d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0

General

Target

d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
Size

1.3MB
MD5

38d919705b527e80454a351e80636ea4
SHA1

14cf860f2dc6d6b0c9896cfb2b1b43dcab72deb7
SHA256

d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0
SHA512

3ee551371d691a89b4503f4aefa107204aa5c1c9dda4c02e21c1710d22109105e6597e91fb5cd8ff7e53a83fb63fb41747653699116f4368b3c8a6d8fedb21ae
SSDEEP

24576:brKqlGCPcJKwybUDwEZZODYmR9G+gnbkk6XRJfe3DqYO/KpLwFfngWX4VmJPak5:brKo4ZwCOnYjVmJPam

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe

description	pid	process	target process
PID 1940 set thread context of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe

pid	process
672	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
672	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
672	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
672	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
672	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe

description	pid	process	target process
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
PID 1940 wrote to memory of 672	1940	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe	d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe

C:\Users\Admin\AppData\Local\Temp\d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
"C:\Users\Admin\AppData\Local\Temp\d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\d5a4bb3ce57c02e64df46ca11c08320d98fde566ce6de11fc1064c2fe5446ff0.exe
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/672-54-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/672-55-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/672-57-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/672-59-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/672-61-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/672-63-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/672-65-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/672-66-0x000000000044E057-mapping.dmp

Download
memory/672-68-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/672-69-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/672-70-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/672-72-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads