0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426

General

Target

0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
Size

200KB
MD5

4b5026e255f20e5face38694d37dae1a
SHA1

b0f250730bb8aadacdc3536ede77eeedda25974f
SHA256

0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426
SHA512

5bbaba3ca720e7eca03bb2ca1e28dc1f39cb067f583bca02850dfa152a9f0fb0feafe4da8fbcd4bd804bd56ff1e90622d265b5217c38d47827ca473b1373bdde
SSDEEP

3072:c2L2lSTxGtHsBdtJeWXeiKjuy/IaP7pceKpZx6gSp0Caar4Y0j2TFwR1:c2O4OHs7Xepi4HSeKPkFxkiTFw

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\CE8SIIFGSU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe"	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
File opened for modification	C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
836	0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe

C:\Users\Admin\AppData\Local\Temp\0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe
"C:\Users\Admin\AppData\Local\Temp\0e68ab3e34dfa5623817f06fccbb868b8496a60167481b78cd9f41a3fab0f426.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/836-57-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/836-58-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/836-59-0x0000000000230000-0x0000000000299000-memory.dmp

Filesize
420KB

Download
memory/836-60-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/836-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/836-62-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads