979e6cae1a7cece38a51f18416d469c90b8da28cda1f37305de8730f268a12f8

General

Target

MasterModz27/vietclan1.exe
Size

999KB
MD5

74875414286f38026ba797089abcc4f1
SHA1

77455ecc3f3e1db1249bdc214c254196ecec0120
SHA256

0ff2fecd3d8db67aba33704e7a6cbc92ccf8381ca04616dc6078427428f28d92
SHA512

1b25b62423acbdc9159c4475b9bbd2528d39392dde4473a6cfc9ab59132349499aee07b7abc0cf4d9e6d61f213888799bc034987e66d212b1a5fee43fb765b3b
SSDEEP

24576:1tviYFCFAbEj390uf8oC/mgkrNEaEEmcuRAo80PE:P5IACdf+jaVfJ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	vietclan1.exe
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TypedURLs	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395168194"	RunDll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	RunDll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	RunDll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared_TIMESTAMP = 40c6135303ccda01	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395168194"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared = "1"	RunDll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2112	RunDll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2552	vietclan1.exe
2552	vietclan1.exe
2552	vietclan1.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2112	2552	vietclan1.exe	28
PID 2552 wrote to memory of 2112	2552	vietclan1.exe	28
PID 2552 wrote to memory of 2112	2552	vietclan1.exe	28
PID 2552 wrote to memory of 2112	2552	vietclan1.exe	28
PID 2552 wrote to memory of 2112	2552	vietclan1.exe	28
PID 2552 wrote to memory of 2112	2552	vietclan1.exe	28
PID 2552 wrote to memory of 2112	2552	vietclan1.exe	28
PID 2112 wrote to memory of 540	2112	RunDll32.exe	30
PID 2112 wrote to memory of 540	2112	RunDll32.exe	30
PID 2112 wrote to memory of 540	2112	RunDll32.exe	30
PID 2112 wrote to memory of 540	2112	RunDll32.exe	30

C:\Users\Admin\AppData\Local\Temp\MasterModz27\vietclan1.exe
"C:\Users\Admin\AppData\Local\Temp\MasterModz27\vietclan1.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -ResetDestinationList
    3⤵
    PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IW68H88T\dnserrordiagoff[2]

Filesize
1KB

MD5
47f581b112d58eda23ea8b2e08cf0ff0

SHA1
6ec1df5eaec1439573aef0fb96dabfc953305e5b

SHA256
b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

SHA512
187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVDR4C1U\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVDR4C1U\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
memory/2552-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2552-0-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download
memory/2552-4-0x0000000004F10000-0x0000000005F72000-memory.dmp

Filesize
16.4MB

Download
memory/2552-41-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2552-40-0x0000000000400000-0x0000000000AEB000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing