4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e

General

Target

4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e.exe
Size

282KB
MD5

a3bb10facad7933c29ba398d5ca7b220
SHA1

4039f6f4e9c36311644a0fbd3875e12f214a425e
SHA256

4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e
SHA512

eee6c567e1222bf53c0e7fea80a4b3b4a9a401c7efadec7415031b2f91a6b8443af71d8da05e65d8248fba2c542a911b45e519d221c90a159e8df6663ba6c12e
SSDEEP

6144:CU8/ILk1M3cOaRi1QZ9j8rMgPJGl2mQytjogJzrqaYajv4wKK:LiS2i1QHj8MgPglBzPnqkQw1

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2020	4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\vgyloblp = "regsvr32.exe \"C:\\ProgramData\\vgyloblp.dat\""	4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\vgyloblp = "regsvr32.exe \"C:\\ProgramData\\vgyloblp.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2020	4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1412	Explorer.EXE
Token: SeShutdownPrivilege	1412	Explorer.EXE
Token: SeDebugPrivilege	1412	Explorer.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1412	2020	4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e.exe	8
PID 2020 wrote to memory of 1412	2020	4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e.exe	8

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1412
- C:\Users\Admin\AppData\Local\Temp\4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e.exe
  "C:\Users\Admin\AppData\Local\Temp\4283e7a75225a81a845aa138639b1fa5084f79d2e48835a1d42bbc001917c73e.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vgyloblp.dat

Filesize
240KB

MD5
a2dac01b4bc349637c68d56fdab0920e

SHA1
9afbf51e1a39bdd7d653920b859375c086507566

SHA256
3fe5cdc6dd9f331dc370114b34f5796b8ed9d4220dc01ce878ea8bf57ba6a453

SHA512
15af3db09b3492cfad1913087d502761ff0873d3a0daf4c35758562a4556f591084a420690ef438ff35bb9d4b4c3a66852af490d498819eafb7b3b1019a6595c

Download Submit
\ProgramData\vgyloblp.dat

Filesize
240KB

MD5
a2dac01b4bc349637c68d56fdab0920e

SHA1
9afbf51e1a39bdd7d653920b859375c086507566

SHA256
3fe5cdc6dd9f331dc370114b34f5796b8ed9d4220dc01ce878ea8bf57ba6a453

SHA512
15af3db09b3492cfad1913087d502761ff0873d3a0daf4c35758562a4556f591084a420690ef438ff35bb9d4b4c3a66852af490d498819eafb7b3b1019a6595c

Download Submit
memory/1412-61-0x0000000002650000-0x000000000269D000-memory.dmp

Filesize
308KB

Download
memory/1412-66-0x0000000002650000-0x000000000269D000-memory.dmp

Filesize
308KB

Download
memory/1412-67-0x0000000003D00000-0x0000000003D68000-memory.dmp

Filesize
416KB

Download
memory/2020-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2020-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2020-56-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/2020-58-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/2020-59-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/2020-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2020-69-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads