77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd

General

Target

eTPiv.exe
Size

941KB
MD5

c126b47388c127334162f17ab4e0cb2c
SHA1

d74b2309be4af77691bd424ea8ab5055af89e587
SHA256

77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
SHA512

7abdf106235dfe7311bcc1a1d847a2b4c9223aa3e59c59c486c4cb310e535de71b3680c937695210be0013c7158aaca97e2e664bb89a8dd5c7306a6cf1c9537a

Score

8^/10

persistence spyware discovery

Malware Config

Signatures

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

SgrmBroker.comSgrmBroker.com

pid process

1068 SgrmBroker.com
1068 SgrmBroker.com
1068 SgrmBroker.com
1056 SgrmBroker.com
1056 SgrmBroker.com
1056 SgrmBroker.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

SgrmBroker.com

description pid process target process

PID 1056 set thread context of 1836 1056 SgrmBroker.com ipconfig.exe
Executes dropped EXE 2 IoCs

Processes:

SgrmBroker.comSgrmBroker.com

pid process

1068 SgrmBroker.com
1056 SgrmBroker.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeSgrmBroker.com

pid process

1616 cmd.exe
1068 SgrmBroker.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

SgrmBroker.comSgrmBroker.com

pid process

1068 SgrmBroker.com
1068 SgrmBroker.com
1068 SgrmBroker.com
1056 SgrmBroker.com
1056 SgrmBroker.com
1056 SgrmBroker.com
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

SgrmBroker.com

pid process

1056 SgrmBroker.com

pid	process
1068	SgrmBroker.com
1068	SgrmBroker.com
1068	SgrmBroker.com
1056	SgrmBroker.com
1056	SgrmBroker.com
1056	SgrmBroker.com

description	pid	process	target process
PID 1056 set thread context of 1836	1056	SgrmBroker.com	ipconfig.exe

pid	process
1068	SgrmBroker.com
1056	SgrmBroker.com

pid	process
1616	cmd.exe
1068	SgrmBroker.com

pid	process
1068	SgrmBroker.com
1068	SgrmBroker.com
1068	SgrmBroker.com
1056	SgrmBroker.com
1056	SgrmBroker.com
1056	SgrmBroker.com

pid	process
1056	SgrmBroker.com

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eTPiv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eTPiv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eTPiv.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1696 PING.EXE
1972 PING.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1696	PING.EXE
1972	PING.EXE

Checks for installed software on the system 1 TTPs 29 IoCs

discovery

Query Registry

T1012

Processes:

ipconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	ipconfig.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	ipconfig.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

eTPiv.execmd.exeSgrmBroker.comSgrmBroker.comipconfig.execmd.exe

description	pid	process	target process
PID 112 wrote to memory of 1616	112	eTPiv.exe	cmd.exe
PID 112 wrote to memory of 1616	112	eTPiv.exe	cmd.exe
PID 112 wrote to memory of 1616	112	eTPiv.exe	cmd.exe
PID 112 wrote to memory of 1616	112	eTPiv.exe	cmd.exe
PID 1616 wrote to memory of 740	1616	cmd.exe	certutil.exe
PID 1616 wrote to memory of 740	1616	cmd.exe	certutil.exe
PID 1616 wrote to memory of 740	1616	cmd.exe	certutil.exe
PID 1616 wrote to memory of 740	1616	cmd.exe	certutil.exe
PID 1616 wrote to memory of 1068	1616	cmd.exe	SgrmBroker.com
PID 1616 wrote to memory of 1068	1616	cmd.exe	SgrmBroker.com
PID 1616 wrote to memory of 1068	1616	cmd.exe	SgrmBroker.com
PID 1616 wrote to memory of 1068	1616	cmd.exe	SgrmBroker.com
PID 1068 wrote to memory of 1056	1068	SgrmBroker.com	SgrmBroker.com
PID 1068 wrote to memory of 1056	1068	SgrmBroker.com	SgrmBroker.com
PID 1068 wrote to memory of 1056	1068	SgrmBroker.com	SgrmBroker.com
PID 1068 wrote to memory of 1056	1068	SgrmBroker.com	SgrmBroker.com
PID 1616 wrote to memory of 1696	1616	cmd.exe	PING.EXE
PID 1616 wrote to memory of 1696	1616	cmd.exe	PING.EXE
PID 1616 wrote to memory of 1696	1616	cmd.exe	PING.EXE
PID 1616 wrote to memory of 1696	1616	cmd.exe	PING.EXE
PID 1056 wrote to memory of 1836	1056	SgrmBroker.com	ipconfig.exe
PID 1056 wrote to memory of 1836	1056	SgrmBroker.com	ipconfig.exe
PID 1056 wrote to memory of 1836	1056	SgrmBroker.com	ipconfig.exe
PID 1056 wrote to memory of 1836	1056	SgrmBroker.com	ipconfig.exe
PID 1056 wrote to memory of 1836	1056	SgrmBroker.com	ipconfig.exe
PID 1836 wrote to memory of 2024	1836	ipconfig.exe	cmd.exe
PID 1836 wrote to memory of 2024	1836	ipconfig.exe	cmd.exe
PID 1836 wrote to memory of 2024	1836	ipconfig.exe	cmd.exe
PID 1836 wrote to memory of 2024	1836	ipconfig.exe	cmd.exe
PID 2024 wrote to memory of 1972	2024	cmd.exe	PING.EXE
PID 2024 wrote to memory of 1972	2024	cmd.exe	PING.EXE
PID 2024 wrote to memory of 1972	2024	cmd.exe	PING.EXE
PID 2024 wrote to memory of 1972	2024	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\eTPiv.exe
"C:\Users\Admin\AppData\Local\Temp\eTPiv.exe"
1⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c <nul set /p ="M" > SgrmBroker.com & type JDhB.com >> SgrmBroker.com & del JDhB.com & certutil -decode GiEs.com A & SgrmBroker.com A & ping 127.0.0.1 -n 3
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\certutil.exe
certutil -decode GiEs.com A
3⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com
SgrmBroker.com A
3⤵
- Suspicious use of FindShellTrayWindow
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com A
4⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
5⤵
- Checks for installed software on the system
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping google.com && erase C:\Windows\SysWOW64\ipconfig.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\PING.EXE
ping google.com
7⤵
- Runs ping.exe
PID:1972

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GiEs.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JDhB.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QJPvK.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com

Download Submit
memory/740-2-0x0000000000000000-mapping.dmp

Download
memory/1056-10-0x0000000000000000-mapping.dmp

Download
memory/1068-5-0x0000000000000000-mapping.dmp

Download
memory/1616-0-0x0000000000000000-mapping.dmp

Download
memory/1696-13-0x0000000000000000-mapping.dmp

Download
memory/1836-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-15-0x00000000004258D4-mapping.dmp

Download
memory/1836-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1972-18-0x0000000000000000-mapping.dmp

Download
memory/2024-17-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads