fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0

General

Target

fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
Size

1.3MB
MD5

144515e30a0a88ce602de68c957ff581
SHA1

3c0c7c4e2886965ffadd0f44ad29d60b0b8eca21
SHA256

fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0
SHA512

cb9c44eeb80323c98d740dced12a8003ee173fc81892506c449f62adbe657c017ad5e687ec6a2bc5a758a26b92ef0bfe2287288d4c0afec4a13fb215638c6458
SSDEEP

24576:2KyKz4D4ufmwhzA2QoPKCys7JdpmnMlxy9KR8uQcux:2KVzMNuwIKyoBmnMSURNQR

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe

description	pid	process	target process
PID 940 set thread context of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe

pid	process
892	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
892	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
892	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
892	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
892	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe

description	pid	process	target process
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
PID 940 wrote to memory of 892	940	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe	fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe

C:\Users\Admin\AppData\Local\Temp\fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
"C:\Users\Admin\AppData\Local\Temp\fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\fb6528937467921b63fcb5eee278f6f4d319a4d4f7a5d42d86187ed5d53211a0.exe
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/892-55-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/892-57-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/892-59-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/892-63-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/892-61-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/892-65-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/892-66-0x000000000044D5E3-mapping.dmp

Download
memory/892-68-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/892-69-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/892-70-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/892-72-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/892-73-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads