da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8

General

Target

da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe
Size

1.8MB
MD5

7523786cf4d3cd9ee29e99b87999e9ac
SHA1

18031ff8a806128cd7ff56c8580aeddc1611e618
SHA256

da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8
SHA512

ffca1e8364753ba0c93d0924e3f9df97c23114e94796569605c76cd051e155b5831439bde7433d6e695add9d9168a6c15f834747a72ffdcd5880b95cd302f57b
SSDEEP

49152:/pFFyhfbyOGkL7sfLWtkleG2tworeUZ2rcIEgS0:LQdGkLuLWNGoiUZ2rcIf

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

LocallhYuYIpt_n.exeLocalgFkohTObJR.exeTrojan.exe

pid process

868 LocallhYuYIpt_n.exe
1532 LocalgFkohTObJR.exe
1692 Trojan.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1360 netsh.exe

pid	process
868	LocallhYuYIpt_n.exe
1532	LocalgFkohTObJR.exe
1692	Trojan.exe

pid	process
1360	netsh.exe

Drops startup file 2 IoCs

Processes:

Trojan.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe

Loads dropped DLL 1 IoCs

Processes:

LocallhYuYIpt_n.exe

pid process

868 LocallhYuYIpt_n.exe

pid	process
868	LocallhYuYIpt_n.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Trojan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXELocalgFkohTObJR.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376046207"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C4362D1-6BD8-11ED-9351-5A21EB137514} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	LocalgFkohTObJR.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Trojan.exe

pid process

1692 Trojan.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Trojan.exe

description pid process

Token: SeDebugPrivilege 1692 Trojan.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1272 iexplore.exe
1272 iexplore.exe

pid	process
1692	Trojan.exe

description	pid	process
Token: SeDebugPrivilege	1692	Trojan.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXELocalgFkohTObJR.exeIEXPLORE.EXE

pid	process
1272	iexplore.exe
1272	iexplore.exe
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
1532	LocalgFkohTObJR.exe
1532	LocalgFkohTObJR.exe
1272	iexplore.exe
1272	iexplore.exe
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exeiexplore.exeLocallhYuYIpt_n.exeTrojan.exe

description	pid	process	target process
PID 1812 wrote to memory of 868	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocallhYuYIpt_n.exe
PID 1812 wrote to memory of 868	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocallhYuYIpt_n.exe
PID 1812 wrote to memory of 868	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocallhYuYIpt_n.exe
PID 1812 wrote to memory of 868	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocallhYuYIpt_n.exe
PID 1812 wrote to memory of 1532	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocalgFkohTObJR.exe
PID 1812 wrote to memory of 1532	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocalgFkohTObJR.exe
PID 1812 wrote to memory of 1532	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocalgFkohTObJR.exe
PID 1812 wrote to memory of 1532	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocalgFkohTObJR.exe
PID 1812 wrote to memory of 1532	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocalgFkohTObJR.exe
PID 1812 wrote to memory of 1532	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocalgFkohTObJR.exe
PID 1812 wrote to memory of 1532	1812	da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe	LocalgFkohTObJR.exe
PID 1272 wrote to memory of 1912	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1912	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1912	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1912	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1912	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1912	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1912	1272	iexplore.exe	IEXPLORE.EXE
PID 868 wrote to memory of 1692	868	LocallhYuYIpt_n.exe	Trojan.exe
PID 868 wrote to memory of 1692	868	LocallhYuYIpt_n.exe	Trojan.exe
PID 868 wrote to memory of 1692	868	LocallhYuYIpt_n.exe	Trojan.exe
PID 868 wrote to memory of 1692	868	LocallhYuYIpt_n.exe	Trojan.exe
PID 1692 wrote to memory of 1360	1692	Trojan.exe	netsh.exe
PID 1692 wrote to memory of 1360	1692	Trojan.exe	netsh.exe
PID 1692 wrote to memory of 1360	1692	Trojan.exe	netsh.exe
PID 1692 wrote to memory of 1360	1692	Trojan.exe	netsh.exe
PID 1272 wrote to memory of 1480	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1480	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1480	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1480	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1480	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1480	1272	iexplore.exe	IEXPLORE.EXE
PID 1272 wrote to memory of 1480	1272	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe
"C:\Users\Admin\AppData\Local\Temp\da092850a9b75888edd2cf5d7688d4bc9658d6e9d3e9320eeb64ee88715d69f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\LocallhYuYIpt_n.exe
"C:\Users\Admin\AppData\LocallhYuYIpt_n.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1360

C:\Users\Admin\AppData\LocalgFkohTObJR.exe
"C:\Users\Admin\AppData\LocalgFkohTObJR.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1912

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275461 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
43KB

MD5
2ee9941d7431c806528d0d41684af6ed

SHA1
12912e1a3b5b013012540684e16c8e0c50d2429d

SHA256
1fe868b0a509a0b98808fe2e017387ee098199827786a024576b7943af3f3663

SHA512
5cb68e85d9a38a629978e9fc8d0864b7428e154b1ced1df84bb2a4424c4664f63234a14a119b610126879216eafb9d047a3788c6d9b7e8c758145a317ede45ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
43KB

MD5
2ee9941d7431c806528d0d41684af6ed

SHA1
12912e1a3b5b013012540684e16c8e0c50d2429d

SHA256
1fe868b0a509a0b98808fe2e017387ee098199827786a024576b7943af3f3663

SHA512
5cb68e85d9a38a629978e9fc8d0864b7428e154b1ced1df84bb2a4424c4664f63234a14a119b610126879216eafb9d047a3788c6d9b7e8c758145a317ede45ce

Download Submit
C:\Users\Admin\AppData\LocalgFkohTObJR.exe

Filesize
1.7MB

MD5
54ac60001d5e3337a88aeb87842df721

SHA1
6a9e2690998a216a352fb9f4561d6069bb22b7ec

SHA256
f4120e1d8e98f3100d05e76d4ec4e5bebc194bfde09aa0800ef09600475bc1b8

SHA512
f6298dab0d74ac219221cc15ae22c0f063344098f1cd0eb6e9cc4bf09d6c211fba349e32f5a551bcdae4c3b7fcc1a1fc3825ce5c74b42649feafb495f922c44d

Download Submit
C:\Users\Admin\AppData\LocalgFkohTObJR.exe

Filesize
1.7MB

MD5
54ac60001d5e3337a88aeb87842df721

SHA1
6a9e2690998a216a352fb9f4561d6069bb22b7ec

SHA256
f4120e1d8e98f3100d05e76d4ec4e5bebc194bfde09aa0800ef09600475bc1b8

SHA512
f6298dab0d74ac219221cc15ae22c0f063344098f1cd0eb6e9cc4bf09d6c211fba349e32f5a551bcdae4c3b7fcc1a1fc3825ce5c74b42649feafb495f922c44d

Download Submit
C:\Users\Admin\AppData\LocallhYuYIpt_n.exe

Filesize
43KB

MD5
2ee9941d7431c806528d0d41684af6ed

SHA1
12912e1a3b5b013012540684e16c8e0c50d2429d

SHA256
1fe868b0a509a0b98808fe2e017387ee098199827786a024576b7943af3f3663

SHA512
5cb68e85d9a38a629978e9fc8d0864b7428e154b1ced1df84bb2a4424c4664f63234a14a119b610126879216eafb9d047a3788c6d9b7e8c758145a317ede45ce

Download Submit
C:\Users\Admin\AppData\LocallhYuYIpt_n.exe

Filesize
43KB

MD5
2ee9941d7431c806528d0d41684af6ed

SHA1
12912e1a3b5b013012540684e16c8e0c50d2429d

SHA256
1fe868b0a509a0b98808fe2e017387ee098199827786a024576b7943af3f3663

SHA512
5cb68e85d9a38a629978e9fc8d0864b7428e154b1ced1df84bb2a4424c4664f63234a14a119b610126879216eafb9d047a3788c6d9b7e8c758145a317ede45ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YDWZV5OL.txt

Filesize
603B

MD5
8c8f191b47b02d3d72ed11330481592d

SHA1
bb2d28d0bc0c7ea6a3cf1bdc39b0ed4691a4a145

SHA256
de70290aa53c79471c433a861679ce4f63c3471bc40287c301a67190bf2aabfe

SHA512
0d14016e7724e44461101d4cbb9e73593e1e2aa3491bb23b09d72a4c1e9e7cc0f6dc69584ad0bee404a0ab0a96788a2828ce4f3b02443853f2f7cad023a57d40

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
43KB

MD5
2ee9941d7431c806528d0d41684af6ed

SHA1
12912e1a3b5b013012540684e16c8e0c50d2429d

SHA256
1fe868b0a509a0b98808fe2e017387ee098199827786a024576b7943af3f3663

SHA512
5cb68e85d9a38a629978e9fc8d0864b7428e154b1ced1df84bb2a4424c4664f63234a14a119b610126879216eafb9d047a3788c6d9b7e8c758145a317ede45ce

Download Submit
memory/868-56-0x0000000000000000-mapping.dmp

Download
memory/868-70-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-69-0x0000000000000000-mapping.dmp

Download
memory/1532-61-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1532-59-0x0000000000000000-mapping.dmp

Download
memory/1692-65-0x0000000000000000-mapping.dmp

Download
memory/1692-72-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-80-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-55-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/1812-54-0x000007FEF3710000-0x000007FEF4133000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads