e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537

General

Target

e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537
Sample

191028-1w9b61jzc2
SHA256

e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537

Score

N/A

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	pid	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	1164	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B77AF2C1-F976-11E9-85C4-D26393670EA7} = "0"	1164	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1164	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	1164	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	1164	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	1164	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1808	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	1164	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee00000000020000000000106600000001000020000000688d545ce0bf1b39d036a649675ef9e0bbcab6afddd8af2b401f3b8bdebad8a6000000000e80000000020000200000005d9ac038c90d3054143270e7f26b65d93bc5ac2ec58414afcc554c6ad59e86942000000047ada0bb071122c7baf0fcd3f802f2e10a80af1f6a80293b2fff868ee903dd4d40000000e1c2018803a8c5d70f05170b7e4e2ae8985a90cbcfd489bb9eadf47964fc4e18d8136851f8bde7d87220bcaae566dbf91f5fe7e0ae15a567ee4ec0bb469f9d04	1164	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8079208f838dd501	1164	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee0000000002000000000010660000000100002000000097e25da2d0873e0ae3dc218dcd0c8c9aa5f54bdd03313f68afe02fd9f9ca621e000000000e8000000002000020000000eb90581e8389cfd95e42af463cd6091b132ecbbef2f192b2e851882d9871567e90000000c770938033c9b9d9594c94b0f118bdd2334066deedbefa8eccc71cd0aef7736f2f1680067f944b9a51cd32a1e465c6ccdd73d9a62c18e77e0c9828dd83f843456ab35742535c45178125828ff4942f9ba07de041abec2c69f53b0f04b0b13ca92778a9ac5387e1ff6a6c49adf6bdea58d1d14725594b6aeeefe34b2bd7a7e1de779220c5223a192f9f0a88633a82f0c8400000007fe448e18cb2151e2c60a6c969b75784e72168c7f956134621f935644148e00299090a47e393c86ff990068bcf61fb3d1f9ef6558f477b27171760acaeebecec	1164	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	1164	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "279027366"	1164	iexplore.exe

Deletes itself 1 IoCs

pid	Process
1792	cmd.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
Token: SeTakeOwnershipPrivilege	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
Token: SeBackupPrivilege	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
Token: SeRestorePrivilege	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
Token: SeBackupPrivilege	452	vssvc.exe
Token: SeRestorePrivilege	452	vssvc.exe
Token: SeAuditPrivilege	452	vssvc.exe

Deletes shadow copies 2 TTPs 1 IoCs

ransomware

Inhibit System Recovery

T1490

pid	Process
1232	vssadmin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1232	1124	taskeng.exe	28
PID 1184 wrote to memory of 1164	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe	33
PID 1184 wrote to memory of 1792	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe	36
PID 1164 wrote to memory of 1808	1164	iexplore.exe	38

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\asasin.bmp"	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe

Drops file in system dir 1 IoCs

description	ioc	pid	Process
File opened for modification	C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT	232	DllHost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1164	iexplore.exe
232	DllHost.exe

Drops Office document 20 IoCs

dropper exploiter maldoc

description	ioc	pid	Process
File opened for modification	\??\c:\Users\Admin\Documents\ConvertSubmit.xls	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Desktop\DisableReceive.ppt	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\PopRevoke.potx	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\UnblockUnprotect.xlsx	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Music\ApproveTest.xlt	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Music\LimitGet.xlt	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Desktop\StopUnregister.docx	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\Are.docx	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\Files.docx	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\Opened.docx	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\Recently.docx	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\These.docx	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\WaitSelect.dotm	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Music\MeasureSearch.xltm	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Music\RemoveOut.pot	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Music\RestoreConvertTo.xltm	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\LimitRead.ppt	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\SplitAssert.xls	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\UninstallClear.ppsm	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
File opened for modification	\??\c:\Users\Admin\Documents\ExportPush.dotx	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
596	conhost.exe
2044	conhost.exe
1164	iexplore.exe
1808	IEXPLORE.EXE

Modifies control panel 2 IoCs

evasion

description	ioc	pid	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\WallpaperStyle = "0"	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\TileWallpaper = "0"	1184	e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe

C:\Users\Admin\AppData\Local\Temp\e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe
"C:\Users\Admin\AppData\Local\Temp\e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Sets desktop wallpaper using registry
- Drops Office document
- Modifies control panel
PID:1184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\taskeng.exe
taskeng.exe {49E536CB-B20A-4E9D-842B-749ECCB93F6F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
1⤵
- Deletes shadow copies
PID:1232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6645852501490751141442250007-11559683051625916568-133025947013938712551168422448"
1⤵
- Suspicious use of SetWindowsHookEx
PID:596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in system dir
- Suspicious use of FindShellTrayWindow
PID:232

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\e49c6973ddcc601cfb85b451e122903b1a9c036c8baafc35cb327f76b998c537.exe"
1⤵
- Deletes itself
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2063053404-2854132222099762677-45583753-1949206537-75580183817319469623359341"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

1

T1490

MITRE ATT&CK Additional techniques

T1107

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads