1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de

General

Target

1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.exe
Size

294KB
MD5

91590bea0ff44c43b4496c8841ec88fa
SHA1

30fa4ec1853100c016a3c4c2d879d9c3069512c3
SHA256

1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de
SHA512

285b0229356b0470101b9337d35d0e6b3b9de108398a9ce17faa4da5af75b619459fc949b07b7a8b8640ef68424bbfed807874f8738a02017ecd026eb5bdbd1d
SSDEEP

6144:cdYgxDh5luzMm2mBiXS6S9JSelDyX2UFLstcAyXRU0ODDoZ:tgxDh3uLTKSH9flD74sK60ODDoZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1560	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp

Loads dropped DLL 3 IoCs

pid	Process
1500	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.exe
1560	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp
1560	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hae123.com"	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
1116	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1560	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1560	1500	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.exe	27
PID 1500 wrote to memory of 1560	1500	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.exe	27
PID 1500 wrote to memory of 1560	1500	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.exe	27
PID 1500 wrote to memory of 1560	1500	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.exe	27
PID 1560 wrote to memory of 1116	1560	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp	28
PID 1560 wrote to memory of 1116	1560	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp	28
PID 1560 wrote to memory of 1116	1560	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp	28
PID 1560 wrote to memory of 1116	1560	1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp	28

C:\Users\Admin\AppData\Local\Temp\1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.exe
"C:\Users\Admin\AppData\Local\Temp\1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\is-C53E9.tmp\1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C53E9.tmp\1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp" /SL5="$60124,51915,51712,C:\Users\Admin\AppData\Local\Temp\1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\Regedit.exe" -s C:\Adobe\info.desc
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Runs regedit.exe
    PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe\info.desc

Filesize
280B

MD5
a0fd44bf16c285a195d371ba2404dc0a

SHA1
1880991f3f49d2f35e86ce2575d7535517a10f28

SHA256
686ea1ff46449d5412e6454ca7329a6f03e777714e35d502640c61ac16849613

SHA512
3477a190eda4b3fd79319ebeab24c3a62cdaffeb4d58f65488713f23e370f8a906365985dad5a8bd39a5d2e047c6f1da40af1d952cb3899c9809a32fb03b970a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C53E9.tmp\1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
\Users\Admin\AppData\Local\Temp\is-C53E9.tmp\1604c283ad453c88122604246b62781049eca81619c3793ee8f84135bf96c7de.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
\Users\Admin\AppData\Local\Temp\is-SLU2F.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-SLU2F.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1500-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1500-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1500-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1500-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1560-64-0x0000000074711000-0x0000000074713000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads