5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050

General

Target

5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
Size

323KB
MD5

0a646c7eddb377017672fd782a89c081
SHA1

e39e1758fbb1a10b94e1e5dfdd2a6849fa66901e
SHA256

5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050
SHA512

50dbe326b60716554615daf9cf68f82a189d67bb3f84739251d8aa85ca1ea282e8a2d017dd04d6b4edf907f415979589b19a0aa8fcfd72b1f34edb96628580b9
SSDEEP

6144:Dqfawfwd99vxoYC7+Li9IBCiiortLeY9ZvLmE7JWAN:Wfaos9DodvorsYzCQJBN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

teidp.exe

pid process

1144 teidp.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1756 cmd.exe
Loads dropped DLL 4 IoCs

Processes:

5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exeteidp.exe

pid process

1508 5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
1144 teidp.exe
1144 teidp.exe
1144 teidp.exe

pid	process
1756	cmd.exe

pid	process
1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

teidp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	teidp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Yzxyar\\teidp.exe"	teidp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe

description	pid	process	target process
PID 1508 set thread context of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

teidp.exe

pid	process
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe
1144	teidp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe

description	pid	process
Token: SeSecurityPrivilege	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
Token: SeSecurityPrivilege	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
Token: SeSecurityPrivilege	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exeteidp.exe

pid process

1508 5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
1144 teidp.exe

pid	process
1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
1144	teidp.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exeteidp.exe

description	pid	process	target process
PID 1508 wrote to memory of 1144	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	teidp.exe
PID 1508 wrote to memory of 1144	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	teidp.exe
PID 1508 wrote to memory of 1144	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	teidp.exe
PID 1508 wrote to memory of 1144	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	teidp.exe
PID 1508 wrote to memory of 1144	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	teidp.exe
PID 1508 wrote to memory of 1144	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	teidp.exe
PID 1508 wrote to memory of 1144	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	teidp.exe
PID 1144 wrote to memory of 1128	1144	teidp.exe	taskhost.exe
PID 1144 wrote to memory of 1128	1144	teidp.exe	taskhost.exe
PID 1144 wrote to memory of 1128	1144	teidp.exe	taskhost.exe
PID 1144 wrote to memory of 1128	1144	teidp.exe	taskhost.exe
PID 1144 wrote to memory of 1128	1144	teidp.exe	taskhost.exe
PID 1144 wrote to memory of 1244	1144	teidp.exe	Dwm.exe
PID 1144 wrote to memory of 1244	1144	teidp.exe	Dwm.exe
PID 1144 wrote to memory of 1244	1144	teidp.exe	Dwm.exe
PID 1144 wrote to memory of 1244	1144	teidp.exe	Dwm.exe
PID 1144 wrote to memory of 1244	1144	teidp.exe	Dwm.exe
PID 1144 wrote to memory of 1276	1144	teidp.exe	Explorer.EXE
PID 1144 wrote to memory of 1276	1144	teidp.exe	Explorer.EXE
PID 1144 wrote to memory of 1276	1144	teidp.exe	Explorer.EXE
PID 1144 wrote to memory of 1276	1144	teidp.exe	Explorer.EXE
PID 1144 wrote to memory of 1276	1144	teidp.exe	Explorer.EXE
PID 1144 wrote to memory of 1508	1144	teidp.exe	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
PID 1144 wrote to memory of 1508	1144	teidp.exe	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
PID 1144 wrote to memory of 1508	1144	teidp.exe	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
PID 1144 wrote to memory of 1508	1144	teidp.exe	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
PID 1144 wrote to memory of 1508	1144	teidp.exe	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe
PID 1508 wrote to memory of 1756	1508	5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe
"C:\Users\Admin\AppData\Local\Temp\5e6f43e6260ee03b35c010f90909108a0b2cba96615ac1174d5e373d09c02050.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Roaming\Yzxyar\teidp.exe
"C:\Users\Admin\AppData\Roaming\Yzxyar\teidp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp57565eb4.bat"
3⤵
- Deletes itself
PID:1756

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1244

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp57565eb4.bat
Filesize
307B

MD5
c2cbf881b89fa306a96446f8ee6dda18

SHA1
40151244ead0427ee6382bfee65f6b258121dbfb

SHA256
c7d8b3ec9a6c2445b04669eabcf02c016fef1ac89d4616d143a54335c8cd1646

SHA512
51314ab963e6326625b6b11a1b676b5cb378c1f551f6d1859dfccc6b02b034a7d5df331a5aac28099ec70e4d37a7a3036e27db751aa81ba4c783ea5ef9b9f9a0

Download Submit
C:\Users\Admin\AppData\Roaming\Irotd\azby.yct
Filesize
398B

MD5
4851a0fa0891e60a6bce8db9e18f153d

SHA1
33eb44b5a8ebb1b8247d522aee0ff770c09a311d

SHA256
d0736b351d04af8f93fa23136cadf80ea63f896523192cff21ab2a7261731460

SHA512
9b7f7ec8a2c2565adcb4c25f4e6bf7416d5100e8999f820a923143cbe939537b89ddb3c08eed55be09c3afdfe0ef453d15c62e39038d737f3a8049cd2d4d5b8b

Download Submit
C:\Users\Admin\AppData\Roaming\Yzxyar\teidp.exe
Filesize
323KB

MD5
cdbe41608fda096a357c47b8211464ed

SHA1
5a603cea07c9f1433a3482f2478052cae89db24b

SHA256
e96d3fa1280be624962c841bbaf652b02267ed902eb01234c0e75883b0f20674

SHA512
a91f9797464a2c7d986f61382a2ff06eefc50d4bfec933e6a63efbdca7734988a769369391e6f84f4364e6b538ece921d0fa949d047757f0246b7823081d9488

Download Submit
C:\Users\Admin\AppData\Roaming\Yzxyar\teidp.exe
Filesize
323KB

MD5
cdbe41608fda096a357c47b8211464ed

SHA1
5a603cea07c9f1433a3482f2478052cae89db24b

SHA256
e96d3fa1280be624962c841bbaf652b02267ed902eb01234c0e75883b0f20674

SHA512
a91f9797464a2c7d986f61382a2ff06eefc50d4bfec933e6a63efbdca7734988a769369391e6f84f4364e6b538ece921d0fa949d047757f0246b7823081d9488

Download Submit
\Users\Admin\AppData\Roaming\Yzxyar\teidp.exe
Filesize
323KB

MD5
cdbe41608fda096a357c47b8211464ed

SHA1
5a603cea07c9f1433a3482f2478052cae89db24b

SHA256
e96d3fa1280be624962c841bbaf652b02267ed902eb01234c0e75883b0f20674

SHA512
a91f9797464a2c7d986f61382a2ff06eefc50d4bfec933e6a63efbdca7734988a769369391e6f84f4364e6b538ece921d0fa949d047757f0246b7823081d9488

Download Submit
\Users\Admin\AppData\Roaming\Yzxyar\teidp.exe
Filesize
323KB

MD5
cdbe41608fda096a357c47b8211464ed

SHA1
5a603cea07c9f1433a3482f2478052cae89db24b

SHA256
e96d3fa1280be624962c841bbaf652b02267ed902eb01234c0e75883b0f20674

SHA512
a91f9797464a2c7d986f61382a2ff06eefc50d4bfec933e6a63efbdca7734988a769369391e6f84f4364e6b538ece921d0fa949d047757f0246b7823081d9488

Download Submit
\Users\Admin\AppData\Roaming\Yzxyar\teidp.exe
Filesize
323KB

MD5
cdbe41608fda096a357c47b8211464ed

SHA1
5a603cea07c9f1433a3482f2478052cae89db24b

SHA256
e96d3fa1280be624962c841bbaf652b02267ed902eb01234c0e75883b0f20674

SHA512
a91f9797464a2c7d986f61382a2ff06eefc50d4bfec933e6a63efbdca7734988a769369391e6f84f4364e6b538ece921d0fa949d047757f0246b7823081d9488

Download Submit
\Users\Admin\AppData\Roaming\Yzxyar\teidp.exe
Filesize
323KB

MD5
cdbe41608fda096a357c47b8211464ed

SHA1
5a603cea07c9f1433a3482f2478052cae89db24b

SHA256
e96d3fa1280be624962c841bbaf652b02267ed902eb01234c0e75883b0f20674

SHA512
a91f9797464a2c7d986f61382a2ff06eefc50d4bfec933e6a63efbdca7734988a769369391e6f84f4364e6b538ece921d0fa949d047757f0246b7823081d9488

Download Submit
memory/1128-70-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1128-69-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1128-65-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1128-67-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1128-68-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1144-91-0x0000000000350000-0x00000000003A3000-memory.dmp

Filesize
332KB

Download
memory/1144-58-0x0000000000000000-mapping.dmp

Download
memory/1144-89-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1144-93-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1244-73-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1244-74-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1244-75-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1244-76-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1276-79-0x00000000029F0000-0x0000000002A31000-memory.dmp

Filesize
260KB

Download
memory/1276-80-0x00000000029F0000-0x0000000002A31000-memory.dmp

Filesize
260KB

Download
memory/1276-81-0x00000000029F0000-0x0000000002A31000-memory.dmp

Filesize
260KB

Download
memory/1276-82-0x00000000029F0000-0x0000000002A31000-memory.dmp

Filesize
260KB

Download
memory/1508-94-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1508-105-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1508-92-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1508-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1508-85-0x00000000004F0000-0x0000000000543000-memory.dmp

Filesize
332KB

Download
memory/1508-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1508-83-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1508-87-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1508-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1508-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1508-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1508-90-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1756-102-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/1756-101-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/1756-100-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/1756-103-0x00000000000720A5-mapping.dmp

Download
memory/1756-98-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download
memory/1756-108-0x0000000000050000-0x0000000000091000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads