1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170

General

Target

1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe
Size

164KB
MD5

5664b9abe1b27ac646d149a4e0383d3a
SHA1

95ae306087d40d64757c8328d5ecad288025a254
SHA256

1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170
SHA512

478e753a03a9bcb5040acd1122d1f274cef481711d0e9858474c84f36e9dbdc5d5eddab5ee205ff3ab4d8a33872251f0d130ace7f12cf017efe510424576fb7e
SSDEEP

3072:ASpYdBUSchnEDRjIs+IrRiSv4Z9QkDIUCeTxnMwwYeIfB4cOS8oCRcLYB3IMgHZp:1edBUSeWjwwRiMGDIUCe1nMwuIfB4cOy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Hmelaa.exe

pid process

224 Hmelaa.exe

pid	process
224	Hmelaa.exe

Drops file in Windows directory 6 IoCs

Processes:

1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exeHmelaa.exe

description	ioc	process
File created	C:\Windows\Hmelaa.exe	1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe
File opened for modification	C:\Windows\Hmelaa.exe	1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	Hmelaa.exe
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	Hmelaa.exe
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Hmelaa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\International	Hmelaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exeHmelaa.exe

pid	process
2016	1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe
2016	1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe
224	Hmelaa.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe

description	pid	process	target process
PID 2016 wrote to memory of 224	2016	1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe	Hmelaa.exe
PID 2016 wrote to memory of 224	2016	1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe	Hmelaa.exe
PID 2016 wrote to memory of 224	2016	1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe	Hmelaa.exe

C:\Users\Admin\AppData\Local\Temp\1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe
"C:\Users\Admin\AppData\Local\Temp\1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\Hmelaa.exe
C:\Windows\Hmelaa.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hmelaa.exe

Filesize
164KB

MD5
5664b9abe1b27ac646d149a4e0383d3a

SHA1
95ae306087d40d64757c8328d5ecad288025a254

SHA256
1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170

SHA512
478e753a03a9bcb5040acd1122d1f274cef481711d0e9858474c84f36e9dbdc5d5eddab5ee205ff3ab4d8a33872251f0d130ace7f12cf017efe510424576fb7e

Download Submit
C:\Windows\Hmelaa.exe

Filesize
164KB

MD5
5664b9abe1b27ac646d149a4e0383d3a

SHA1
95ae306087d40d64757c8328d5ecad288025a254

SHA256
1be70aadab1048bf2cbf71ee7fdb951cf47f04065674e6ad83d114a670f5a170

SHA512
478e753a03a9bcb5040acd1122d1f274cef481711d0e9858474c84f36e9dbdc5d5eddab5ee205ff3ab4d8a33872251f0d130ace7f12cf017efe510424576fb7e

Download Submit
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Filesize
426B

MD5
fe2ad67a0cbb8f6890b7367518a44b2b

SHA1
c7bf87ed2b3f0a94eed826ccc49d64b4815dace1

SHA256
6d784ac1d5780494fcbe9afbf6260a20193b5011d8a7adf19c12eb62024e1de6

SHA512
719d352d088aa703d44759a8ff546c42a5abcc5489a6d17e7f1b30842775bba355ce83bd0630d7590293fb53db6e2949f54cf41a3c87395f27a97aec940afa62

Download Submit
memory/224-134-0x0000000000000000-mapping.dmp

Download
memory/224-138-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/224-139-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2016-132-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2016-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2016-140-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads