107f98a350f0932f5912cce2f30ee471ccc9242801f7fe864ce424e7ab283f6d

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Appdater.exe
Size

3.4MB
MD5

c163cdba001008bfeebab14dce7a5875
SHA1

e6eea0b04e221f491d70a3d910d5cda55ead43ec
SHA256

3847d0e464b8ed843f973c3609935fa03571936377f54e09424fc421ddc0afb4
SHA512

6f0b370c96179dd11b26d2f57b932a4ba24421c48a73f84ac0d18caa6963ce1636425a28ce74b2d0b9dae04dc9865f50b5f25abee55c60f01920e734d55efe80
SSDEEP

49152:a5APhegSLUTwIve1dkQPG35ZTwqk+bwLUd9Si3inY9:lfwIv+G357ZUwiC

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Appdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3540	5000	WerFault.exe	80

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\127.0.0.1\NumberOfSubdomains = "1"	Appdater.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DOMStorage\127.0.0.1	Appdater.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	Appdater.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\127.0.0.1	Appdater.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
5000	Appdater.exe
5000	Appdater.exe
5000	Appdater.exe
5000	Appdater.exe
5000	Appdater.exe
5000	Appdater.exe
5000	Appdater.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
5000	Appdater.exe
5000	Appdater.exe
5000	Appdater.exe
5000	Appdater.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5000	Appdater.exe
5000	Appdater.exe
5000	Appdater.exe
5000	Appdater.exe

C:\Users\Admin\AppData\Local\Temp\Appdater.exe
"C:\Users\Admin\AppData\Local\Temp\Appdater.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1160
  2⤵
  - Program crash
  PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5000 -ip 5000
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\bootstrap-f35e4fa1b9.min[1].css

Filesize
114KB

MD5
f35e4fa1b95d2e7ec542f896034518e4

SHA1
4572d500c8f773d282b3b2a285dc1c4a28354b69

SHA256
7914e378a14dd7a620079ba0b8eaf270c71ea6173ca0b3e93225ab6fa2e306dd

SHA512
807108a1d3fc74bb9783a0e7e63c4f962aee4929c160a1ca971e3ff27b923ad8f0961b7552f4c8e0ac4d012a03f325be45de7d685b1bc84c7d32f1d012a67606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\bootstrap-switch-5bea993f5e.min[1].css

Filesize
5KB

MD5
5bea993f5e8d6407806ee343c43cfbd4

SHA1
2c2bf31db07e18015d8e67b76bada6f07fb690ac

SHA256
74b1ca5843a5a7f68e664703f272d14990636a224831c73c0dc23859303339b7

SHA512
9f3c5460096283a5c9438ef7ed0917dd5af3817e91d0acc55e4be77c5083e170ee8932cbe074f14761ef19646b459c13cb5214b74e1c3891e17ecf0bd2953ba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\select2-1872ae0a4a.min[1].css

Filesize
14KB

MD5
1872ae0a4a9e542e3386cbf518ca67c6

SHA1
0284553f02da3390b686e84edaeb25945cdfd665

SHA256
72ccf5f402cf292e7d36fdb6c23fe6329dbeecd698ca609c5b63048b4d23a340

SHA512
338d7d538dc256fc23a50e521c5861102f50e2725a2f90164a99089e1375b9344c16a05a6235d63bb7943bc82893ffe918d7d9f882802d7c2325ab16a6ded3e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\owl-59ff5015eb.carousel.min[1].css

Filesize
2KB

MD5
59ff5015eb4179e6a710198be613cd06

SHA1
2060bd4d56f4fd58b15a5d9c0a21919497a91b35

SHA256
7880904f6ff901ecc6905270ea298d46d25b04121d18361f44cc41e8505d71ff

SHA512
73ccbc46a588df6c5118d3b9308a51d8516141455c18fdbc9061b1127c47bbb3affebdc3b83ea856af7c1d7adf0fc3c25e43abab3cac2f3063a54c58760bc31e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\styles-fe7635cb9d[1].css

Filesize
74KB

MD5
3a747a70fb33af543eccfa611103bbff

SHA1
d44a594d923168cd3466460ef5eb04895458a7ef

SHA256
fc93a176647a82555856f67bd5b4f530d922d82457637907e6a9282355d4ae47

SHA512
cd78dbcccbb579c9390a8d6c74402bb1e79844ec3e38ec9a526d4c36d2433adec703a744c0b4a0eb4335a6553420449cf2ab33da000a62c48a257ed3f4099411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FEHPE754\application-6f3357cfce[1].js

Filesize
182KB

MD5
6f3357cfce0afccacc9fa08357cc5986

SHA1
bd283c36bba46f77440df5ecd61b02a18d731b6d

SHA256
df0a43c949f570202db904706fd95bc17dba494cf32a92023c7f0c368dbf9c2c

SHA512
1c8dc9f4de83b69a121deb315c979cb4d7cc4f793cd7662e50d5d5e197f79f27632a8763fdd129ea9e7815d471f9b07a480f5e5c535089733b20f8fc12dd8a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZURVPW13\jquery-f4f04050a6.mmenu.all[1].css

Filesize
45KB

MD5
f4f04050a6e2c42e7ee23cacf7a10f9d

SHA1
baf6c0c21554f5520be0719708d29fc272cb4aa5

SHA256
eda9dde126d7ba0308064a60f0fa7f0e8df01d51dacfc9743db9203a6392533f

SHA512
e8dfb2cc38cd676880abfa51ec565d1b21ab6664b264f8e1912a7be1b7bc3b4683fe9c73026128f59ab7fc8f3167cd1b28499b30574744d9302af7a58d638435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZURVPW13\libs-f609eb939f[1].js

Filesize
802KB

MD5
f609eb939f5a53fd146a8662116400b7

SHA1
4aca17a4d53a19d915f8718741ee62c5e653e6c7

SHA256
233bc992a41903cb2f022eddb65d7ff0ffcc798398ce56dbe52e9dec707b6597

SHA512
b55cc7ccfa9a01bbeff9a107d8ac65961baa64b1e711c15b1a2777ef614509f58042f2cf5cfbc95e1fada4fc17fa53cc95d75ef22baa54404665709ff9486226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZURVPW13\partials-16dc7c142f[2].js

Filesize
75KB

MD5
16dc7c142fa61100bf520631825d9483

SHA1
7c44cd3d9a2cd674edf11fe84b9ce349ac893b0c

SHA256
94b5f7cfabdd912f284366ca6cb54b75fb5f1fd9eca1ba29fea5ae37dd84b0a2

SHA512
c4f962735510b294199f1dc38df4448ccf6805fda7935168264046138fdd5378011b6370a2cc0cbe17309064edc1bd2ae0980bdff65eb2cec8bfb5716e5266a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZURVPW13\templates-78ca868266[1].js

Filesize
261KB

MD5
011876389b85e0c40ac0ee99029773dc

SHA1
a52a37711b64b549ec14e2aeabb3fa2e885125f3

SHA256
7bff61ba97c997af24ecdefcc4ca5a884b7607d23f6b735450628281578f3121

SHA512
2557d99bd3c90998691a75bebae2a0aec6170a7036b099330d4fdb8d834e7c43443b1a47fbce874c168c9c7cc32bc9b1b7c14428361f30e3837a71481a7ce398

Download Submit
memory/5000-13-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download
memory/5000-12-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download
memory/5000-1-0x0000000000415000-0x0000000000416000-memory.dmp

Filesize
4KB

Download
memory/5000-0-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/5000-2-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download
memory/5000-94-0x0000000000400000-0x0000000000796000-memory.dmp

Filesize
3.6MB

Download