fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642

General

Target

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Size

376KB
MD5

344445e567c46fa7afb6a53bfb13ac3f
SHA1

d610a4649d9c47fb2efe12b16158ba5262398bdd
SHA256

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642
SHA512

537205e5ad00625eebad5dddeda4b2cceb228be09d6a4209e9fb5b490560ffcb86fe280235ca37653fb8df94463aad6a30b5062a3a661c9826f5c12f61a92f63
SSDEEP

6144:KAwhHMZ1iPD9TRvA6HRpLCd2+CavQFX152HhPtH:K/hi1ipTu6xwpIFD2Ft

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

pid process

1944 fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

pid	process
1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WegbaQfopi = "regsvr32.exe \"C:\\ProgramData\\WegbaQfopi\\WegbaQfopi.dat\""	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WegbaQfopi = "regsvr32.exe \"C:\\ProgramData\\WegbaQfopi\\WegbaQfopi.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 6 IoCs

Processes:

Explorer.EXEfcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{1AAC033C-066C-44ED-B52C-156305541963}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{1AAC033C-066C-44ED-B52C-156305541963}\{707D348B-42C0-45B4-BE11-337A513111E7} = ae017140	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{20104D6F-423F-45B5-8B94-276431210C0C}\#cert = 31	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{20104D6F-423F-45B5-8B94-276431210C0C}	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{20104D6F-423F-45B5-8B94-276431210C0C}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c666363613430386564386435316263356662383839303662323165633232336132376464663237396432613666303538396163353733356330643738653634322e65786500	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{20104D6F-423F-45B5-8B94-276431210C0C}	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exewmiprvse.exe

pid process

1944 fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
1956 wmiprvse.exe
1956 wmiprvse.exe

pid	process
1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
1956	wmiprvse.exe
1956	wmiprvse.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exeExplorer.EXE

description	pid	process
Token: SeCreateGlobalPrivilege	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Token: SeDebugPrivilege	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Token: SeCreateGlobalPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	1220	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

pid process

1944 fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

pid	process
1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

description	pid	process	target process
PID 1944 wrote to memory of 1028	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	spoolsv.exe
PID 1944 wrote to memory of 1028	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	spoolsv.exe
PID 1944 wrote to memory of 1220	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	Explorer.EXE
PID 1944 wrote to memory of 1220	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	Explorer.EXE
PID 1944 wrote to memory of 984	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	sppsvc.exe
PID 1944 wrote to memory of 984	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	sppsvc.exe
PID 1944 wrote to memory of 1668	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	WMIADAP.EXE
PID 1944 wrote to memory of 1668	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	WMIADAP.EXE
PID 1944 wrote to memory of 1956	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	wmiprvse.exe
PID 1944 wrote to memory of 1956	1944	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1956

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1668

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
"C:\Users\Admin\AppData\Local\Temp\fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WegbaQfopi\WegbaQfopi.dat

Filesize
253KB

MD5
b4b7a9a783dbe7cc2bb0559ca9d48d58

SHA1
55e7adb825f6ef6c61494e19efaf9027f6f8a6cc

SHA256
0102c0f39d8c7843cd734cec173c36d03218f5f08d52a30635dbb2aa77674806

SHA512
76b0bd2217fb8207baaf752180c001a2ec2f3436c594d37a7c2e8305806168d92559bd3fe544950425d9af55786626800aecc3e154daef5c1a86f46a260bb7ba

Download Submit
\ProgramData\WegbaQfopi\WegbaQfopi.dat

Filesize
253KB

MD5
b4b7a9a783dbe7cc2bb0559ca9d48d58

SHA1
55e7adb825f6ef6c61494e19efaf9027f6f8a6cc

SHA256
0102c0f39d8c7843cd734cec173c36d03218f5f08d52a30635dbb2aa77674806

SHA512
76b0bd2217fb8207baaf752180c001a2ec2f3436c594d37a7c2e8305806168d92559bd3fe544950425d9af55786626800aecc3e154daef5c1a86f46a260bb7ba

Download Submit
memory/1028-61-0x0000000001CB0000-0x0000000001D04000-memory.dmp

Filesize
336KB

Download
memory/1220-76-0x0000000002B00000-0x0000000002B6B000-memory.dmp

Filesize
428KB

Download
memory/1220-75-0x00000000029B0000-0x0000000002A04000-memory.dmp

Filesize
336KB

Download
memory/1944-54-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1944-55-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1944-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1944-59-0x0000000074B00000-0x0000000074B33000-memory.dmp

Filesize
204KB

Download
memory/1944-74-0x0000000074B00000-0x0000000074B68000-memory.dmp

Filesize
416KB

Download
memory/1944-77-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1944-78-0x0000000074B00000-0x0000000074B33000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads