734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764

General

Target

734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe
Size

405KB
MD5

cee44d3739132e442a86ec658e6c3053
SHA1

d1d38c2485be83f1ff05e5811f6e8f71125a6819
SHA256

734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764
SHA512

30ee4c0ee8853513eb8b6ab2f408c0ca2120580de3ec3ab1857e35a6759551082ed712044260c0c317306dd35347bddf623f4bf0a5b08f9d28ae73a12e9b1983
SSDEEP

6144:NRtX+DEgy3kZN759jMjxdjevX4Ypml4y1mx8L1fUv+iGSS9RTF:HFSE4LjjK9evXC48mxrGiGnfF

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\KepfIddih = "regsvr32.exe \"C:\\ProgramData\\KepfIddih\\KepfIddih.dat\""	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\KepfIddih = "regsvr32.exe \"C:\\ProgramData\\KepfIddih\\KepfIddih.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{38775CF8-6A05-495F-B542-7B8054000DF2}	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{38775CF8-6A05-495F-B542-7B8054000DF2}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c373334653532313961616230353331663333303966333236396562393036656338323439373936666134363232393234653439386364303663623631303736342e65786500	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{38775CF8-6A05-495F-B542-7B8054000DF2}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{49A72C38-3E54-46C9-AC81-0BC553AB4609}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{49A72C38-3E54-46C9-AC81-0BC553AB4609}\{1F2C17BB-2416-471C-873A-67065426105D} = 823b9bb0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{38775CF8-6A05-495F-B542-7B8054000DF2}\#cert = 31	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe
Token: SeDebugPrivilege	1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe
Token: SeCreateGlobalPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	1220	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1040	1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe	18
PID 1552 wrote to memory of 1040	1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe	18
PID 1552 wrote to memory of 1220	1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe	15
PID 1552 wrote to memory of 1220	1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe	15
PID 1552 wrote to memory of 1032	1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe	12
PID 1552 wrote to memory of 1032	1552	734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe	12

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1032

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1220
- C:\Users\Admin\AppData\Local\Temp\734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe
  "C:\Users\Admin\AppData\Local\Temp\734e5219aab0531f3309f3269eb906ec8249796fa4622924e498cd06cb610764.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1552

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KepfIddih\KepfIddih.dat

Filesize
265KB

MD5
ae6cdbbb0660ce28202631f6e4da4dfc

SHA1
e3323820def5e7287c08c7fdef896e89b75fa3d4

SHA256
5f1647abd2bb3241852d8658d815229701c9553b5313841e62038d4f31e9db80

SHA512
400b9dfec973f723de85c6a491a6bf05fce655cbdc66253321bb9529c9c50cbf39f85e3565808a7976fc20b259f94a6891ccc70a9a8325d85a8c324f0a294531

Download Submit
\ProgramData\KepfIddih\KepfIddih.dat

Filesize
265KB

MD5
ae6cdbbb0660ce28202631f6e4da4dfc

SHA1
e3323820def5e7287c08c7fdef896e89b75fa3d4

SHA256
5f1647abd2bb3241852d8658d815229701c9553b5313841e62038d4f31e9db80

SHA512
400b9dfec973f723de85c6a491a6bf05fce655cbdc66253321bb9529c9c50cbf39f85e3565808a7976fc20b259f94a6891ccc70a9a8325d85a8c324f0a294531

Download Submit
memory/1040-61-0x0000000001D60000-0x0000000001DB3000-memory.dmp

Filesize
332KB

Download
memory/1220-72-0x0000000002C70000-0x0000000002CDB000-memory.dmp

Filesize
428KB

Download
memory/1220-71-0x0000000002AA0000-0x0000000002AF3000-memory.dmp

Filesize
332KB

Download
memory/1552-59-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1552-58-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1552-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-70-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1552-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-74-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1552-75-0x0000000001E90000-0x0000000001EE3000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads