99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da

General

Target

99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe
Size

416KB
MD5

338173dfd00cfa43f6978182ba69d6b0
SHA1

5495a84a842beca91e1be7bd360cee440df0c467
SHA256

99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da
SHA512

8d632cc2e29244f1d3b617fe8a8c847237cca49c78ac4fa0c4ea404d3fb14e418e6676c0d54b16ff06d88e723c6c3064b398247527682bd11dd86f5facc1d3d7
SSDEEP

6144:bvLxlRBLwCpiD4kXWUu3pmi9ITPNe6oZLKV9VZXDDP9xVDk:bvNlPwCpu44gmewN9gWDh

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1668	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\EzcoYowij = "regsvr32.exe \"C:\\ProgramData\\EzcoYowij.dat\""	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\EzcoYowij = "regsvr32.exe \"C:\\ProgramData\\EzcoYowij.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 8 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{11283A06-51BB-48DF-891F-56090A36011F}\{758A1287-7BC2-42A9-9CA0-3F6A4EF22AD6} = f1db737c	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{3E483FD8-5631-4137-B860-02E8493D12A4}\#cert = 31	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{3E483FD8-5631-4137-B860-02E8493D12A4}	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{3E483FD8-5631-4137-B860-02E8493D12A4}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c393933313762303962653035383363666638633966613565346337613239333231306337666130316366396632336562326633636138366134663863323464612e65786500	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{3E483FD8-5631-4137-B860-02E8493D12A4}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{11283A06-51BB-48DF-891F-56090A36011F}	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1668	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1256	Explorer.EXE
Token: SeShutdownPrivilege	1256	Explorer.EXE
Token: SeDebugPrivilege	1256	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1668	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1256	1668	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe	15
PID 1668 wrote to memory of 1256	1668	99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe	15

C:\Users\Admin\AppData\Local\Temp\99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe
"C:\Users\Admin\AppData\Local\Temp\99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EzcoYowij.dat

Filesize
273KB

MD5
d40ad083d38b788a4f0109a71df8c842

SHA1
e216e871888e9717b571952ea535ccbe10d9829f

SHA256
9c41d5a72c93f46b134f79ed15d99944340288e062faa56e3c8b5170109d9c8e

SHA512
db87477865db94563dcd38cae7e6352a4a9a8559530a19b6fe97385557102f36f5e0eb1a2c7455425b3511897da51c384f8e9c17554684cd3df9c9021911dde7

Download Submit
\ProgramData\EzcoYowij.dat

Filesize
273KB

MD5
d40ad083d38b788a4f0109a71df8c842

SHA1
e216e871888e9717b571952ea535ccbe10d9829f

SHA256
9c41d5a72c93f46b134f79ed15d99944340288e062faa56e3c8b5170109d9c8e

SHA512
db87477865db94563dcd38cae7e6352a4a9a8559530a19b6fe97385557102f36f5e0eb1a2c7455425b3511897da51c384f8e9c17554684cd3df9c9021911dde7

Download Submit
memory/1256-60-0x0000000002190000-0x00000000021DF000-memory.dmp

Filesize
316KB

Download
memory/1256-67-0x0000000002190000-0x00000000021DF000-memory.dmp

Filesize
316KB

Download
memory/1256-68-0x0000000002B40000-0x0000000002BA9000-memory.dmp

Filesize
420KB

Download
memory/1668-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1668-56-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1668-58-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/1668-65-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1668-66-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/1668-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1668-70-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads