2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9

General

Target

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
Size

379KB
MD5

e0c3c103be7ed0a2781c82d379dc0780
SHA1

318ca5646da574f9115ac579c35f54382bc740ad
SHA256

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9
SHA512

08f8476e4572d8326cf34459b6a5ec8ca2c0b4d91eb1f77ddc5de897b59dd1fae683e2ba621d8375ee0ab1f3337b4ed0cfad3e0ae70dcfa2b1c9f77ef9512d60
SSDEEP

6144:23nuEiAWEIyTBkRalU35uSHG33A1lFx2CTN9k+g:gTNODHG33ATJbg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

alter.exe

pid process

968 alter.exe
Deletes itself 1 IoCs

Processes:

alter.exe

pid process

968 alter.exe
Loads dropped DLL 1 IoCs

Processes:

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe

pid process

1104 2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

alter.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	alter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\alter.exe"	alter.exe

Drops file in System32 directory 3 IoCs

Processes:

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\whr458da.db
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\whr458da.db
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

Drops file in Windows directory 2 IoCs

Processes:

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exealter.exe

description	ioc	process
File opened for modification	C:\Windows\2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.INI	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
File opened for modification	C:\Windows\alter.INI	alter.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1ED4F0F-FC3F-453B-BED4-A556520609DB}
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1ED4F0F-FC3F-453B-BED4-A556520609DB}\WpadNetworkName = "Network 2"
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-cf-1c-b7-13-a2
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-cf-1c-b7-13-a2\WpadDecisionReason = "1"
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1ED4F0F-FC3F-453B-BED4-A556520609DB}\9a-cf-1c-b7-13-a2
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-cf-1c-b7-13-a2\WpadDecision = "0"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1ED4F0F-FC3F-453B-BED4-A556520609DB}\WpadDecisionReason = "1"
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1ED4F0F-FC3F-453B-BED4-A556520609DB}\WpadDecision = "0"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0015000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-cf-1c-b7-13-a2\WpadDecisionTime = 10a1e45f5dffd801
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C1ED4F0F-FC3F-453B-BED4-A556520609DB}\WpadDecisionTime = 10a1e45f5dffd801

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

alter.exe

pid	process
968	alter.exe
968	alter.exe
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576
576

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

alter.exe

pid process

968 alter.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

alter.exe

description pid process

Token: SeDebugPrivilege 968 alter.exe
Token: SeDebugPrivilege 576

description	pid	process
Token: SeDebugPrivilege	968	alter.exe
Token: SeDebugPrivilege	576

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exealter.exe

pid	process
1104	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
1104	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
968	alter.exe
968	alter.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exealter.exe

pid process

1104 2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
968 alter.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe

description	pid	process	target process
PID 1104 wrote to memory of 968	1104	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe	alter.exe
PID 1104 wrote to memory of 968	1104	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe	alter.exe
PID 1104 wrote to memory of 968	1104	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe	alter.exe
PID 1104 wrote to memory of 968	1104	2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe	alter.exe

C:\Users\Admin\AppData\Local\Temp\2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
"C:\Users\Admin\AppData\Local\Temp\2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\alter.exe
  C:\Users\Admin\AppData\Local\Temp\2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\alter.exe

Filesize
379KB

MD5
e0c3c103be7ed0a2781c82d379dc0780

SHA1
318ca5646da574f9115ac579c35f54382bc740ad

SHA256
2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9

SHA512
08f8476e4572d8326cf34459b6a5ec8ca2c0b4d91eb1f77ddc5de897b59dd1fae683e2ba621d8375ee0ab1f3337b4ed0cfad3e0ae70dcfa2b1c9f77ef9512d60

Download Submit
\Users\Admin\AppData\Local\alter.exe

Filesize
379KB

MD5
e0c3c103be7ed0a2781c82d379dc0780

SHA1
318ca5646da574f9115ac579c35f54382bc740ad

SHA256
2f1491bf133179621beefec6dba653bfa5d76a312321abcd09f7e034f92f75d9

SHA512
08f8476e4572d8326cf34459b6a5ec8ca2c0b4d91eb1f77ddc5de897b59dd1fae683e2ba621d8375ee0ab1f3337b4ed0cfad3e0ae70dcfa2b1c9f77ef9512d60

Download Submit
memory/576-65-0x0000000000520000-0x000000000054D000-memory.dmp

Filesize
180KB

Download
memory/576-66-0x0000000000550000-0x0000000000583000-memory.dmp

Filesize
204KB

Download
memory/576-68-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/968-58-0x0000000000000000-mapping.dmp

Download
memory/968-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/968-67-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1104-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1104-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1104-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads