6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33

General

Target

6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe
Size

380KB
MD5

9b7a9bb4e16da87e6fc8bfcfd517e18d
SHA1

4c0c14a5e7f193b00efd361669261e54126a1a93
SHA256

6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33
SHA512

1d6426fae9a4d38618eca5bd13f0454991364d2713a4db2a78cbf4f3104926996280a1fec53ffeae89581d98f6075d2222898ac70cbbd182059dda7fe16c66e9
SSDEEP

6144:O/N8G7t9c98SlByngsN7oXxXr1ux8DMEhHw81BMq8PF3yYBEgaSf+iHXt1L:O/N8p98SKngqDwq81Bf8PAKFH+i3X

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

hF40501ChEiH40501.exe

pid process

1708 hF40501ChEiH40501.exe

pid	process
1708	hF40501ChEiH40501.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1460-55-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/1460-60-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/1708-62-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/1708-64-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

hF40501ChEiH40501.exe

pid process

1708 hF40501ChEiH40501.exe

pid	process
1708	hF40501ChEiH40501.exe

Loads dropped DLL 2 IoCs

Processes:

6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe

pid	process
1460	6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe
1460	6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hF40501ChEiH40501.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hF40501ChEiH40501 = "C:\\ProgramData\\hF40501ChEiH40501\\hF40501ChEiH40501.exe"	hF40501ChEiH40501.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

hF40501ChEiH40501.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	hF40501ChEiH40501.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exehF40501ChEiH40501.exe

pid	process
1460	6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exehF40501ChEiH40501.exe

description	pid	process
Token: SeDebugPrivilege	1460	6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe
Token: SeDebugPrivilege	1708	hF40501ChEiH40501.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

hF40501ChEiH40501.exe

pid process

1708 hF40501ChEiH40501.exe
1708 hF40501ChEiH40501.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

hF40501ChEiH40501.exe

pid process

1708 hF40501ChEiH40501.exe
1708 hF40501ChEiH40501.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

hF40501ChEiH40501.exe

pid process

1708 hF40501ChEiH40501.exe
1708 hF40501ChEiH40501.exe

pid	process
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe

pid	process
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe

pid	process
1708	hF40501ChEiH40501.exe
1708	hF40501ChEiH40501.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe

description	pid	process	target process
PID 1460 wrote to memory of 1708	1460	6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe	hF40501ChEiH40501.exe
PID 1460 wrote to memory of 1708	1460	6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe	hF40501ChEiH40501.exe
PID 1460 wrote to memory of 1708	1460	6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe	hF40501ChEiH40501.exe
PID 1460 wrote to memory of 1708	1460	6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe	hF40501ChEiH40501.exe

C:\Users\Admin\AppData\Local\Temp\6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe
"C:\Users\Admin\AppData\Local\Temp\6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\ProgramData\hF40501ChEiH40501\hF40501ChEiH40501.exe
"C:\ProgramData\hF40501ChEiH40501\hF40501ChEiH40501.exe" "C:\Users\Admin\AppData\Local\Temp\6f9fcf353af16b909e45ddbbab00a4c56205b7b0c3c3a5bb314f50a21be36f33.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hF40501ChEiH40501\hF40501ChEiH40501.exe
Filesize
380KB

MD5
490e31f0cea8bb28aacc931ef523f708

SHA1
0c23a9b080d9ed15c2227371a7938ebb03333422

SHA256
9b9829821250bf6237125008c2734f056ea39c8cf11d5c27dc4b37b0b298deec

SHA512
199b9cec581f62166d54a00f38f5705e67e5eb6ebe939b50a054e4b4ee5ad0479e277f2e8e4118f6c562719af0e8ee18940ad581e697916e2fd41a23e3289b14

Download Submit
C:\ProgramData\hF40501ChEiH40501\hF40501ChEiH40501.exe
Filesize
380KB

MD5
490e31f0cea8bb28aacc931ef523f708

SHA1
0c23a9b080d9ed15c2227371a7938ebb03333422

SHA256
9b9829821250bf6237125008c2734f056ea39c8cf11d5c27dc4b37b0b298deec

SHA512
199b9cec581f62166d54a00f38f5705e67e5eb6ebe939b50a054e4b4ee5ad0479e277f2e8e4118f6c562719af0e8ee18940ad581e697916e2fd41a23e3289b14

Download Submit
\ProgramData\hF40501ChEiH40501\hF40501ChEiH40501.exe
Filesize
380KB

MD5
490e31f0cea8bb28aacc931ef523f708

SHA1
0c23a9b080d9ed15c2227371a7938ebb03333422

SHA256
9b9829821250bf6237125008c2734f056ea39c8cf11d5c27dc4b37b0b298deec

SHA512
199b9cec581f62166d54a00f38f5705e67e5eb6ebe939b50a054e4b4ee5ad0479e277f2e8e4118f6c562719af0e8ee18940ad581e697916e2fd41a23e3289b14

Download Submit
\ProgramData\hF40501ChEiH40501\hF40501ChEiH40501.exe
Filesize
380KB

MD5
490e31f0cea8bb28aacc931ef523f708

SHA1
0c23a9b080d9ed15c2227371a7938ebb03333422

SHA256
9b9829821250bf6237125008c2734f056ea39c8cf11d5c27dc4b37b0b298deec

SHA512
199b9cec581f62166d54a00f38f5705e67e5eb6ebe939b50a054e4b4ee5ad0479e277f2e8e4118f6c562719af0e8ee18940ad581e697916e2fd41a23e3289b14

Download Submit
memory/1460-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1460-55-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1460-60-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1708-58-0x0000000000000000-mapping.dmp

Download
memory/1708-62-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1708-64-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads