9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0

General

Target

9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe
Size

534KB
MD5

f782704cbc0161e4183e2ecd298b872b
SHA1

375b19dd80d3495bae7bbbce0a65bee1647ccf9a
SHA256

9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0
SHA512

68231f9c8fb65ba2d3658f811a10e801c621b0fe632a7543fb93785efd0f26e607db19e6922c4df747ad8601ab6c1c9e14eff5cc4fe524c8188d54fca3cd672e
SSDEEP

12288:s5Z7H7aD8d2JySQ4Pc/dP2bw0jbK51pER:6z7aD8AzPc/N2pbKzm

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe

pid process

2004 9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe

pid	process
2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\LepcEtoxo = "regsvr32.exe \"C:\\ProgramData\\LepcEtoxo\\LepcEtoxo.dat\""	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\LepcEtoxo = "regsvr32.exe \"C:\\ProgramData\\LepcEtoxo\\LepcEtoxo.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 6 IoCs

Processes:

9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{0EF07E83-4213-4878-AA3D-6D875393749B}	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{0EF07E83-4213-4878-AA3D-6D875393749B}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c396264663238316333383964316661326332646664653565663836303234633161313737303937363264333563313837346633383366656335633734393064302e65786500	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{0EF07E83-4213-4878-AA3D-6D875393749B}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{5CA76B6F-659C-4978-94EF-62D867DC5D83}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{5CA76B6F-659C-4978-94EF-62D867DC5D83}\{3BA93C54-1FAB-4194-8441-1E7456E12F6E} = 7fb78de5	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{0EF07E83-4213-4878-AA3D-6D875393749B}\#cert = 31	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exewmiprvse.exe

pid process

2004 9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe
2036 wmiprvse.exe
2036 wmiprvse.exe

pid	process
2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe
2036	wmiprvse.exe
2036	wmiprvse.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exeExplorer.EXE

description	pid	process
Token: SeCreateGlobalPrivilege	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe
Token: SeDebugPrivilege	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe
Token: SeCreateGlobalPrivilege	1372	Explorer.EXE
Token: SeShutdownPrivilege	1372	Explorer.EXE
Token: SeDebugPrivilege	1372	Explorer.EXE
Token: SeShutdownPrivilege	1372	Explorer.EXE
Token: SeShutdownPrivilege	1372	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe

pid process

2004 9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe

pid	process
2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe

description	pid	process	target process
PID 2004 wrote to memory of 328	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe	spoolsv.exe
PID 2004 wrote to memory of 328	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe	spoolsv.exe
PID 2004 wrote to memory of 1372	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe	Explorer.EXE
PID 2004 wrote to memory of 1372	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe	Explorer.EXE
PID 2004 wrote to memory of 1172	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe	sppsvc.exe
PID 2004 wrote to memory of 1172	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe	sppsvc.exe
PID 2004 wrote to memory of 1972	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe	WMIADAP.EXE
PID 2004 wrote to memory of 1972	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe	WMIADAP.EXE
PID 2004 wrote to memory of 2036	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe	wmiprvse.exe
PID 2004 wrote to memory of 2036	2004	9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe	wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1972

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe
"C:\Users\Admin\AppData\Local\Temp\9bdf281c389d1fa2c2dfde5ef86024c1a17709762d35c1874f383fec5c7490d0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:328

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LepcEtoxo\LepcEtoxo.dat
Filesize
230KB

MD5
ad875d6280dd977fc73bbb36dfab805e

SHA1
9f74587f7b7c88fa2f4ff8a04aad70374d14451d

SHA256
c36526abee5cb89d05159d1471202d3e1555438e2be45b42fe81c9997582ef87

SHA512
9a1d4955f6938b464d1c844246496790ea686aeb0237dd8667656c8226c580672ea9ab86106b8f63d940a5a657bd2035b8f969a0a38e6f4eef8ea6e28a4ce18d

Download Submit
\ProgramData\LepcEtoxo\LepcEtoxo.dat
Filesize
230KB

MD5
ad875d6280dd977fc73bbb36dfab805e

SHA1
9f74587f7b7c88fa2f4ff8a04aad70374d14451d

SHA256
c36526abee5cb89d05159d1471202d3e1555438e2be45b42fe81c9997582ef87

SHA512
9a1d4955f6938b464d1c844246496790ea686aeb0237dd8667656c8226c580672ea9ab86106b8f63d940a5a657bd2035b8f969a0a38e6f4eef8ea6e28a4ce18d

Download Submit
memory/328-60-0x00000000005F0000-0x0000000000644000-memory.dmp

Filesize
336KB

Download
memory/1372-66-0x0000000002700000-0x0000000002754000-memory.dmp

Filesize
336KB

Download
memory/1372-76-0x0000000002990000-0x00000000029FB000-memory.dmp

Filesize
428KB

Download
memory/2004-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/2004-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-58-0x0000000074AD0000-0x0000000074B03000-memory.dmp

Filesize
204KB

Download
memory/2004-64-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2004-65-0x0000000074AD0000-0x0000000074B33000-memory.dmp

Filesize
396KB

Download
memory/2004-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-78-0x0000000074AD0000-0x0000000074B03000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads