4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b

General

Target

4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
Size

308KB
MD5

5ebe9ea4775ea6316455e8e19eb8b807
SHA1

ce714c1b32c68d19a5303b2bdd436e829516460b
SHA256

4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b
SHA512

d27648ee5891abcd816890acd699e354ebc35b7f12fac73f499c4a6187d8633075035792a392f1e6212dfe6cca1e5d9825a24fa757057c78f95fd9b3aa505d35
SSDEEP

6144:t8hg7V2//I/LOpqLV5HxY3R5n62+kxiO/b/OMM9g:tCkVg/I68V5HxY3b6V+iOKMM2

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

description	ioc	process
File opened for modification	C:\WINDOWS\system32\drivers\etc\service5.ini	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

Loads dropped DLL 3 IoCs

Processes:

4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

pid	process
1716	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
1716	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
1716	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

Drops file in Program Files directory 9 IoCs

Processes:

4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows NT\sms_log.txt	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.txt	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
File opened for modification	C:\Program Files\Windows NT\service6.ini	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\iaanotif.exe	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\iaanotif.exe	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\temp.txt	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCX32B5.tmp	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
File created	C:\Program Files\Windows NT\7250520.ini	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

pid process

1716 4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

pid	process
1716	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
1716	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
1716	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
1716	4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe

C:\Users\Admin\AppData\Local\Temp\4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe
"C:\Users\Admin\AppData\Local\Temp\4b31a61b4ecb63937bd3ebb531a80d8e274d87af3b268cfca5a521559c58487b.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
308KB

MD5
18a090c62c67272c926bf485b1303e83

SHA1
c3d774f8c0cfb8502b5e891bd206192277f7304e

SHA256
aac14a34a0ad8549b8f2e7f8a7f7993b111f2ca1674bb0461b0f49c0e09c1b12

SHA512
7e0fa6826cbcd91741905b9e38f5dd1c3a9b25ec7a3a4d0311bdf4bb3c6f379c59dcca92ff24351c6c53ff383475dcf86b017488611eec62f7bf7c626d666524

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
308KB

MD5
18a090c62c67272c926bf485b1303e83

SHA1
c3d774f8c0cfb8502b5e891bd206192277f7304e

SHA256
aac14a34a0ad8549b8f2e7f8a7f7993b111f2ca1674bb0461b0f49c0e09c1b12

SHA512
7e0fa6826cbcd91741905b9e38f5dd1c3a9b25ec7a3a4d0311bdf4bb3c6f379c59dcca92ff24351c6c53ff383475dcf86b017488611eec62f7bf7c626d666524

Download Submit
\Program Files (x86)\Microsoft Office\Office14\iaanotif.exe

Filesize
89KB

MD5
901aa7a38ce13f14b6bbec38c0595698

SHA1
6abd81a46557f72680eb9e5fc74223b8c9c32088

SHA256
1e95f2048e2a1782807d52e9816ed267355718e24d01ff07ace73d965ede388a

SHA512
34bb4f656423021873363ec8dd1908fd1d01017e607ff8bc79fea3176ffb18f3281dcf21f7bedcd96c4ddbcff70bb2943435a18e31ddfb6f6c5bd226bf901672

Download Submit
memory/1716-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads