9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0

General

Target

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Size

409KB
MD5

35f9fc3d8ca341cd6f65189ce25be1c2
SHA1

cae0189d23c3b22bd0971fc0d194d88b59ce52bb
SHA256

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0
SHA512

edabaceb82deb52048d85459b40f52f9ae3d5024aeb0a9461572b07a360cf8a78c0f488aa374c0208249cdfef437f1ca9e9d2a2f77ebe726df291aa3a2d56e87
SSDEEP

6144:YxFnLbgMJRd37/E/NsOdh+vTt7a6TNAVYkDHARU7fXCwXD93FSEqOoNvexyg:Yx1gMrdAxdkvTdT23gRULvSEINvRg

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

pid process

2024 9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

pid	process
2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\DigbElif = "regsvr32.exe \"C:\\ProgramData\\DigbElif\\DigbElif.dat\""	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\DigbElif = "regsvr32.exe \"C:\\ProgramData\\DigbElif\\DigbElif.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 6 IoCs

Processes:

Explorer.EXE9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{28FB7CC1-5F8E-4F7F-9E91-5CDF46D923E7}\{1EBB0F7B-13F8-42FB-BE71-18C2312A3987} = f62865f6	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{6C9C60E4-6F96-4D8F-AF6A-08B869A703F2}\#cert = 31	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{6C9C60E4-6F96-4D8F-AF6A-08B869A703F2}	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{6C9C60E4-6F96-4D8F-AF6A-08B869A703F2}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c393437316161313361633266653531343366363838613835636261636233663063653137393834353965353330613266393934623439623533323439623463302e65786500	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{6C9C60E4-6F96-4D8F-AF6A-08B869A703F2}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\CLSID\{28FB7CC1-5F8E-4F7F-9E91-5CDF46D923E7}	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

pid process

2024 9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE

pid	process
2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

pid	process
1372	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exeExplorer.EXE

description	pid	process
Token: SeCreateGlobalPrivilege	2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Token: SeDebugPrivilege	2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Token: SeCreateGlobalPrivilege	1372	Explorer.EXE
Token: SeShutdownPrivilege	1372	Explorer.EXE
Token: SeDebugPrivilege	1372	Explorer.EXE
Token: SeShutdownPrivilege	1372	Explorer.EXE
Token: SeShutdownPrivilege	1372	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

description	pid	process	target process
PID 2024 wrote to memory of 300	2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe	spoolsv.exe
PID 2024 wrote to memory of 300	2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe	spoolsv.exe
PID 2024 wrote to memory of 1372	2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe	Explorer.EXE
PID 2024 wrote to memory of 1372	2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe	Explorer.EXE
PID 2024 wrote to memory of 760	2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe	sppsvc.exe
PID 2024 wrote to memory of 760	2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe	sppsvc.exe
PID 2024 wrote to memory of 1936	2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe	WMIADAP.EXE
PID 2024 wrote to memory of 1936	2024	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe	WMIADAP.EXE

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1936

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Users\Admin\AppData\Local\Temp\9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
"C:\Users\Admin\AppData\Local\Temp\9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DigbElif\DigbElif.dat

Filesize
276KB

MD5
1e74f0a3622261ab8072cd76f5f7bd89

SHA1
a534edb09915f95065d0f8379a18926583695715

SHA256
27ff45f4358c0f3ebb775fcbf205f785d24fb0070ffb04fc3ee24d83c1b1bb0e

SHA512
cb40f6c8b04d75a1b13ee48887e861a324bdc7a496a2cd83954a71af2d0dd5644532b3d4e5d2c377c5d87b02041736b5f9f0f59c6d08c21abf29f9cef5504fe0

Download Submit
\ProgramData\DigbElif\DigbElif.dat

Filesize
276KB

MD5
1e74f0a3622261ab8072cd76f5f7bd89

SHA1
a534edb09915f95065d0f8379a18926583695715

SHA256
27ff45f4358c0f3ebb775fcbf205f785d24fb0070ffb04fc3ee24d83c1b1bb0e

SHA512
cb40f6c8b04d75a1b13ee48887e861a324bdc7a496a2cd83954a71af2d0dd5644532b3d4e5d2c377c5d87b02041736b5f9f0f59c6d08c21abf29f9cef5504fe0

Download Submit
memory/300-60-0x0000000001C30000-0x0000000001C84000-memory.dmp

Filesize
336KB

Download
memory/1372-72-0x0000000002690000-0x00000000026E4000-memory.dmp

Filesize
336KB

Download
memory/1372-73-0x00000000026F0000-0x000000000275B000-memory.dmp

Filesize
428KB

Download
memory/2024-54-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x0000000001E80000-0x0000000001EA5000-memory.dmp

Filesize
148KB

Download
memory/2024-56-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2024-58-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2024-71-0x0000000010000000-0x000000001006E000-memory.dmp

Filesize
440KB

Download
memory/2024-74-0x0000000001E80000-0x0000000001EA5000-memory.dmp

Filesize
148KB

Download
memory/2024-75-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads