c910894a32e7c717310aba2c0e0a021a7c53d035d6244284c249016c6b29b514

General

Target

SECURE_D.exe
Size

1.1MB
MD5

c5c552951da0e502f8aaf0881e2d26bc
SHA1

e279549491a1a76105b0a1d5b258e66de16bd956
SHA256

bda7803bc6a630ed5997870eb0b102e590d6f584b11699fb76781564debe9921
SHA512

e8d414bf468adfdf8c704e667bc8425ddbb02bc69fbe8cf48bd163c515bbdcab58507d834c836604ab385fb8d41b6a2b1a7f497b04c0ac905538fa53076a4c9c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 35 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a0031000000000072546c79102054656d700000360008000400efbe6b54fa5872546c792a00000001020000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000006b545c63100041646d696e00380008000400efbe6b54fa586b545c632a00000033000000000003000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c0031000000000072546d7910204c6f63616c00380008000400efbe6b54fa5872546d792a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000006b54fa58122041707044617461003c0008000400efbe6b54fa586b54fa582a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000006b54fa581100557365727300600008000400efbeee3a851a6b54fa582a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

SECURE_D.exe

pid process

972 SECURE_D.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

292 explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

292 explorer.exe
292 explorer.exe

pid	process
972	SECURE_D.exe

pid	process
292	explorer.exe

pid	process
292	explorer.exe
292	explorer.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cmd.exeexplorer.exe

description	pid	process	target process
PID 1496 wrote to memory of 1832	1496	cmd.exe	explorer.exe
PID 1496 wrote to memory of 1832	1496	cmd.exe	explorer.exe
PID 1496 wrote to memory of 1832	1496	cmd.exe	explorer.exe
PID 292 wrote to memory of 1008	292	explorer.exe	SECURE_D.exe
PID 292 wrote to memory of 1008	292	explorer.exe	SECURE_D.exe
PID 292 wrote to memory of 1008	292	explorer.exe	SECURE_D.exe
PID 292 wrote to memory of 1008	292	explorer.exe	SECURE_D.exe
PID 1496 wrote to memory of 972	1496	cmd.exe	SECURE_D.exe
PID 1496 wrote to memory of 972	1496	cmd.exe	SECURE_D.exe
PID 1496 wrote to memory of 972	1496	cmd.exe	SECURE_D.exe
PID 1496 wrote to memory of 972	1496	cmd.exe	SECURE_D.exe

C:\Users\Admin\AppData\Local\Temp\SECURE_D.exe
"C:\Users\Admin\AppData\Local\Temp\SECURE_D.exe"
1⤵
PID:1840

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\explorer.exe
explorer .
2⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\SECURE_D.exe
secure_d
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\SECURE_D.exe
"C:\Users\Admin\AppData\Local\Temp\SECURE_D.exe"
2⤵
PID:1008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-61-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/972-70-0x0000000004E86000-0x0000000004E87000-memory.dmp

Filesize
4KB

Download
memory/972-69-0x0000000004E75000-0x0000000004E86000-memory.dmp

Filesize
68KB

Download
memory/972-67-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/972-68-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/972-66-0x0000000000040000-0x000000000015C000-memory.dmp

Filesize
1.1MB

Download
memory/1008-64-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1008-62-0x0000000000FC0000-0x00000000010DC000-memory.dmp

Filesize
1.1MB

Download
memory/1008-65-0x0000000000305000-0x0000000000316000-memory.dmp

Filesize
68KB

Download
memory/1008-63-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1832-59-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/1840-54-0x0000000000F30000-0x000000000104C000-memory.dmp

Filesize
1.1MB

Download
memory/1840-58-0x0000000004565000-0x0000000004576000-memory.dmp

Filesize
68KB

Download
memory/1840-57-0x0000000004E60000-0x0000000004F10000-memory.dmp

Filesize
704KB

Download
memory/1840-56-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/1840-55-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads