d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb

General

Target

4d712b5dc93ea0ef4c153dfa30aacd25.exe
Size

285KB
MD5

4d712b5dc93ea0ef4c153dfa30aacd25
SHA1

a6a4179eee29bf8e05dd34dda07c27b60a894465
SHA256

d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb
SHA512

3e69b19b9314d84097e5b98802c76e6b9892bd167bcc57699fc5d574f6976bb4820bd38c3613130382fb477aefe55d3ec18d6abb9482af8828f6a5d3b0461144

Score

8^/10

persistence spyware

Malware Config

Signatures

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

control.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer control.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	control.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

4d712b5dc93ea0ef4c153dfa30aacd25.exeRegAsm.execontrol.exe4d712b5dc93ea0ef4c153dfa30aacd25.exeRegAsm.exe4d712b5dc93ea0ef4c153dfa30aacd25.exeRegAsm.exe

description	pid	process	target process
PID 384 set thread context of 3792	384	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 3792 set thread context of 2992	3792	RegAsm.exe	Explorer.EXE
PID 3808 set thread context of 2992	3808	control.exe	Explorer.EXE
PID 3780 set thread context of 1252	3780	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 1252 set thread context of 2992	1252	RegAsm.exe	Explorer.EXE
PID 1492 set thread context of 2140	1492	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 2140 set thread context of 2992	2140	RegAsm.exe	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

4d712b5dc93ea0ef4c153dfa30aacd25.exeRegAsm.execontrol.exeExplorer.EXE4d712b5dc93ea0ef4c153dfa30aacd25.exeRegAsm.exenetsh.exe4d712b5dc93ea0ef4c153dfa30aacd25.exeRegAsm.exenetsh.exe

description	pid	process
Token: SeDebugPrivilege	384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
Token: SeDebugPrivilege	3792	RegAsm.exe
Token: SeDebugPrivilege	3808	control.exe
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeDebugPrivilege	3780	4d712b5dc93ea0ef4c153dfa30aacd25.exe
Token: SeDebugPrivilege	1252	RegAsm.exe
Token: SeDebugPrivilege	1852	netsh.exe
Token: SeDebugPrivilege	1492	4d712b5dc93ea0ef4c153dfa30aacd25.exe
Token: SeDebugPrivilege	2140	RegAsm.exe
Token: SeDebugPrivilege	3400	netsh.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Program Files directory 1 IoCs

Processes:

control.exe

description ioc process

File opened for modification C:\Program Files (x86)\Hql7\vtaxpnji8g08x.exe control.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Hql7\vtaxpnji8g08x.exe	control.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

4d712b5dc93ea0ef4c153dfa30aacd25.exeExplorer.EXEcontrol.exe4d712b5dc93ea0ef4c153dfa30aacd25.exe4d712b5dc93ea0ef4c153dfa30aacd25.exe

description	pid	process	target process
PID 384 wrote to memory of 3792	384	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 384 wrote to memory of 3792	384	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 384 wrote to memory of 3792	384	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 384 wrote to memory of 3792	384	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 384 wrote to memory of 3780	384	4d712b5dc93ea0ef4c153dfa30aacd25.exe	4d712b5dc93ea0ef4c153dfa30aacd25.exe
PID 384 wrote to memory of 3780	384	4d712b5dc93ea0ef4c153dfa30aacd25.exe	4d712b5dc93ea0ef4c153dfa30aacd25.exe
PID 384 wrote to memory of 3780	384	4d712b5dc93ea0ef4c153dfa30aacd25.exe	4d712b5dc93ea0ef4c153dfa30aacd25.exe
PID 2992 wrote to memory of 3808	2992	Explorer.EXE	control.exe
PID 2992 wrote to memory of 3808	2992	Explorer.EXE	control.exe
PID 2992 wrote to memory of 3808	2992	Explorer.EXE	control.exe
PID 3808 wrote to memory of 3864	3808	control.exe	cmd.exe
PID 3808 wrote to memory of 3864	3808	control.exe	cmd.exe
PID 3808 wrote to memory of 3864	3808	control.exe	cmd.exe
PID 3808 wrote to memory of 996	3808	control.exe	cmd.exe
PID 3808 wrote to memory of 996	3808	control.exe	cmd.exe
PID 3808 wrote to memory of 996	3808	control.exe	cmd.exe
PID 3808 wrote to memory of 1240	3808	control.exe	Firefox.exe
PID 3808 wrote to memory of 1240	3808	control.exe	Firefox.exe
PID 3780 wrote to memory of 1252	3780	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 3780 wrote to memory of 1252	3780	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 3780 wrote to memory of 1252	3780	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 3780 wrote to memory of 1252	3780	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 3780 wrote to memory of 1492	3780	4d712b5dc93ea0ef4c153dfa30aacd25.exe	4d712b5dc93ea0ef4c153dfa30aacd25.exe
PID 3780 wrote to memory of 1492	3780	4d712b5dc93ea0ef4c153dfa30aacd25.exe	4d712b5dc93ea0ef4c153dfa30aacd25.exe
PID 3780 wrote to memory of 1492	3780	4d712b5dc93ea0ef4c153dfa30aacd25.exe	4d712b5dc93ea0ef4c153dfa30aacd25.exe
PID 3808 wrote to memory of 1240	3808	control.exe	Firefox.exe
PID 2992 wrote to memory of 1852	2992	Explorer.EXE	netsh.exe
PID 2992 wrote to memory of 1852	2992	Explorer.EXE	netsh.exe
PID 2992 wrote to memory of 1852	2992	Explorer.EXE	netsh.exe
PID 1492 wrote to memory of 2140	1492	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 1492 wrote to memory of 2140	1492	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 1492 wrote to memory of 2140	1492	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 1492 wrote to memory of 2140	1492	4d712b5dc93ea0ef4c153dfa30aacd25.exe	RegAsm.exe
PID 1492 wrote to memory of 2556	1492	4d712b5dc93ea0ef4c153dfa30aacd25.exe	4d712b5dc93ea0ef4c153dfa30aacd25.exe
PID 1492 wrote to memory of 2556	1492	4d712b5dc93ea0ef4c153dfa30aacd25.exe	4d712b5dc93ea0ef4c153dfa30aacd25.exe
PID 1492 wrote to memory of 2556	1492	4d712b5dc93ea0ef4c153dfa30aacd25.exe	4d712b5dc93ea0ef4c153dfa30aacd25.exe
PID 2992 wrote to memory of 3400	2992	Explorer.EXE	netsh.exe
PID 2992 wrote to memory of 3400	2992	Explorer.EXE	netsh.exe
PID 2992 wrote to memory of 3400	2992	Explorer.EXE	netsh.exe

Suspicious behavior: MapViewOfSection 16 IoCs

Processes:

4d712b5dc93ea0ef4c153dfa30aacd25.exeRegAsm.execontrol.exe4d712b5dc93ea0ef4c153dfa30aacd25.exeRegAsm.exe4d712b5dc93ea0ef4c153dfa30aacd25.exeRegAsm.exe

pid	process
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
3792	RegAsm.exe
3792	RegAsm.exe
3792	RegAsm.exe
3808	control.exe
3808	control.exe
3808	control.exe
3780	4d712b5dc93ea0ef4c153dfa30aacd25.exe
3808	control.exe
1252	RegAsm.exe
1252	RegAsm.exe
1252	RegAsm.exe
1492	4d712b5dc93ea0ef4c153dfa30aacd25.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 7295 IoCs

Processes:

4d712b5dc93ea0ef4c153dfa30aacd25.exe

pid	process
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe
384	4d712b5dc93ea0ef4c153dfa30aacd25.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	control.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\M49L_RCP3NX = "C:\\Program Files (x86)\\Hql7\\vtaxpnji8g08x.exe"	control.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe
"C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
PID:384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3792

C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe
"C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1252

C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe
"C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2140

C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe
"C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe"
5⤵
PID:2556

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- System policy modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Modifies Internet Explorer settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Adds Run entry to policy start application
PID:3808

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:996

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1240

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2808

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2816

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2868

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3004

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3480

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Download Submit
C:\Users\Admin\AppData\Roaming\JN004T3S\JN0logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\JN004T3S\JN0logrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\JN004T3S\JN0logrg.ini

Download Submit
C:\Users\Admin\AppData\Roaming\JN004T3S\JN0logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\JN004T3S\JN0logrv.ini

Download Submit
memory/996-8-0x0000000000000000-mapping.dmp

Download
memory/1240-16-0x00007FF770230000-0x00007FF7702C3000-memory.dmp

Filesize
588KB

Download
memory/1240-17-0x00007FF770230000-0x00007FF7702C3000-memory.dmp

Filesize
588KB

Download
memory/1240-14-0x0000000000000000-mapping.dmp

Download
memory/1240-15-0x00007FF770230000-0x00007FF7702C3000-memory.dmp

Filesize
588KB

Download
memory/1252-11-0x000000000041E2F0-mapping.dmp

Download
memory/1492-12-0x0000000000000000-mapping.dmp

Download
memory/1852-20-0x0000000000850000-0x000000000086E000-memory.dmp

Filesize
120KB

Download
memory/1852-18-0x0000000000000000-mapping.dmp

Download
memory/1852-19-0x0000000000850000-0x000000000086E000-memory.dmp

Filesize
120KB

Download
memory/2140-27-0x000000000041E2F0-mapping.dmp

Download
memory/2556-28-0x0000000000000000-mapping.dmp

Download
memory/2992-29-0x0000000004A10000-0x0000000004AD7000-memory.dmp

Filesize
796KB

Download
memory/3400-32-0x0000000000850000-0x000000000086E000-memory.dmp

Filesize
120KB

Download
memory/3400-31-0x0000000000850000-0x000000000086E000-memory.dmp

Filesize
120KB

Download
memory/3400-30-0x0000000000000000-mapping.dmp

Download
memory/3780-2-0x0000000000000000-mapping.dmp

Download
memory/3792-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3792-1-0x000000000041E2F0-mapping.dmp

Download
memory/3808-3-0x0000000000000000-mapping.dmp

Download
memory/3808-4-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/3808-5-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/3864-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads