General
Target: ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
Filesize: 5MB
Completed: 20-05-2022 18:09
Task: behavioral1
Score: 7/10
MD5: 0a2480dee0105e3cf1bacf79d6bc279c
SHA1: 79caa6e3dd9615e8d4d4157d37738bafdc3d7925
SHA256: ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63
SHA512: a843363292f5c96d02a046b4b95b188d374930234a2dfce1391a0c3bb4292662d2e961f716d6901b6b70c4543d5e8b9cf286398ffee8f8133d2da65d5866116a

Malware Config
Signatures 4

Defense Evasion
Persistence
  • Loads dropped DLL
    ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

    Reported IOCs

    pid  | process
    1928 | ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
    (this row is reported 9 times, once per loaded DLL)
  • Adds Run key to start application
    ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description     | ioc                                                                                                                                                                   | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdateXX = "C:\\Users\\Public\\Libraries\\adobeflashplayer.exe" | ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
  • Suspicious use of SetWindowsHookEx
    ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

    Reported IOCs

    pid  | process
    1928 | ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
  • Suspicious use of WriteProcessMemory
    ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe

    Reported IOCs

    description                        | pid  | process                                                              | target process
    PID 1976 wrote to memory of 1928   | 1976 | ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe | ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
    (this row is reported 4 times)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
    "C:\Users\Admin\AppData\Local\Temp\ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe"
    Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Local\Temp\ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe
      "C:\Users\Admin\AppData\Local\Temp\ed1b8ecb82dcdf896791aadeb9d85344b7e8229f4355dcf24e7c7cee39818f63.exe"
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:1928
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\_MEI19762\k.exe.manifest
    MD5: ff71392394fc9b65d543b274b6081d09
    SHA1: 17600db41d78108ba44c38254ce513cc4a7384cd
    SHA256: 2914ccc346196be3e1bfd13e9fec870c9f775b6f18484faf757b7b7957f69d80
    SHA512: 7dbc1cd28bed46ad637d91e9934e9b4186d255074129eae1388e432f546731a204eb1c63d3ba0786385d85e33f12f18ab2eb60a24fab166c049fcc6ce070d42f
  • C:\Users\Admin\AppData\Local\Temp\_MEI19762\python27.dll
    MD5: 797f4566d81c04ed5f21637d2d64197f
    SHA1: 63b3fc75231fafbd40a973a37812f1771ed4b5bf
    SHA256: 441caf8a1aed00caf6e9b28fec67a25c0af16fc1150c3caf848148397cc48e0e
    SHA512: 93f2370d600f35dafaadea426c65479e05246204513c28839903206ba3fa7b2c847a427a76ed3e522d5a27f251b5926d2f23506073fe182cac8546dab4d13e28
  • C:\Users\Admin\AppData\Local\Temp\_MEI19~1\_hashlib.pyd
    MD5: ca928e89b3153a303b20db5bb02171a6
    SHA1: a843d0cf34367441c64b27bef35d2a0cc3bd479b
    SHA256: 8b0a26be2cdf95351f27d407f3ddb235f803bb0abb3004c73b5a53f614a559ee
    SHA512: defbf4ad1a00b9867e7934bb5edc5f157d2fcf6d3567604084ea168deb4db7c22477b252b739b0987ed421f8651aa87136ca4e1e77515a36d5d764336d926aa2
  • C:\Users\Admin\AppData\Local\Temp\_MEI19~1\_socket.pyd
    MD5: c09b45502b40e17ea85da99b45c97bb9
    SHA1: 0578ad2993c827502f47f78184cb640a3029a368
    SHA256: 67b9dc047566250da1905751c96208bc78b2d558446e4e447ed32dbfdd399c13
    SHA512: 3c66d3f8ab7aa2930b3ba78f06711d107c9016d202a67de8d2d3806bab536549dd82f83c0331b44ff9ac5231273876515e0034bdbde7436853d17c16903150a1
  • C:\Users\Admin\AppData\Local\Temp\_MEI19~1\_ssl.pyd
    MD5: f12a4d8a3bb4d4c589cebc25373ca1ff
    SHA1: 3e018b0b54bec184c182de381a02aaadece97a39
    SHA256: 01a11ad86603f47ee4b5aac18d6534d43865a16978aa245ebbc29ba68d701078
    SHA512: 6928c03b242a658bd61e443b39ac5f98e6ca590f29be30ec6c9f3505aae3da98307b01c38ac6f294e7ea59765c6302f9c27bbe05a13a167aa90559487cb865ec
  • C:\Users\Admin\AppData\Local\Temp\_MEI19~1\pyHook._cpyHook.pyd
    MD5: 3c7cb79171e636137acd8fdf42ea10df
    SHA1: 1eec5cf28be22f9cc64ae640d584daeb35601403
    SHA256: 03a59137ca8f9dda395079daddd7fcf0636543f41cc0c2fcf19bea492eb4ad80
    SHA512: dc161bbecec77c86a3c70f1a7c2d5c7d029c8cfad8e1606b90372da5a49d601f3146cf52fb56d453637195c1bcabe66f633c5dca1c5b106bb33025d5f9704d14
  • C:\Users\Admin\AppData\Local\Temp\_MEI19~1\pythoncom27.dll
    MD5: 52b865ec9937c6b1f6ba686b7e21258d
    SHA1: b9e108968574577364048c18d4d6b21912bd4454
    SHA256: 5df515976d0f2955ae4be1e19990de644e5461db98b0ce91ca6b0e22851fea52
    SHA512: 6c172889a48aa3fef43250fe52b97911e79aa153e14471fce95aff5340c4646b1cf9b89942849c50e2903ee21ec345295989d49899fc6bf5782421e087d9c219
  • C:\Users\Admin\AppData\Local\Temp\_MEI19~1\pywintypes27.dll
    MD5: a28653caf591fc7b4c7971821deb9a56
    SHA1: 5ff590e23cbb45ae4a441eeecf2d0609103eec08
    SHA256: 88d8eb5894c47990b4ff88e94a75f59c498cfd16b0f29894f0947f5ed2a862f3
    SHA512: c1bbb29e2aaa6181aeccd19d2843646e1e2dd7d33e7ace04f9df215ec5bdc604ce170e5ee6cefbe646663c278e0e9e1332c4fd63f241d2db0e66bcd7950bdd92
  • C:\Users\Admin\AppData\Local\Temp\_MEI19~1\win32api.pyd
    MD5: 04e34bf4a5bb715c7263401f0415cc3c
    SHA1: 0a2ec0b7a02ecfb2c4423aac0fa80565b03fd9dd
    SHA256: 3f85787b2d9ccded7176fd564cde748fd73cc79c0812ecf0d87d7bb0e92f88d2
    SHA512: 5e642e62cb9ef92a2894ee0258ca89188d1875dfb37700cd9474fe9c99bef85df718469885b98f56b44082ed3b76f4a33b27e6bf1cfacbea7f731d31f49d19c7
  • C:\Users\Admin\AppData\Local\Temp\_MEI19~1\win32event.pyd
    MD5: dc7a5c18901f304260ce1bb4507494d8
    SHA1: 519393c319d28207c89f416bfa8ed2a7feed2dfd
    SHA256: b1fc1d89f5c4d7c5af342107e9460eccbc638608077298bafcefa50889f172da
    SHA512: 17564adbb4ded84e3c38087510f067de1342f9960df4bc639ea94bb2034fc8c09d8fc6f7670d9b6f0c6957147f3822adea373189dcd33b8374d7a64b4fb4cb04
  • \Users\Admin\AppData\Local\Temp\_MEI19762\python27.dll
    MD5: 797f4566d81c04ed5f21637d2d64197f
    SHA1: 63b3fc75231fafbd40a973a37812f1771ed4b5bf
    SHA256: 441caf8a1aed00caf6e9b28fec67a25c0af16fc1150c3caf848148397cc48e0e
    SHA512: 93f2370d600f35dafaadea426c65479e05246204513c28839903206ba3fa7b2c847a427a76ed3e522d5a27f251b5926d2f23506073fe182cac8546dab4d13e28
  • \Users\Admin\AppData\Local\Temp\_MEI19~1\_hashlib.pyd
    MD5: ca928e89b3153a303b20db5bb02171a6
    SHA1: a843d0cf34367441c64b27bef35d2a0cc3bd479b
    SHA256: 8b0a26be2cdf95351f27d407f3ddb235f803bb0abb3004c73b5a53f614a559ee
    SHA512: defbf4ad1a00b9867e7934bb5edc5f157d2fcf6d3567604084ea168deb4db7c22477b252b739b0987ed421f8651aa87136ca4e1e77515a36d5d764336d926aa2
  • \Users\Admin\AppData\Local\Temp\_MEI19~1\_socket.pyd
    MD5: c09b45502b40e17ea85da99b45c97bb9
    SHA1: 0578ad2993c827502f47f78184cb640a3029a368
    SHA256: 67b9dc047566250da1905751c96208bc78b2d558446e4e447ed32dbfdd399c13
    SHA512: 3c66d3f8ab7aa2930b3ba78f06711d107c9016d202a67de8d2d3806bab536549dd82f83c0331b44ff9ac5231273876515e0034bdbde7436853d17c16903150a1
  • \Users\Admin\AppData\Local\Temp\_MEI19~1\_ssl.pyd
    MD5: f12a4d8a3bb4d4c589cebc25373ca1ff
    SHA1: 3e018b0b54bec184c182de381a02aaadece97a39
    SHA256: 01a11ad86603f47ee4b5aac18d6534d43865a16978aa245ebbc29ba68d701078
    SHA512: 6928c03b242a658bd61e443b39ac5f98e6ca590f29be30ec6c9f3505aae3da98307b01c38ac6f294e7ea59765c6302f9c27bbe05a13a167aa90559487cb865ec
  • \Users\Admin\AppData\Local\Temp\_MEI19~1\pyHook._cpyHook.pyd
    MD5: 3c7cb79171e636137acd8fdf42ea10df
    SHA1: 1eec5cf28be22f9cc64ae640d584daeb35601403
    SHA256: 03a59137ca8f9dda395079daddd7fcf0636543f41cc0c2fcf19bea492eb4ad80
    SHA512: dc161bbecec77c86a3c70f1a7c2d5c7d029c8cfad8e1606b90372da5a49d601f3146cf52fb56d453637195c1bcabe66f633c5dca1c5b106bb33025d5f9704d14
  • \Users\Admin\AppData\Local\Temp\_MEI19~1\pythoncom27.dll
    MD5: 52b865ec9937c6b1f6ba686b7e21258d
    SHA1: b9e108968574577364048c18d4d6b21912bd4454
    SHA256: 5df515976d0f2955ae4be1e19990de644e5461db98b0ce91ca6b0e22851fea52
    SHA512: 6c172889a48aa3fef43250fe52b97911e79aa153e14471fce95aff5340c4646b1cf9b89942849c50e2903ee21ec345295989d49899fc6bf5782421e087d9c219
  • \Users\Admin\AppData\Local\Temp\_MEI19~1\pywintypes27.dll
    MD5: a28653caf591fc7b4c7971821deb9a56
    SHA1: 5ff590e23cbb45ae4a441eeecf2d0609103eec08
    SHA256: 88d8eb5894c47990b4ff88e94a75f59c498cfd16b0f29894f0947f5ed2a862f3
    SHA512: c1bbb29e2aaa6181aeccd19d2843646e1e2dd7d33e7ace04f9df215ec5bdc604ce170e5ee6cefbe646663c278e0e9e1332c4fd63f241d2db0e66bcd7950bdd92
  • \Users\Admin\AppData\Local\Temp\_MEI19~1\win32api.pyd
    MD5: 04e34bf4a5bb715c7263401f0415cc3c
    SHA1: 0a2ec0b7a02ecfb2c4423aac0fa80565b03fd9dd
    SHA256: 3f85787b2d9ccded7176fd564cde748fd73cc79c0812ecf0d87d7bb0e92f88d2
    SHA512: 5e642e62cb9ef92a2894ee0258ca89188d1875dfb37700cd9474fe9c99bef85df718469885b98f56b44082ed3b76f4a33b27e6bf1cfacbea7f731d31f49d19c7
  • \Users\Admin\AppData\Local\Temp\_MEI19~1\win32event.pyd
    MD5: dc7a5c18901f304260ce1bb4507494d8
    SHA1: 519393c319d28207c89f416bfa8ed2a7feed2dfd
    SHA256: b1fc1d89f5c4d7c5af342107e9460eccbc638608077298bafcefa50889f172da
    SHA512: 17564adbb4ded84e3c38087510f067de1342f9960df4bc639ea94bb2034fc8c09d8fc6f7670d9b6f0c6957147f3822adea373189dcd33b8374d7a64b4fb4cb04
  • memory/1928-58-0x00000000757C1000-0x00000000757C3000-memory.dmp
  • memory/1928-54-0x0000000000000000-mapping.dmp