39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1

General

Target

39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe
Size

357KB
MD5

2f802d2af925bf481342e2930a0a1bbc
SHA1

357dce5f3fed2d67ab6eb51a3c971f6cf5397d89
SHA256

39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1
SHA512

64786ee942f491bff598b252e67df93ffff8a4cec87ab89e0d70de4533fe4519410e15826369ebf682f8ec837ffebd18547120bc7af45f1a1efd8298d9fd6aa2
SSDEEP

6144:C4//qpBmFHs3czyOxW8RjSqjAvzxCaQHkRw0ZjOEd4xEtpzbpk:C46pBiHs3czfxW8B7jAv1CaXuIGGb2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ewal.exe

pid process

1320 ewal.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

308 cmd.exe

pid	process
308	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe

pid	process
1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe
1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ewal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	ewal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Kieg\\ewal.exe"	ewal.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe

description pid process target process

PID 1832 set thread context of 308 1832 39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe cmd.exe

description	pid	process	target process
PID 1832 set thread context of 308	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

ewal.exe

pid	process
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe
1320	ewal.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exeewal.exe

pid process

1832 39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe
1320 ewal.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exeewal.exe

description	pid	process	target process
PID 1832 wrote to memory of 1320	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	ewal.exe
PID 1832 wrote to memory of 1320	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	ewal.exe
PID 1832 wrote to memory of 1320	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	ewal.exe
PID 1832 wrote to memory of 1320	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	ewal.exe
PID 1320 wrote to memory of 1116	1320	ewal.exe	taskhost.exe
PID 1320 wrote to memory of 1116	1320	ewal.exe	taskhost.exe
PID 1320 wrote to memory of 1116	1320	ewal.exe	taskhost.exe
PID 1320 wrote to memory of 1116	1320	ewal.exe	taskhost.exe
PID 1320 wrote to memory of 1116	1320	ewal.exe	taskhost.exe
PID 1320 wrote to memory of 1188	1320	ewal.exe	Dwm.exe
PID 1320 wrote to memory of 1188	1320	ewal.exe	Dwm.exe
PID 1320 wrote to memory of 1188	1320	ewal.exe	Dwm.exe
PID 1320 wrote to memory of 1188	1320	ewal.exe	Dwm.exe
PID 1320 wrote to memory of 1188	1320	ewal.exe	Dwm.exe
PID 1320 wrote to memory of 1216	1320	ewal.exe	Explorer.EXE
PID 1320 wrote to memory of 1216	1320	ewal.exe	Explorer.EXE
PID 1320 wrote to memory of 1216	1320	ewal.exe	Explorer.EXE
PID 1320 wrote to memory of 1216	1320	ewal.exe	Explorer.EXE
PID 1320 wrote to memory of 1216	1320	ewal.exe	Explorer.EXE
PID 1320 wrote to memory of 1832	1320	ewal.exe	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe
PID 1320 wrote to memory of 1832	1320	ewal.exe	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe
PID 1320 wrote to memory of 1832	1320	ewal.exe	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe
PID 1320 wrote to memory of 1832	1320	ewal.exe	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe
PID 1320 wrote to memory of 1832	1320	ewal.exe	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe
PID 1832 wrote to memory of 308	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	cmd.exe
PID 1832 wrote to memory of 308	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	cmd.exe
PID 1832 wrote to memory of 308	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	cmd.exe
PID 1832 wrote to memory of 308	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	cmd.exe
PID 1832 wrote to memory of 308	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	cmd.exe
PID 1832 wrote to memory of 308	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	cmd.exe
PID 1832 wrote to memory of 308	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	cmd.exe
PID 1832 wrote to memory of 308	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	cmd.exe
PID 1832 wrote to memory of 308	1832	39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe
"C:\Users\Admin\AppData\Local\Temp\39878155e060d6e9d159965fcbb3395e7d9cca3f17ff0164fbc22863e4341df1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Roaming\Kieg\ewal.exe
"C:\Users\Admin\AppData\Roaming\Kieg\ewal.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa7d51ad6.bat"
3⤵
- Deletes itself
PID:308

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa7d51ad6.bat

Filesize
307B

MD5
2d6087d31e84aea8fe87dbbcb5219856

SHA1
c64e391c7ff984356a4b23275aefee9391c0b66a

SHA256
2b1ae0e7cf0fa906725e8531373dfbbd4a5f1ca5e97f8c944fec83fcc100c976

SHA512
c6b2330646d0a2ebfebe1e73d979083c3f0fb8bc74a1a71307eea4a0fed1824d3bf7c5f3bb285f5a559d83c470d6c43e0c9e87fb9422b2b7741e8a2795f018f7

Download Submit
C:\Users\Admin\AppData\Roaming\Kieg\ewal.exe

Filesize
357KB

MD5
bb4108bd9bb779e4376a1e797c97d692

SHA1
9b7dde23a27fda0e2dc4db9c3461f51dd99be6e9

SHA256
7978d6cff34caca0f8a005f249261e24c8702148bde1076f7d10d261e50df452

SHA512
76e06c3364295b0005b17e4b58ae34f831479cb5bdcc41e8ecb1f92612d2853a83e27278a1556e89f996a9724a498dbce423e12ba9c5ec2230bf42514725eb35

Download Submit
C:\Users\Admin\AppData\Roaming\Kieg\ewal.exe

Filesize
357KB

MD5
bb4108bd9bb779e4376a1e797c97d692

SHA1
9b7dde23a27fda0e2dc4db9c3461f51dd99be6e9

SHA256
7978d6cff34caca0f8a005f249261e24c8702148bde1076f7d10d261e50df452

SHA512
76e06c3364295b0005b17e4b58ae34f831479cb5bdcc41e8ecb1f92612d2853a83e27278a1556e89f996a9724a498dbce423e12ba9c5ec2230bf42514725eb35

Download Submit
\Users\Admin\AppData\Roaming\Kieg\ewal.exe

Filesize
357KB

MD5
bb4108bd9bb779e4376a1e797c97d692

SHA1
9b7dde23a27fda0e2dc4db9c3461f51dd99be6e9

SHA256
7978d6cff34caca0f8a005f249261e24c8702148bde1076f7d10d261e50df452

SHA512
76e06c3364295b0005b17e4b58ae34f831479cb5bdcc41e8ecb1f92612d2853a83e27278a1556e89f996a9724a498dbce423e12ba9c5ec2230bf42514725eb35

Download Submit
\Users\Admin\AppData\Roaming\Kieg\ewal.exe

Filesize
357KB

MD5
bb4108bd9bb779e4376a1e797c97d692

SHA1
9b7dde23a27fda0e2dc4db9c3461f51dd99be6e9

SHA256
7978d6cff34caca0f8a005f249261e24c8702148bde1076f7d10d261e50df452

SHA512
76e06c3364295b0005b17e4b58ae34f831479cb5bdcc41e8ecb1f92612d2853a83e27278a1556e89f996a9724a498dbce423e12ba9c5ec2230bf42514725eb35

Download Submit
memory/308-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/308-105-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/308-101-0x00000000000671E6-mapping.dmp

Download
memory/308-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/308-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/308-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1116-66-0x0000000001DB0000-0x0000000001DF4000-memory.dmp

Filesize
272KB

Download
memory/1116-68-0x0000000001DB0000-0x0000000001DF4000-memory.dmp

Filesize
272KB

Download
memory/1116-67-0x0000000001DB0000-0x0000000001DF4000-memory.dmp

Filesize
272KB

Download
memory/1116-65-0x0000000001DB0000-0x0000000001DF4000-memory.dmp

Filesize
272KB

Download
memory/1116-63-0x0000000001DB0000-0x0000000001DF4000-memory.dmp

Filesize
272KB

Download
memory/1188-71-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1188-72-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1188-73-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1188-74-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1216-80-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1216-77-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1216-78-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1216-79-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1320-92-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1320-106-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1320-59-0x0000000000000000-mapping.dmp

Download
memory/1320-91-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/1320-90-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1832-89-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1832-93-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/1832-88-0x0000000000360000-0x00000000003C0000-memory.dmp

Filesize
384KB

Download
memory/1832-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1832-83-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/1832-87-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1832-86-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/1832-85-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/1832-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-84-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads