a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8

Analysis

max time kernel
69s
max time network
118s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 18:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Size

948KB
MD5

c57bc62ab9bcd1bc57255e8c642cc7b1
SHA1

7318f32a0ab34600640c96f19338891925107419
SHA256

a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8
SHA512

deaeac6e7b3802bada13de35e09bd7485a3af8654ea5b39cc7185af181b1f06fd29997433203516c945df01f49020817706d58da47819e34e73fde7beaf23b13

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Token: SeBackupPrivilege	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Token: SeRestorePrivilege	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Token: SeBackupPrivilege	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Token: SeBackupPrivilege	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Token: SeRestorePrivilege	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3240	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	68
PID 3100 wrote to memory of 3240	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	68
PID 3100 wrote to memory of 3240	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	68
PID 3100 wrote to memory of 3888	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	69
PID 3100 wrote to memory of 3888	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	69
PID 3100 wrote to memory of 3888	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	69
PID 3100 wrote to memory of 3368	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	70
PID 3100 wrote to memory of 3368	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	70
PID 3100 wrote to memory of 3368	3100	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe	70
PID 3888 wrote to memory of 3520	3888	net.exe	73
PID 3888 wrote to memory of 3520	3888	net.exe	73
PID 3888 wrote to memory of 3520	3888	net.exe	73
PID 3368 wrote to memory of 3012	3368	cmd.exe	74
PID 3368 wrote to memory of 3012	3368	cmd.exe	74
PID 3368 wrote to memory of 3012	3368	cmd.exe	74

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AppMgmt\RequiredPrivileges = 5300650043007200650061007400650047006c006f00620061006c00500072006900760069006c0065006700650000005300650049006d0070006500720073006f006e00610074006500500072006900760069006c0065006700650000005300650049006e00630072006500610073006500510075006f0074006100500072006900760069006c00650067006500000053006500530068007500740064006f0077006e00500072006900760069006c00650067006500000053006500540061006b0065004f0077006e00650072007300680069007000500072006900760069006c00650067006500000053006500410073007300690067006e005000720069006d0061007200790054006f006b0065006e00500072006900760069006c00650067006500000053006500540063006200500072006900760069006c0065006700650000000000	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AppMgmt\Parameters\ServiceDll = "C:\\Users\\Public\\ODBC\\ODBC0\\AppMgmt.dll"	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AppMgmt	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AppMgmt\Start = "2"	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AppMgmt\ErrorControl = "0"	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AppMgmt\DelayedAutoStart = "0"	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AppMgmt\WOW64 = "1"	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AppMgmt\RequiredPrivileges = 5300650043007200650061007400650047006c006f00620061006c00500072006900760069006c0065006700650000005300650049006d0070006500720073006f006e00610074006500500072006900760069006c0065006700650000005300650049006e00630072006500610073006500510075006f0074006100500072006900760069006c00650067006500000053006500530068007500740064006f0077006e00500072006900760069006c00650067006500000053006500540061006b0065004f0077006e00650072007300680069007000500072006900760069006c00650067006500000053006500410073007300690067006e005000720069006d0061007200790054006f006b0065006e00500072006900760069006c0065006700650000000000	a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe

C:\Users\Admin\AppData\Local\Temp\a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe
"C:\Users\Admin\AppData\Local\Temp\a6196179c44372989a82cd3bc60a87262a4bb6a583f6aa38789b4ecafbe5c7b8.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings
PID:3100
- C:\Windows\SysWOW64\extrac32.exe
  extrac32 C:\Users\Admin\AppData\Local\Temp\jus1087.tmp /L "C:\Users\Public\ODBC\ODBC0\"
  2⤵
  PID:3240
- C:\Windows\SysWOW64\net.exe
  net start AppMgmt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start AppMgmt
    3⤵
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\TpTemp\lgt11F0.tmp.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\chcp.com
    chcp 1252
    3⤵
    PID:3012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads