238474a6849e58d1afbbba58a0ace99658bb8215981ea91786cf471f60426c5a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 16:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

uaa.exe
Size

144KB
MD5

120cb6528cd6cd5d87c8091b549141e0
SHA1

1274d57af7e11f22361df7807ff5c213585b2aee
SHA256

4107ca25f7228c0aa5407b528fa6d48d10734c4ae72088a78857f77c8e289910
SHA512

58cbbeada86393d285b3a9501c226f98d761bd7ac0de67228af1b2a8586a1b81222f3fe8043f0a7ec5a9431b764634d2e1de98b0dce9bef682287cff76716963
SSDEEP

3072:8ozK+rVoJoikcb81aWZveimww4uc72ZIVu/JMLqllXw5Eec/Gv:8AKAQArZvdJw5JZ6LeA

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5048	Tjpvpo.exe
4836	Tjpvpo.exe
4528	Tjpvpo.exe

Loads dropped DLL 2 IoCs

pid	Process
3460	uaa.exe
5048	Tjpvpo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tjpvpo = "C:\\Users\\Admin\\AppData\\Roaming\\Tjpvpo.exe"	uaa.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3460 set thread context of 3396	3460	uaa.exe	89
PID 3396 set thread context of 4152	3396	uaa.exe	90
PID 5048 set thread context of 4836	5048	Tjpvpo.exe	93
PID 4836 set thread context of 4528	4836	Tjpvpo.exe	94

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3833697715"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114838"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{100C1EC4-324A-11EF-8383-66F8B04B242D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3834791876"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114838"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3833697715"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114838"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3834791876"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426012889"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114838"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4152	uaa.exe
4152	uaa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	Tjpvpo.exe
Token: SeDebugPrivilege	2324	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4660	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4660	IEXPLORE.EXE
4660	IEXPLORE.EXE
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3396	3460	uaa.exe	89
PID 3460 wrote to memory of 3396	3460	uaa.exe	89
PID 3460 wrote to memory of 3396	3460	uaa.exe	89
PID 3460 wrote to memory of 3396	3460	uaa.exe	89
PID 3460 wrote to memory of 3396	3460	uaa.exe	89
PID 3460 wrote to memory of 3396	3460	uaa.exe	89
PID 3460 wrote to memory of 3396	3460	uaa.exe	89
PID 3460 wrote to memory of 3396	3460	uaa.exe	89
PID 3460 wrote to memory of 3396	3460	uaa.exe	89
PID 3396 wrote to memory of 4152	3396	uaa.exe	90
PID 3396 wrote to memory of 4152	3396	uaa.exe	90
PID 3396 wrote to memory of 4152	3396	uaa.exe	90
PID 3396 wrote to memory of 4152	3396	uaa.exe	90
PID 3396 wrote to memory of 4152	3396	uaa.exe	90
PID 3396 wrote to memory of 4152	3396	uaa.exe	90
PID 3396 wrote to memory of 4152	3396	uaa.exe	90
PID 3396 wrote to memory of 4152	3396	uaa.exe	90
PID 3396 wrote to memory of 4152	3396	uaa.exe	90
PID 4152 wrote to memory of 5048	4152	uaa.exe	91
PID 4152 wrote to memory of 5048	4152	uaa.exe	91
PID 4152 wrote to memory of 5048	4152	uaa.exe	91
PID 5048 wrote to memory of 4836	5048	Tjpvpo.exe	93
PID 5048 wrote to memory of 4836	5048	Tjpvpo.exe	93
PID 5048 wrote to memory of 4836	5048	Tjpvpo.exe	93
PID 5048 wrote to memory of 4836	5048	Tjpvpo.exe	93
PID 5048 wrote to memory of 4836	5048	Tjpvpo.exe	93
PID 5048 wrote to memory of 4836	5048	Tjpvpo.exe	93
PID 5048 wrote to memory of 4836	5048	Tjpvpo.exe	93
PID 5048 wrote to memory of 4836	5048	Tjpvpo.exe	93
PID 5048 wrote to memory of 4836	5048	Tjpvpo.exe	93
PID 4836 wrote to memory of 4528	4836	Tjpvpo.exe	94
PID 4836 wrote to memory of 4528	4836	Tjpvpo.exe	94
PID 4836 wrote to memory of 4528	4836	Tjpvpo.exe	94
PID 4836 wrote to memory of 4528	4836	Tjpvpo.exe	94
PID 4836 wrote to memory of 4528	4836	Tjpvpo.exe	94
PID 4836 wrote to memory of 4528	4836	Tjpvpo.exe	94
PID 4836 wrote to memory of 4528	4836	Tjpvpo.exe	94
PID 4836 wrote to memory of 4528	4836	Tjpvpo.exe	94
PID 4836 wrote to memory of 4528	4836	Tjpvpo.exe	94
PID 4528 wrote to memory of 4956	4528	Tjpvpo.exe	96
PID 4528 wrote to memory of 4956	4528	Tjpvpo.exe	96
PID 4528 wrote to memory of 4956	4528	Tjpvpo.exe	96
PID 4956 wrote to memory of 4660	4956	iexplore.exe	97
PID 4956 wrote to memory of 4660	4956	iexplore.exe	97
PID 4660 wrote to memory of 2324	4660	IEXPLORE.EXE	98
PID 4660 wrote to memory of 2324	4660	IEXPLORE.EXE	98
PID 4660 wrote to memory of 2324	4660	IEXPLORE.EXE	98
PID 4528 wrote to memory of 2324	4528	Tjpvpo.exe	98
PID 4528 wrote to memory of 2324	4528	Tjpvpo.exe	98

C:\Users\Admin\AppData\Local\Temp\uaa.exe
"C:\Users\Admin\AppData\Local\Temp\uaa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\uaa.exe
  "C:\Users\Admin\AppData\Local\Temp\uaa.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\uaa.exe
    "C:\Users\Admin\AppData\Local\Temp\uaa.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Users\Admin\AppData\Roaming\Tjpvpo.exe
      "C:\Users\Admin\AppData\Roaming\Tjpvpo.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Users\Admin\AppData\Roaming\Tjpvpo.exe
        
        "C:\Users\Admin\AppData\Roaming\Tjpvpo.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Users\Admin\AppData\Roaming\Tjpvpo.exe
        
        "C:\Users\Admin\AppData\Roaming\Tjpvpo.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4660 CREDAT:17410 /prefetch:2
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
06f5f3f6abfa0faa19dac83b5346ccb5

SHA1
28c8b2b412b44c21726132ce9f51aa9e2207f328

SHA256
1f08ea567a623c9f9015efd9b209b823cd5bce6d474256440ffceb4f5ccffd8e

SHA512
dd94f4ddc9e6cd90f1f4ae6c9175d16a6687329b2d1b928d24510229001a5539966b5ac1685d527606084a2cadc1ea856d14209c2e61b7434a699a293ebba448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
97e43885a2a6311d1896a8742bfd535a

SHA1
7bb1bae148a7a56635306bf7217a3d23140a6826

SHA256
663652351875a5c80997394d79e1ca02bdd616c8921913997a0d7fc251c55d7c

SHA512
175fc418009a0614a8869d461b0f8dc948eb09c1c2f6b321ac3aa73bf081e185ecb33ca684b3da5e5fc4a1e5046ec88b2cd7ec3d26a786b01029a7fa3ace5cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD0FC.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajaaski2144b1ad4syQ.tmp

Filesize
3KB

MD5
2e1058266ffce954a2c25811eb5bfbb3

SHA1
3b449a645a3f34b36bd7baa231df4d675c99daa3

SHA256
e09742c8d9f8ed59268bb24bcebd33fe14e36c8665e2c44bf57a8942a0e7e040

SHA512
c758a661f9ea0df5b43cd46c5d82ee0f4c0c1743f378fcbcf242ecb8345f855c7967e60856fbfef513bd1f11d81bc5f959b843cf58916ac5e838738dc9131ae9

Download Submit
C:\Users\Admin\AppData\Roaming\Tjpvpo.exe

Filesize
144KB

MD5
120cb6528cd6cd5d87c8091b549141e0

SHA1
1274d57af7e11f22361df7807ff5c213585b2aee

SHA256
4107ca25f7228c0aa5407b528fa6d48d10734c4ae72088a78857f77c8e289910

SHA512
58cbbeada86393d285b3a9501c226f98d761bd7ac0de67228af1b2a8586a1b81222f3fe8043f0a7ec5a9431b764634d2e1de98b0dce9bef682287cff76716963

Download Submit
memory/3396-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3396-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3396-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4152-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4152-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4152-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4152-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4528-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4528-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download