ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b

General

Target

ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe
Size

317KB
MD5

083b318840c63ee177519f1b7d45f1af
SHA1

e512fa09d72a2027e7eb5b29989aba6b0d739378
SHA256

ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b
SHA512

83e8d9e34102831a294e9d259faf405aed442c6a6b47ecbdd6f17213b4ac41288300e5ead32400a14af4d19ea9cf37fa3791933c083046b163163e5aba41e34c
SSDEEP

6144:/Rg2HxuuQagkTj9hBhf+q/R+eDDyVMKOKhWKO9POgVxiarcEqh9D1m:5BHx19g2jfBNWrVtOIWHPR+Eco

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1340	jEbMoGb15301.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1648-54-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/memory/1648-56-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/memory/1648-67-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/memory/1340-68-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/memory/1340-69-0x0000000000400000-0x00000000004B4000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1648	ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe
1648	ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jEbMoGb15301 = "C:\\ProgramData\\jEbMoGb15301\\jEbMoGb15301.exe"	jEbMoGb15301.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	jEbMoGb15301.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe
Token: SeDebugPrivilege	1340	jEbMoGb15301.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1340	jEbMoGb15301.exe
1340	jEbMoGb15301.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1340	jEbMoGb15301.exe
1340	jEbMoGb15301.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1340	jEbMoGb15301.exe
1340	jEbMoGb15301.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1340	1648	ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe	28
PID 1648 wrote to memory of 1340	1648	ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe	28
PID 1648 wrote to memory of 1340	1648	ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe	28
PID 1648 wrote to memory of 1340	1648	ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe	28

C:\Users\Admin\AppData\Local\Temp\ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe
"C:\Users\Admin\AppData\Local\Temp\ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\ProgramData\jEbMoGb15301\jEbMoGb15301.exe
  "C:\ProgramData\jEbMoGb15301\jEbMoGb15301.exe" "C:\Users\Admin\AppData\Local\Temp\ae3bb4d1a67520467269660489264d9424e0b24ed334aeacc23d1bd9e53fdc1b.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jEbMoGb15301\jEbMoGb15301.exe

Filesize
317KB

MD5
256113f0c7988074c3e1799d38414765

SHA1
e5ec0e45dc7f0a438e6f958ef7eed4069e16098a

SHA256
19d9eb75dc796c384a034e04d0613aab7546f1ab19af1ff8effccea04e87ef3d

SHA512
3da06eb681c75b9c0d9d2a63a48646fcf20c1b1f189072e8c71454550f8fcfd00dcb9a06ed3e476620aa30e826a2cc2e0ef8f53d6d515041da45f01b69b2355d

Download Submit
C:\ProgramData\jEbMoGb15301\jEbMoGb15301.exe

Filesize
317KB

MD5
256113f0c7988074c3e1799d38414765

SHA1
e5ec0e45dc7f0a438e6f958ef7eed4069e16098a

SHA256
19d9eb75dc796c384a034e04d0613aab7546f1ab19af1ff8effccea04e87ef3d

SHA512
3da06eb681c75b9c0d9d2a63a48646fcf20c1b1f189072e8c71454550f8fcfd00dcb9a06ed3e476620aa30e826a2cc2e0ef8f53d6d515041da45f01b69b2355d

Download Submit
\ProgramData\jEbMoGb15301\jEbMoGb15301.exe

Filesize
317KB

MD5
256113f0c7988074c3e1799d38414765

SHA1
e5ec0e45dc7f0a438e6f958ef7eed4069e16098a

SHA256
19d9eb75dc796c384a034e04d0613aab7546f1ab19af1ff8effccea04e87ef3d

SHA512
3da06eb681c75b9c0d9d2a63a48646fcf20c1b1f189072e8c71454550f8fcfd00dcb9a06ed3e476620aa30e826a2cc2e0ef8f53d6d515041da45f01b69b2355d

Download Submit
\ProgramData\jEbMoGb15301\jEbMoGb15301.exe

Filesize
317KB

MD5
256113f0c7988074c3e1799d38414765

SHA1
e5ec0e45dc7f0a438e6f958ef7eed4069e16098a

SHA256
19d9eb75dc796c384a034e04d0613aab7546f1ab19af1ff8effccea04e87ef3d

SHA512
3da06eb681c75b9c0d9d2a63a48646fcf20c1b1f189072e8c71454550f8fcfd00dcb9a06ed3e476620aa30e826a2cc2e0ef8f53d6d515041da45f01b69b2355d

Download Submit
memory/1340-68-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1340-69-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1648-54-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1648-56-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1648-57-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1648-67-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads