a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8

General

Target

a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Size

948KB
MD5

c57bc62ab9bcd1bc57255e8c642cc7b1
SHA1

7318f32a0ab34600640c96f19338891925107419
SHA256

a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8
SHA512

deaeac6e7b3802bada13de35e09bd7485a3af8654ea5b39cc7185af181b1f06fd29997433203516c945df01f49020817706d58da47819e34e73fde7beaf23b13

Score

7^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1860	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	25
PID 1496 wrote to memory of 1860	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	25
PID 1496 wrote to memory of 1860	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	25
PID 1496 wrote to memory of 1860	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	25
PID 1496 wrote to memory of 1888	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	26
PID 1496 wrote to memory of 1888	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	26
PID 1496 wrote to memory of 1888	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	26
PID 1496 wrote to memory of 1888	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	26
PID 1496 wrote to memory of 1904	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	28
PID 1496 wrote to memory of 1904	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	28
PID 1496 wrote to memory of 1904	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	28
PID 1496 wrote to memory of 1904	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	28
PID 1888 wrote to memory of 1936	1888	net.exe	30
PID 1888 wrote to memory of 1936	1888	net.exe	30
PID 1888 wrote to memory of 1936	1888	net.exe	30
PID 1888 wrote to memory of 1936	1888	net.exe	30
PID 1904 wrote to memory of 1952	1904	cmd.exe	31
PID 1904 wrote to memory of 1952	1904	cmd.exe	31
PID 1904 wrote to memory of 1952	1904	cmd.exe	31
PID 1904 wrote to memory of 1952	1904	cmd.exe	31

Deletes itself 1 IoCs

pid	Process
1904	cmd.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AppMgmt\DelayedAutoStart = "0"	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AppMgmt\WOW64 = "1"	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AppMgmt\RequiredPrivileges = 5300650043007200650061007400650047006c006f00620061006c00500072006900760069006c0065006700650000005300650049006d0070006500720073006f006e00610074006500500072006900760069006c0065006700650000005300650049006e00630072006500610073006500510075006f0074006100500072006900760069006c00650067006500000053006500530068007500740064006f0077006e00500072006900760069006c00650067006500000053006500540061006b0065004f0077006e00650072007300680069007000500072006900760069006c00650067006500000053006500410073007300690067006e005000720069006d0061007200790054006f006b0065006e00500072006900760069006c0065006700650000000000	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AppMgmt\RequiredPrivileges = 5300650043007200650061007400650047006c006f00620061006c00500072006900760069006c0065006700650000005300650049006d0070006500720073006f006e00610074006500500072006900760069006c0065006700650000005300650049006e00630072006500610073006500510075006f0074006100500072006900760069006c00650067006500000053006500530068007500740064006f0077006e00500072006900760069006c00650067006500000053006500540061006b0065004f0077006e00650072007300680069007000500072006900760069006c00650067006500000053006500410073007300690067006e005000720069006d0061007200790054006f006b0065006e00500072006900760069006c00650067006500000053006500540063006200500072006900760069006c0065006700650000000000	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AppMgmt\Parameters\ServiceDll = "C:\\Users\\Public\\ODBC\\ODBC0\\AppMgmt.dll"	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AppMgmt	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AppMgmt\Start = "2"	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AppMgmt\ErrorControl = "0"	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Token: SeBackupPrivilege	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Token: SeRestorePrivilege	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Token: SeBackupPrivilege	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Token: SeBackupPrivilege	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Token: SeRestorePrivilege	1496	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe

C:\Users\Admin\AppData\Local\Temp\a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
"C:\Users\Admin\AppData\Local\Temp\a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
- C:\Windows\SysWOW64\extrac32.exe
  extrac32 C:\Users\Admin\AppData\Local\Temp\jus47DA.tmp /L "C:\Users\Public\ODBC\ODBC0\"
  2⤵
  PID:1860
- C:\Windows\SysWOW64\net.exe
  net start AppMgmt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start AppMgmt
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\TpTemp\lgt4923.tmp.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  - Deletes itself
  PID:1904
- - C:\Windows\SysWOW64\chcp.com
    chcp 1252
    3⤵
    PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads