515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce

General

Target

515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
Size

437KB
MD5

6c6a28acb9d1dbfe89ed59d1d786c9c8
SHA1

4c878dd5646078d7261ca9373ae9ed0e24102c3b
SHA256

515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce
SHA512

b6b4532f3c7b1791b470810de5f4fe6dab6cbab03db29ea659c8d58fa8f162153b315394b5b3cea266f97f3f646fe106e9c20cf5ecc9ad377956a4bee8a1bf75
SSDEEP

6144:nrwUiVaaRW/nkrhZXzyqtRd6HCzDzt62u5znxwiHBAMnLiemMD:nrwUiIqGY3jyqtfPDB0Rxw8rnLiel

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1808-54-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\JP595IR86O = "C:\\Users\\Admin\\AppData\\Local\\Temp\\515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe"	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\JP595IR86O = "C:\\Users\\Admin\\AppData\\Local\\Temp\\515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe"	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\609416191	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
File opened for modification	C:\Windows\SysWOW64\1624973549	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
File opened for modification	C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1808	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1808	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1808	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1808	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1808	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1808	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1504	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1504	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1808	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1504	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1808	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1808	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1504	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1504	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1808	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
1504	515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1504	2008	taskeng.exe	30
PID 2008 wrote to memory of 1504	2008	taskeng.exe	30
PID 2008 wrote to memory of 1504	2008	taskeng.exe	30
PID 2008 wrote to memory of 1504	2008	taskeng.exe	30
PID 2008 wrote to memory of 1504	2008	taskeng.exe	30
PID 2008 wrote to memory of 1504	2008	taskeng.exe	30
PID 2008 wrote to memory of 1504	2008	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
"C:\Users\Admin\AppData\Local\Temp\515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:1808

C:\Windows\system32\taskeng.exe
taskeng.exe {D06B857F-C94D-49AC-B9D8-6AE390FDE601} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
  C:\Users\Admin\AppData\Local\Temp\515f8ead699cf2caf94564c5e11f012b9e99e64fb7cdb53a4d45a243c71478ce.exe
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

Filesize
408B

MD5
7f2af89a63808c694273afaf7bc5e1df

SHA1
7a154210bc9518598aabeb2b0be45f21a20d541e

SHA256
5898fe3bfad565a4af2862d66bd4de92d7d4d765a83866bf8f03663474f2141f

SHA512
33b31f2e62c17f2a95bba72dc55b6f50cc55b4501c8080dd03f879b67b251481e3ca580b9ecf4a14c3e588ffcc7a50aab0eaf834314b539b0fad01e5502c8251

Download Submit
memory/1504-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1504-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1808-54-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1808-55-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1808-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1808-59-0x0000000000230000-0x000000000029E000-memory.dmp

Filesize
440KB

Download
memory/1808-60-0x0000000000230000-0x000000000029E000-memory.dmp

Filesize
440KB

Download
memory/1808-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1808-62-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads