4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd

General

Target

4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe
Size

919KB
MD5

29beaabe26c11c370d40ae6816cae6bc
SHA1

d0e77592b573ebe099e9880a08b7c0da651569ab
SHA256

4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd
SHA512

c4d44e997b8f51d9d7b59d4a458cb64f4073c4cf0051038be9b570a5b107c99e1910baf7e590bba7ea3d57db1a920ef9904e788d5187a2d03bedb8e688db03b8
SSDEEP

24576:/Uac7EJEhlpyouGViLlvOdjoJFRJHJ2rHbXza:/27E4LDVQvOdjoRJpOHy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1800	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
752	4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Setup.exe = "1"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Setup.exe = "0"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1800	752	4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe	28
PID 752 wrote to memory of 1800	752	4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe	28
PID 752 wrote to memory of 1800	752	4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe	28
PID 752 wrote to memory of 1800	752	4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe	28
PID 752 wrote to memory of 1800	752	4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe	28
PID 752 wrote to memory of 1800	752	4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe	28
PID 752 wrote to memory of 1800	752	4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe	28

C:\Users\Admin\AppData\Local\Temp\4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe
"C:\Users\Admin\AppData\Local\Temp\4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\a2g0DIPn8b\nKKaaWNn\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\a2g0DIPn8b\nKKaaWNn\Setup.exe" --relaunch
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2g0DIPn8b\nKKaaWNn\Setup.exe

Filesize
919KB

MD5
29beaabe26c11c370d40ae6816cae6bc

SHA1
d0e77592b573ebe099e9880a08b7c0da651569ab

SHA256
4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd

SHA512
c4d44e997b8f51d9d7b59d4a458cb64f4073c4cf0051038be9b570a5b107c99e1910baf7e590bba7ea3d57db1a920ef9904e788d5187a2d03bedb8e688db03b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2g0DIPn8b\nKKaaWNn\Setup.exe

Filesize
919KB

MD5
29beaabe26c11c370d40ae6816cae6bc

SHA1
d0e77592b573ebe099e9880a08b7c0da651569ab

SHA256
4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd

SHA512
c4d44e997b8f51d9d7b59d4a458cb64f4073c4cf0051038be9b570a5b107c99e1910baf7e590bba7ea3d57db1a920ef9904e788d5187a2d03bedb8e688db03b8

Download Submit
\Users\Admin\AppData\Local\Temp\a2g0DIPn8b\nKKaaWNn\Setup.exe

Filesize
919KB

MD5
29beaabe26c11c370d40ae6816cae6bc

SHA1
d0e77592b573ebe099e9880a08b7c0da651569ab

SHA256
4235d9d3e97ce1ec3c183df9f719796399affd3790e22df1f5ae907cf07394bd

SHA512
c4d44e997b8f51d9d7b59d4a458cb64f4073c4cf0051038be9b570a5b107c99e1910baf7e590bba7ea3d57db1a920ef9904e788d5187a2d03bedb8e688db03b8

Download Submit
memory/752-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing