e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf

General

Target

e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
Size

1.3MB
MD5

4d48b2a209c7aed9efde9ab61b4ea221
SHA1

0e93b2dc36190692812dafe93233349e911ee719
SHA256

e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf
SHA512

a8c04035c3f5ef06e3a192a5858e4700be28febd938db0b368e1a58d7712cc87b8225afabe39df82c4b1cf4efe31948388cba19bf9bb37a2941c2d5ed94097ef
SSDEEP

24576:zrKqlGCPcJKwybUDwEZZODYmR9G+gnbkk6XRJfe3DqYO/KpLwFfngWX4VmJPak3:zrKo4ZwCOnYjVmJPag

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe

description	pid	process	target process
PID 1884 set thread context of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe

pid	process
292	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
292	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
292	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
292	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
292	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe

description	pid	process	target process
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
PID 1884 wrote to memory of 292	1884	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe	e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe

C:\Users\Admin\AppData\Local\Temp\e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
"C:\Users\Admin\AppData\Local\Temp\e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\e64aaac86f68daa107b3f286495fb3b54b027714ae0d1693cfab5b3217c67abf.exe
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-54-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/292-55-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/292-57-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/292-59-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/292-61-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/292-63-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/292-65-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/292-66-0x000000000044E057-mapping.dmp

Download
memory/292-68-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/292-69-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/292-70-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/292-71-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/292-73-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads