40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d

General

Target

40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
Size

1.1MB
MD5

e2d787e878ceb09f951997b4a530a30d
SHA1

27fd85f0f3e874e0ee9a38561bf32faab5cd72ef
SHA256

40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d
SHA512

4c4df1a2475146526bba41d82ad7efbee5e904fecebe1ee45fb577f7a7f2677299728e7d4f35fcf4c9cb955ad295528941c9456efbd1092b3ee69cc853a80804
SSDEEP

24576:CF/QS8oTXrxf4XQjfxYE3ncjq5E8TIc4+nDCg1:CNHTtf4XkQq5E8gQ2U

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe

description	pid	process	target process
PID 1280 set thread context of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe

pid	process
2004	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
2004	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
2004	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
2004	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
2004	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe

description	pid	process	target process
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
PID 1280 wrote to memory of 2004	1280	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe	40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe

C:\Users\Admin\AppData\Local\Temp\40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
"C:\Users\Admin\AppData\Local\Temp\40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\40fd30c5a5a79e47f1ace8e0decb3215ab147feff6d75e006078cb81f982c28d.exe
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-54-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2004-55-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2004-57-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2004-59-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2004-61-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2004-63-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2004-65-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2004-66-0x000000000044E28C-mapping.dmp

Download
memory/2004-68-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/2004-69-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2004-70-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2004-71-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2004-73-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads