157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d

General

Target

157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe
Size

294KB
MD5

44df3d079e11faf3510b7d884a6d9c2d
SHA1

5ee87ce44a0c5c70286081b020b54870901d2c60
SHA256

157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d
SHA512

b323b555655cd3cedd45e76b9a0c61ff7101e19b8341abc146f1d472f9bc3c1cbe7d3e0cae056506bb6fdec5ce9c309751a4f58756e04e8284dd0cf032e795b2
SSDEEP

6144:cdYgxDh5luzMm2mBiXS6S9JSelDyX2UFLstcAyXRU0ODDoB:tgxDh3uLTKSH9flD74sK60ODDoB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

pid process

1260 157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

pid	process
1260	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

Loads dropped DLL 3 IoCs

Processes:

157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

pid	process
1124	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe
1260	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp
1260	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

regedit.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main regedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hae123.com"	regedit.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

936 regedit.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

pid process

1260 157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

pid	process
936	regedit.exe

pid	process
1260	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

description	pid	process	target process
PID 1124 wrote to memory of 1260	1124	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp
PID 1124 wrote to memory of 1260	1124	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp
PID 1124 wrote to memory of 1260	1124	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp
PID 1124 wrote to memory of 1260	1124	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp
PID 1260 wrote to memory of 936	1260	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp	regedit.exe
PID 1260 wrote to memory of 936	1260	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp	regedit.exe
PID 1260 wrote to memory of 936	1260	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp	regedit.exe
PID 1260 wrote to memory of 936	1260	157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp	regedit.exe

C:\Users\Admin\AppData\Local\Temp\157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe
"C:\Users\Admin\AppData\Local\Temp\157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\is-3B2TL.tmp\157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3B2TL.tmp\157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp" /SL5="$70122,51915,51712,C:\Users\Admin\AppData\Local\Temp\157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\Regedit.exe" -s C:\Adobe\info.desc
3⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Runs regedit.exe
PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe\info.desc

Filesize
280B

MD5
a0fd44bf16c285a195d371ba2404dc0a

SHA1
1880991f3f49d2f35e86ce2575d7535517a10f28

SHA256
686ea1ff46449d5412e6454ca7329a6f03e777714e35d502640c61ac16849613

SHA512
3477a190eda4b3fd79319ebeab24c3a62cdaffeb4d58f65488713f23e370f8a906365985dad5a8bd39a5d2e047c6f1da40af1d952cb3899c9809a32fb03b970a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3B2TL.tmp\157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
\Users\Admin\AppData\Local\Temp\is-3B2TL.tmp\157d3a0ae88b9013acc82b5fb1bf64f0de9ebb573fadd00d67984f15fb26e53d.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
\Users\Admin\AppData\Local\Temp\is-J8I1N.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-J8I1N.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/936-65-0x0000000000000000-mapping.dmp

Download
memory/1124-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1124-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1124-63-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1124-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1260-58-0x0000000000000000-mapping.dmp

Download
memory/1260-64-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads