bfb2270123b1462c3a18956c3c3.tmp

Filesize
2.8MB

MD5
3aa1f23d37fbe8294e60758160e07922

SHA1
29910070973b20b31e28b71d8f344be68d42ca18

SHA256
6b16d8c13c02faa8dd4ec0f7b4db2ab5cd7652a88e89b86ecd63b010652dfe03

SHA512
e65aee6f12ab5315fe08903ef1245435eab823b1e37b6c30bab95fb71a46e7ed117c00552016f89263262e0e06660f267e36767e6f0bc8d8df2db1be645c0348

Download Submit
\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\ewb.dll

Filesize
1.4MB

MD5
9a0329ad9e2dd88a0aacbd8898a4c29b

SHA1
24a6a75c7c1ce8548ab2ccf9eaf175d5621d66c4

SHA256
dc8621a7ca55e139602b5a0b4544c0189853717c8d73eef12700cc1439e38a14

SHA512
5aaef9c5899e71920cd18b13b6155ef6430a624aae6fbf2830ce1069eb5e77424f836ac2838b5d4d54d5cbe8e7555e21bff817f366fb0f4d59034ef1c4f8bc68

Download Submit
\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-N74BD.tmp\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
memory/1584-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/1584-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1584-109-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3044-12-0x0000000002150000-0x0000000002165000-memory.dmp

Filesize
84KB

Download
memory/3044-9-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/3044-111-0x0000000002150000-0x0000000002165000-memory.dmp

Filesize
84KB

Download
memory/3044-110-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download