8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef

General

Target

8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe
Size

408KB
MD5

0998745cef26190da843f62db352a540
SHA1

46966f09d513039c5b6311865adddff2e52a88e4
SHA256

8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef
SHA512

bcc04fb0800970a82775ebc73ffc88c269961a7b14c77a516516ece1ace709c881fec1e58617ca05b88dc0bc92ec8e7a7f311ca00790dcea91ced2bec88d7aad
SSDEEP

6144:wc1aCuVzCv4u12NtMPiZxWQ6Sro+jAlAbmlMfUcLzH3ljY98rc/b5K:wTzCQhkPyNroybmlotLhY0A5K

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe

pid process

2016 8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe

pid	process
2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\OxfaHanr = "regsvr32.exe \"C:\\ProgramData\\OxfaHanr\\OxfaHanr.dat\""	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\OxfaHanr = "regsvr32.exe \"C:\\ProgramData\\OxfaHanr\\OxfaHanr.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 6 IoCs

Processes:

8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{532B4893-3C63-49C9-B845-553D7FC27BD5}	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{532B4893-3C63-49C9-B845-553D7FC27BD5}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c386334323431346265356137663565396136633831353038316633306235393063613030643064383439656539653132353834373237623733316532373765662e65786500	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{532B4893-3C63-49C9-B845-553D7FC27BD5}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{4495027C-28B4-4938-9558-526777A140A3}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{4495027C-28B4-4938-9558-526777A140A3}\{51BE577C-62C7-4444-8ADE-364F34F729F9} = 5b50b263	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{532B4893-3C63-49C9-B845-553D7FC27BD5}\#cert = 31	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe

pid process

2016 8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE

pid	process
2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe

pid	process
1220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exeExplorer.EXE

description	pid	process
Token: SeCreateGlobalPrivilege	2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe
Token: SeDebugPrivilege	2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe
Token: SeCreateGlobalPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	1220	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe

pid process

2016 8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe

pid	process
2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe

description	pid	process	target process
PID 2016 wrote to memory of 1028	2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe	spoolsv.exe
PID 2016 wrote to memory of 1028	2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe	spoolsv.exe
PID 2016 wrote to memory of 1220	2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe	Explorer.EXE
PID 2016 wrote to memory of 1220	2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe	Explorer.EXE
PID 2016 wrote to memory of 972	2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe	sppsvc.exe
PID 2016 wrote to memory of 972	2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe	sppsvc.exe
PID 2016 wrote to memory of 1820	2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe	WMIADAP.EXE
PID 2016 wrote to memory of 1820	2016	8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe	WMIADAP.EXE

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1028

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:972

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1820

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Users\Admin\AppData\Local\Temp\8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe
"C:\Users\Admin\AppData\Local\Temp\8c42414be5a7f5e9a6c815081f30b590ca00d0d849ee9e12584727b731e277ef.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OxfaHanr\OxfaHanr.dat
Filesize
240KB

MD5
9091f58832d2d1fd2ed95a24c4e27a6a

SHA1
a92545dd660abd2ebd57e38fdd784cc81d6ed48c

SHA256
e4ad24fb445751d486a5058cd996f4b15ccf06935ea8aaf2920154fbdd55793d

SHA512
be031613a4b72187a748e02f21c6107d6f9bc36f6ed60c319902a4e6aaa916ff64bf1699d543ae456bc16b06a5191db286a009ff2f1b9566ee24e3e86e85c3c1

Download Submit
\ProgramData\OxfaHanr\OxfaHanr.dat
Filesize
240KB

MD5
9091f58832d2d1fd2ed95a24c4e27a6a

SHA1
a92545dd660abd2ebd57e38fdd784cc81d6ed48c

SHA256
e4ad24fb445751d486a5058cd996f4b15ccf06935ea8aaf2920154fbdd55793d

SHA512
be031613a4b72187a748e02f21c6107d6f9bc36f6ed60c319902a4e6aaa916ff64bf1699d543ae456bc16b06a5191db286a009ff2f1b9566ee24e3e86e85c3c1

Download Submit
memory/1028-62-0x0000000001D80000-0x0000000001DD2000-memory.dmp

Filesize
328KB

Download
memory/1220-80-0x000007FEE52D0000-0x000007FEE52DA000-memory.dmp

Filesize
40KB

Download
memory/1220-79-0x000007FEFB220000-0x000007FEFB363000-memory.dmp

Filesize
1.3MB

Download
memory/1220-74-0x0000000002B20000-0x0000000002B89000-memory.dmp

Filesize
420KB

Download
memory/1220-73-0x00000000029C0000-0x0000000002A12000-memory.dmp

Filesize
328KB

Download
memory/2016-61-0x0000000075130000-0x0000000075195000-memory.dmp

Filesize
404KB

Download
memory/2016-59-0x0000000075130000-0x0000000075161000-memory.dmp

Filesize
196KB

Download
memory/2016-54-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2016-75-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/2016-76-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2016-78-0x00000000004B0000-0x0000000000502000-memory.dmp

Filesize
328KB

Download
memory/2016-77-0x0000000075130000-0x0000000075161000-memory.dmp

Filesize
196KB

Download
memory/2016-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads