e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1

General

Target

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Size

534KB
MD5

6b97b75dd6eb688db2934f2250ecc9f8
SHA1

49fc3a3e3164f8bae7eae1069b11fb99ec74fab2
SHA256

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1
SHA512

6c377d76fe46f67ff97ed660b3c32140ddb4501dce08ecd1f783a0905a4eec2a689df2d010d6b83e4dfb0c1de84375d65674b937c7fc0d1823cbf09352bfa75a
SSDEEP

12288:1JZ7H7AQTmNBt8XlBLglAfNpQofcyw35139Gu:Vz7AQKNBtm/QoUN3A

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

pid process

1792 e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

pid	process
1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\XormiCmogu = "regsvr32.exe \"C:\\ProgramData\\XormiCmogu\\XormiCmogu.dat\""	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\XormiCmogu = "regsvr32.exe \"C:\\ProgramData\\XormiCmogu\\XormiCmogu.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 6 IoCs

Processes:

Explorer.EXEe216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{6CB56B09-6C98-43F5-B4B2-7D3615EA1DB8}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{6CB56B09-6C98-43F5-B4B2-7D3615EA1DB8}\{168329AF-2CEF-4C93-926C-2FC3338F1B63} = 5f0fc2bb	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{4DA10656-61FC-4970-80D1-1AAB319A01FB}\#cert = 31	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{4DA10656-61FC-4970-80D1-1AAB319A01FB}	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{4DA10656-61FC-4970-80D1-1AAB319A01FB}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c653231366163303664306664653761346534633862353736343164396436663239323930333935333765336235333734356137373633353466353938666164312e65786500	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{4DA10656-61FC-4970-80D1-1AAB319A01FB}	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exewmiprvse.exe

pid process

1792 e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
1764 wmiprvse.exe
1764 wmiprvse.exe

pid	process
1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
1764	wmiprvse.exe
1764	wmiprvse.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exeExplorer.EXE

description	pid	process
Token: SeCreateGlobalPrivilege	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Token: SeDebugPrivilege	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Token: SeCreateGlobalPrivilege	1236	Explorer.EXE
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeDebugPrivilege	1236	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

pid process

1792 e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

pid	process
1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

description	pid	process	target process
PID 1792 wrote to memory of 328	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	spoolsv.exe
PID 1792 wrote to memory of 328	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	spoolsv.exe
PID 1792 wrote to memory of 1236	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	Explorer.EXE
PID 1792 wrote to memory of 1236	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	Explorer.EXE
PID 1792 wrote to memory of 1816	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	sppsvc.exe
PID 1792 wrote to memory of 1816	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	sppsvc.exe
PID 1792 wrote to memory of 1672	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	WMIADAP.EXE
PID 1792 wrote to memory of 1672	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	WMIADAP.EXE
PID 1792 wrote to memory of 1764	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	wmiprvse.exe
PID 1792 wrote to memory of 1764	1792	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1764

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1672

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1816

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Users\Admin\AppData\Local\Temp\e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
"C:\Users\Admin\AppData\Local\Temp\e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:328

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XormiCmogu\XormiCmogu.dat
Filesize
230KB

MD5
db5b4f5393ccac3c258ff3ef2426cf9f

SHA1
663850789045684209da01d5d752a0b34304e3b7

SHA256
05ce901af1a0ae28f0a20dda1c34c808eb7a4422fe7a9cb638cb097e7cacafaf

SHA512
a73c07af8a14f9be737890bed1e53a7a610726bb6636bc88f06383e84df5917a21a1238c3bc1c53e100ea3d78a7b6e8e5b77b1802319a658dcaa6ac6e6793154

Download Submit
\ProgramData\XormiCmogu\XormiCmogu.dat
Filesize
230KB

MD5
db5b4f5393ccac3c258ff3ef2426cf9f

SHA1
663850789045684209da01d5d752a0b34304e3b7

SHA256
05ce901af1a0ae28f0a20dda1c34c808eb7a4422fe7a9cb638cb097e7cacafaf

SHA512
a73c07af8a14f9be737890bed1e53a7a610726bb6636bc88f06383e84df5917a21a1238c3bc1c53e100ea3d78a7b6e8e5b77b1802319a658dcaa6ac6e6793154

Download Submit
memory/328-60-0x0000000001EC0000-0x0000000001F14000-memory.dmp

Filesize
336KB

Download
memory/1236-75-0x00000000029A0000-0x00000000029F4000-memory.dmp

Filesize
336KB

Download
memory/1236-76-0x0000000002A60000-0x0000000002ACB000-memory.dmp

Filesize
428KB

Download
memory/1792-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1792-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1792-58-0x0000000074DB0000-0x0000000074DE3000-memory.dmp

Filesize
204KB

Download
memory/1792-73-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1792-74-0x0000000074DB0000-0x0000000074E13000-memory.dmp

Filesize
396KB

Download
memory/1792-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1792-78-0x0000000074DB0000-0x0000000074DE3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads