5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f

General

Target

5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Size

260KB
MD5

6b7e0b1a5174d379e637ee4757def810
SHA1

ae194b6b468b23f7b33c4fb16a67a37ebef01465
SHA256

5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f
SHA512

be8aa0b334fb04ccf564a4ff898c387b03ee7c1997e218780974d3213af0a9e1214bfd48a916d5dfd9851f7c7bc29a276db405be07e2770faf2298b36a2fcde4
SSDEEP

3072:CK7lRzz/lpftcfTQeF7JKVFir8GKsoOiLSjEpxi1KoaPI9cYvEBWHPvAVYpYvEJm:fRzjl7+JSFirTK+mfpxi4FSH9I/Lz

Score

6^/10

adware persistence stealer

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Int_Moni = "c:\\windows\\in_termoni\\IntMonitor.exe"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N_etwork = "c:\\program files\\net\\network.exe"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{250E95D8-263D-418F-9242-A72BCABF8D65}	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\in_termoni\IntMonitor.exe	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
File opened for modification	\??\c:\windows\in_termoni\IntMonitor.exe	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\ = "Flash ä¯ÀÀÆ÷¸¨Öú²å¼þ"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\VersionIndependentProgID	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\VersionIndependentProgID\ = "Flash ä¯ÀÀÆ÷¸¨Öú²å¼þ"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1.0.0.1\CLSID = "{250E95D8-263D-418F-9242-A72BCABF8D65}"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\InprocServer32\ = "c:\\windows\\users\\FlashsAssistant.dll"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\InprocServer32\ThreadingModel = "Apartment"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\ProgID	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1.0.0.1	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash ä¯ÀÀÆ÷¸¨Öú²å¼þ	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\InprocServer32	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\TypeLib	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1.0.0.1\ = "Flash ä¯ÀÀÆ÷¸¨Öú²å¼þ"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash ä¯ÀÀÆ÷¸¨Öú²å¼þ\CLSID = "{250E95D8-263D-418F-9242-A72BCABF8D65}"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash ä¯ÀÀÆ÷¸¨Öú²å¼þ\CurVer = "1.0.0.1"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\ProgID\ = "1.0.0.1"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\Programmable	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{250E95D8-263D-418F-9242-A72BCABF8D65}\TypeLib\ = "{FB3A5A93-2EEE-1AFC-B2CD-D837E9A3E9D1}"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash ä¯ÀÀÆ÷¸¨Öú²å¼þ\ = "Flash ä¯ÀÀÆ÷¸¨Öú²å¼þ"	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
368	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
368	5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe

C:\Users\Admin\AppData\Local\Temp\5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe
"C:\Users\Admin\AppData\Local\Temp\5fcd0308a78a885c5f67027b0fa1481f7a18e0ed7e69b8e1be971eb070ff0c4f.exe"
1⤵
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads