4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8

General

Target

4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe
Size

373KB
MD5

807344844ea9ef4c5c5eebf60775f884
SHA1

feb2b4c90077973c337dfa6fd5a96076c8b7b84f
SHA256

4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8
SHA512

0c8af5fbac00c2b85b533fcd645392d4c36893caa8b29f1efbf4d86955394b6cea51f0a8a6f545f3927ff788271346f2f889978d5977f63e5ca337e3b58eb0da
SSDEEP

6144:eAXnF5hWN3cPkLCWp+kxLaazQ/rJ6aQ/URjERT2ElYRktprr5h:eA15hy3cPkLXp+k5bzQ/V6a/54eurb

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

hixe.exe

pid process

1408 hixe.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

916 cmd.exe

pid	process
916	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe

pid	process
1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe
1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hixe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	hixe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Joozce\\hixe.exe"	hixe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe

description pid process target process

PID 1648 set thread context of 916 1648 4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe cmd.exe

description	pid	process	target process
PID 1648 set thread context of 916	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

hixe.exe

pid	process
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe
1408	hixe.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exehixe.exe

pid process

1648 4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe
1408 hixe.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exehixe.exe

description	pid	process	target process
PID 1648 wrote to memory of 1408	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	hixe.exe
PID 1648 wrote to memory of 1408	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	hixe.exe
PID 1648 wrote to memory of 1408	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	hixe.exe
PID 1648 wrote to memory of 1408	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	hixe.exe
PID 1408 wrote to memory of 1124	1408	hixe.exe	taskhost.exe
PID 1408 wrote to memory of 1124	1408	hixe.exe	taskhost.exe
PID 1408 wrote to memory of 1124	1408	hixe.exe	taskhost.exe
PID 1408 wrote to memory of 1124	1408	hixe.exe	taskhost.exe
PID 1408 wrote to memory of 1124	1408	hixe.exe	taskhost.exe
PID 1408 wrote to memory of 1208	1408	hixe.exe	Dwm.exe
PID 1408 wrote to memory of 1208	1408	hixe.exe	Dwm.exe
PID 1408 wrote to memory of 1208	1408	hixe.exe	Dwm.exe
PID 1408 wrote to memory of 1208	1408	hixe.exe	Dwm.exe
PID 1408 wrote to memory of 1208	1408	hixe.exe	Dwm.exe
PID 1408 wrote to memory of 1244	1408	hixe.exe	Explorer.EXE
PID 1408 wrote to memory of 1244	1408	hixe.exe	Explorer.EXE
PID 1408 wrote to memory of 1244	1408	hixe.exe	Explorer.EXE
PID 1408 wrote to memory of 1244	1408	hixe.exe	Explorer.EXE
PID 1408 wrote to memory of 1244	1408	hixe.exe	Explorer.EXE
PID 1408 wrote to memory of 1648	1408	hixe.exe	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe
PID 1408 wrote to memory of 1648	1408	hixe.exe	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe
PID 1408 wrote to memory of 1648	1408	hixe.exe	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe
PID 1408 wrote to memory of 1648	1408	hixe.exe	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe
PID 1408 wrote to memory of 1648	1408	hixe.exe	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe
PID 1648 wrote to memory of 916	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	cmd.exe
PID 1648 wrote to memory of 916	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	cmd.exe
PID 1648 wrote to memory of 916	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	cmd.exe
PID 1648 wrote to memory of 916	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	cmd.exe
PID 1648 wrote to memory of 916	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	cmd.exe
PID 1648 wrote to memory of 916	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	cmd.exe
PID 1648 wrote to memory of 916	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	cmd.exe
PID 1648 wrote to memory of 916	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	cmd.exe
PID 1648 wrote to memory of 916	1648	4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe	cmd.exe
PID 1408 wrote to memory of 600	1408	hixe.exe	conhost.exe
PID 1408 wrote to memory of 600	1408	hixe.exe	conhost.exe
PID 1408 wrote to memory of 600	1408	hixe.exe	conhost.exe
PID 1408 wrote to memory of 600	1408	hixe.exe	conhost.exe
PID 1408 wrote to memory of 600	1408	hixe.exe	conhost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1208

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe
"C:\Users\Admin\AppData\Local\Temp\4a0d16c278af3e1dae3f83145a4e18435988210187b615b04fa79cd115a5dbd8.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Roaming\Joozce\hixe.exe
"C:\Users\Admin\AppData\Roaming\Joozce\hixe.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp51ef7e70.bat"
3⤵
- Deletes itself
PID:916

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1610666947-6133363717995325851953933309-949269844-1792436431-2088822021-1699625263"
1⤵
PID:600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\leank.wai
Filesize
837B

MD5
5c4ae110a11ef3ccc52ef53aa850368d

SHA1
eeeec644e2cde80a1e68a314cb81449b52c97812

SHA256
eda2af808a2ab84c891eb5baf058475c0e67a6892083b5d16bcad68ea4098439

SHA512
63b8f0330ce36bb63b27a504b5160b8360d71782458dc486fac3acb186cdbc70b55884be28c45365060547586ff45de75f7cc09c18220c06ad4c535710aed9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51ef7e70.bat
Filesize
307B

MD5
70c3af3a9ee9ac969c242cfc7ccefc1e

SHA1
11800624e5e05c4bd7c974ed878441709ff03eb3

SHA256
19abdd782bd1fc323e49798e193a4d33e30b7b43a3a19c8acf27bacf632d0574

SHA512
3352d47a90dc7cd72f5b13173679750038f5db05a001ad5852599c7f7a5ea25fdd5d7eb1902158a70548e61f0b185b76962dce85ec7f0ab48d84bbbb0fa15823

Download Submit
C:\Users\Admin\AppData\Roaming\Joozce\hixe.exe
Filesize
373KB

MD5
6b83acf5671b7a7286e8d4b27113389d

SHA1
bc86852cbe53f90a6f7b7916f208e158f5ad5250

SHA256
9112418bb196351d085613871cbeb2fa4d775de4bbcc6dc96246a053a2c1a1f2

SHA512
e17419324773993d4ac425059228bb705c931b99058e411a9f6603e35b4f9cb5d51f455c8cd09b1249ca2484f84346149df82a837cd7c5fa21ade7051c80dd99

Download Submit
C:\Users\Admin\AppData\Roaming\Joozce\hixe.exe
Filesize
373KB

MD5
6b83acf5671b7a7286e8d4b27113389d

SHA1
bc86852cbe53f90a6f7b7916f208e158f5ad5250

SHA256
9112418bb196351d085613871cbeb2fa4d775de4bbcc6dc96246a053a2c1a1f2

SHA512
e17419324773993d4ac425059228bb705c931b99058e411a9f6603e35b4f9cb5d51f455c8cd09b1249ca2484f84346149df82a837cd7c5fa21ade7051c80dd99

Download Submit
\Users\Admin\AppData\Roaming\Joozce\hixe.exe
Filesize
373KB

MD5
6b83acf5671b7a7286e8d4b27113389d

SHA1
bc86852cbe53f90a6f7b7916f208e158f5ad5250

SHA256
9112418bb196351d085613871cbeb2fa4d775de4bbcc6dc96246a053a2c1a1f2

SHA512
e17419324773993d4ac425059228bb705c931b99058e411a9f6603e35b4f9cb5d51f455c8cd09b1249ca2484f84346149df82a837cd7c5fa21ade7051c80dd99

Download Submit
\Users\Admin\AppData\Roaming\Joozce\hixe.exe
Filesize
373KB

MD5
6b83acf5671b7a7286e8d4b27113389d

SHA1
bc86852cbe53f90a6f7b7916f208e158f5ad5250

SHA256
9112418bb196351d085613871cbeb2fa4d775de4bbcc6dc96246a053a2c1a1f2

SHA512
e17419324773993d4ac425059228bb705c931b99058e411a9f6603e35b4f9cb5d51f455c8cd09b1249ca2484f84346149df82a837cd7c5fa21ade7051c80dd99

Download Submit
memory/600-109-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/600-108-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/600-107-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/600-106-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/916-112-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/916-96-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/916-101-0x00000000001671E6-mapping.dmp

Download
memory/916-100-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/916-99-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/916-98-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1124-67-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1124-63-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1124-65-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1124-66-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1124-68-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1208-73-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1208-71-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1208-72-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1208-74-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1244-77-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1244-78-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1244-79-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1244-80-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1408-59-0x0000000000000000-mapping.dmp

Download
memory/1408-92-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1408-91-0x0000000000350000-0x00000000003B3000-memory.dmp

Filesize
396KB

Download
memory/1408-90-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/1648-93-0x00000000022C0000-0x0000000002323000-memory.dmp

Filesize
396KB

Download
memory/1648-89-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1648-88-0x0000000000390000-0x00000000003F3000-memory.dmp

Filesize
396KB

Download
memory/1648-87-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/1648-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-103-0x00000000022C0000-0x0000000002304000-memory.dmp

Filesize
272KB

Download
memory/1648-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1648-86-0x00000000022C0000-0x0000000002304000-memory.dmp

Filesize
272KB

Download
memory/1648-85-0x00000000022C0000-0x0000000002304000-memory.dmp

Filesize
272KB

Download
memory/1648-84-0x00000000022C0000-0x0000000002304000-memory.dmp

Filesize
272KB

Download
memory/1648-83-0x00000000022C0000-0x0000000002304000-memory.dmp

Filesize
272KB

Download
memory/1648-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads