ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11

Analysis

max time kernel
133s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
Size

392KB
MD5

6627fc1d33e5b0445cc390e53a3c3b88
SHA1

978497fdc330b925aade2690e5be9c09899b6bb4
SHA256

ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11
SHA512

f4f5d57b613434740b2bfd52bd00ad9923d6cd89826588370d758442bbec08abd85faaba301b30433148ad7f0d6a70f09a2dd6f987b8b44bb955574e03b1ceda
SSDEEP

12288:xcbvS+ScjNJcMjrkzg2MDk1isKMJim4Pm1hFgWohLiUsoXYW30FsE0fG:r/1wJkFsE0e

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1732-132-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral2/memory/4404-138-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CE8SIIFGSU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe"	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CE8SIIFGSU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe"	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
File opened for modification	C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
File created	C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
File opened for modification	C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1756	1732	WerFault.exe	79
740	4404	WerFault.exe	91

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1732	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
4404	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
4404	ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe

C:\Users\Admin\AppData\Local\Temp\ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
"C:\Users\Admin\AppData\Local\Temp\ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1448
  2⤵
  - Program crash
  PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1732 -ip 1732
1⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
C:\Users\Admin\AppData\Local\Temp\ade18f4a294b6c03ef1b9d695e2edbd4b07084a8ddc2889b963f929be44f8d11.exe
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1460
  2⤵
  - Program crash
  PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4404 -ip 4404
1⤵
PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

Filesize
426B

MD5
24870845dd706a864aa84c76593518f5

SHA1
f1c95f889154a984babd3af97718dd018d26dcb4

SHA256
073d78b33d3f788a668e7869de839839283d984107b5fb56320659e3f927e2ad

SHA512
480835c34c62587c2d068e74959fc84ffc6a5720b5941822927945cabee80435b420f370ffc96a8baf848b18a8449c4db206c0d83fad5e56a8e95c089a461f23

Download Submit
memory/1732-132-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1732-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1732-136-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1732-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4404-138-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4404-141-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4404-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download