8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83

Analysis

max time kernel
133s
max time network
166s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31/10/2022, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83.exe
Size

480KB
MD5

923053a88b53cca4058aaa6ef90e7500
SHA1

da09f7f9fa53e53e626d9522cb011ae6521cebbe
SHA256

8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83
SHA512

f09653e97782a0d0e942909c54f8057ba6316b9a56b453949e687b5a53f727878797c924b2a54bc2b2d4d52df88aaf9b399f47aa82a0c5b5dafe3a9142ef5330
SSDEEP

12288:0QR17ZoiA6aq0/9FzC+jnDWF0UBLcRRWU:5ZoizMlI+jnCFj4aU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1060	fljjqlwglbiro.exe

Loads dropped DLL 2 IoCs

pid	Process
1932	8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83.exe
1932	8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	fljjqlwglbiro.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	fljjqlwglbiro.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1060	fljjqlwglbiro.exe
1060	fljjqlwglbiro.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1060	1932	8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83.exe	27
PID 1932 wrote to memory of 1060	1932	8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83.exe	27
PID 1932 wrote to memory of 1060	1932	8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83.exe	27
PID 1932 wrote to memory of 1060	1932	8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83.exe	27

C:\Users\Admin\AppData\Local\Temp\8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83.exe
"C:\Users\Admin\AppData\Local\Temp\8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\fljjqlwglbiro.exe
  "C:\Users\Admin\AppData\Local\Temp\\fljjqlwglbiro.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fljjqlwglbiro.exe

Filesize
28KB

MD5
6c79a5e5b8a37cec9415e05eab462cd9

SHA1
5da1fae87d972b3ee228ff808ca49363600f4fd6

SHA256
9119ab6b4e5380bd22d9ff3dabba99d8b8fce2afa6ce160e3c2678f39309a693

SHA512
ca32def74afc99009d88c42f3f6263fbd0908ffa31a19721fec0bd062b40b62dd107959c4a3fe1e345fcc220a7f6924e558a0f97c4487f2907f683120c445446

Download Submit
C:\Users\Admin\AppData\Local\Temp\fljjqlwglbiro.exe

Filesize
28KB

MD5
6c79a5e5b8a37cec9415e05eab462cd9

SHA1
5da1fae87d972b3ee228ff808ca49363600f4fd6

SHA256
9119ab6b4e5380bd22d9ff3dabba99d8b8fce2afa6ce160e3c2678f39309a693

SHA512
ca32def74afc99009d88c42f3f6263fbd0908ffa31a19721fec0bd062b40b62dd107959c4a3fe1e345fcc220a7f6924e558a0f97c4487f2907f683120c445446

Download Submit
C:\Users\Admin\AppData\Local\Temp\parent.txt

Filesize
480KB

MD5
923053a88b53cca4058aaa6ef90e7500

SHA1
da09f7f9fa53e53e626d9522cb011ae6521cebbe

SHA256
8c31d4b80007f74ab7e969a356112507aefe98f3454e70d0101b61fcbc9c9e83

SHA512
f09653e97782a0d0e942909c54f8057ba6316b9a56b453949e687b5a53f727878797c924b2a54bc2b2d4d52df88aaf9b399f47aa82a0c5b5dafe3a9142ef5330

Download Submit
\Users\Admin\AppData\Local\Temp\fljjqlwglbiro.exe

Filesize
28KB

MD5
6c79a5e5b8a37cec9415e05eab462cd9

SHA1
5da1fae87d972b3ee228ff808ca49363600f4fd6

SHA256
9119ab6b4e5380bd22d9ff3dabba99d8b8fce2afa6ce160e3c2678f39309a693

SHA512
ca32def74afc99009d88c42f3f6263fbd0908ffa31a19721fec0bd062b40b62dd107959c4a3fe1e345fcc220a7f6924e558a0f97c4487f2907f683120c445446

Download Submit
\Users\Admin\AppData\Local\Temp\fljjqlwglbiro.exe

Filesize
28KB

MD5
6c79a5e5b8a37cec9415e05eab462cd9

SHA1
5da1fae87d972b3ee228ff808ca49363600f4fd6

SHA256
9119ab6b4e5380bd22d9ff3dabba99d8b8fce2afa6ce160e3c2678f39309a693

SHA512
ca32def74afc99009d88c42f3f6263fbd0908ffa31a19721fec0bd062b40b62dd107959c4a3fe1e345fcc220a7f6924e558a0f97c4487f2907f683120c445446

Download Submit
memory/1060-59-0x000007FEF49F0000-0x000007FEF5413000-memory.dmp

Filesize
10.1MB

Download
memory/1060-60-0x000007FEF3710000-0x000007FEF47A6000-memory.dmp

Filesize
16.6MB

Download
memory/1060-62-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download