c16bb1dc143768fd447c7058af1e049ec4da42ee7ab705f0f6e492b5c5f04657

General

Target

Vale_Presente.exe
Size

1.7MB
MD5

ea6ffad92153412e5237665c82c78799
SHA1

db71dca3183cb79d10cde3153d2c7eab4d6ad7d2
SHA256

f5a5f9093b00de4ab3740188f75612847e94551cba90878519637d86b5355e01
SHA512

ed13c783bfc614d2ed1c3b31e22cef33234c5ad77d1017f9368d5a6542a98325496f119a78fdc80bc92f1faa31ef06f079d8023e154ea6f987479bc06add5ae3
SSDEEP

3072:dwvqbFtkEyWvXFPmy/DA/cZd0SzsZpzbwgWamdUHGNFopPF1XeRBIytGVXi8FrTN:jDycXI6lZij/1TGFo5F1DXRDXy1

Score

10^/10

adware evasion persistence stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

26112022.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 26112022.exe
Executes dropped EXE 1 IoCs

Processes:

26112022.exe

pid process

680 26112022.exe
Loads dropped DLL 3 IoCs

Processes:

Vale_Presente.exe26112022.exe

pid process

1736 Vale_Presente.exe
1736 Vale_Presente.exe
680 26112022.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26112022.exe

pid	process
680	26112022.exe

pid	process
1736	Vale_Presente.exe
1736	Vale_Presente.exe
680	26112022.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

26112022.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IxplorerStart = "C:\\Program Files\\Internet Explorer\\iexplore.exe"	26112022.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

26112022.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 26112022.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26112022.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

26112022.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2957A774-1BFE-41B6-B3E0-352AD2736B68}	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\NoExplorer = "1"	26112022.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

26112022.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main 26112022.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	26112022.exe

Modifies registry class 45 IoCs

Processes:

26112022.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\0	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\HELPDIR	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\ProgID\ = "Micronews.ClsMicronews"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews\ = "Micronews.ClsMicronews"	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\Implemented Categories	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\0\win32	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\Version = "1.0"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\InprocServer32\ThreadingModel = "Apartment"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\TypeLib\ = "{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews\Clsid\ = "{2957A774-1BFE-41B6-B3E0-352AD2736B68}"	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\FLAGS	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ = "ClsMicronews"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\HELPDIR\ = "c:\\Users\\Admin\\jdjoosvd"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ = "_ClsMicronews"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\ = "{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\ = "Micronews.ClsMicronews"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\InprocServer32\ = "c:\\Users\\Admin\\jdjoosvd\\jdjoosvd.tmp"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\Version = "1.0"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ = "_ClsMicronews"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\InprocServer32	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Micronews.ClsMicronews\Clsid	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\Programmable	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\ = "Micronews"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\FLAGS\ = "0"	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\ProxyStubClsid32	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}\TypeLib\ = "{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}"	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\VERSION	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\VERSION\ = "1.0"	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2317D35D-2345-4C2C-A898-3B1FABCFD7B1}\1.0\0\win32\ = "c:\\Users\\Admin\\jdjoosvd\\jdjoosvd.tmp"	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664ADD2C-104E-4B6C-9F4E-600E71D99AAA}	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\ProgID	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68}\TypeLib	26112022.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEshutdown.exe

description	pid	process
Token: 33	688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	688	AUDIODG.EXE
Token: 33	688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	688	AUDIODG.EXE
Token: SeShutdownPrivilege	304	shutdown.exe
Token: SeRemoteShutdownPrivilege	304	shutdown.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

26112022.exe

pid process

680 26112022.exe
680 26112022.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Vale_Presente.exe26112022.exe

pid process

1736 Vale_Presente.exe
1736 Vale_Presente.exe
1736 Vale_Presente.exe
680 26112022.exe
680 26112022.exe
680 26112022.exe

pid	process
680	26112022.exe
680	26112022.exe

pid	process
1736	Vale_Presente.exe
1736	Vale_Presente.exe
1736	Vale_Presente.exe
680	26112022.exe
680	26112022.exe
680	26112022.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Vale_Presente.exe26112022.exe

description	pid	process	target process
PID 1736 wrote to memory of 680	1736	Vale_Presente.exe	26112022.exe
PID 1736 wrote to memory of 680	1736	Vale_Presente.exe	26112022.exe
PID 1736 wrote to memory of 680	1736	Vale_Presente.exe	26112022.exe
PID 1736 wrote to memory of 680	1736	Vale_Presente.exe	26112022.exe
PID 680 wrote to memory of 304	680	26112022.exe	shutdown.exe
PID 680 wrote to memory of 304	680	26112022.exe	shutdown.exe
PID 680 wrote to memory of 304	680	26112022.exe	shutdown.exe
PID 680 wrote to memory of 304	680	26112022.exe	shutdown.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

26112022.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	26112022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2957A774-1BFE-41B6-B3E0-352AD2736B68} = "1"	26112022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	26112022.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26112022.exe

C:\Users\Admin\AppData\Local\Temp\Vale_Presente.exe
"C:\Users\Admin\AppData\Local\Temp\Vale_Presente.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\26112022.exe
"C:\Users\Admin\26112022.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:680

C:\Windows\SysWOW64\shutdown.exe
shutdown.exe -r -f -t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2004

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1700

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\26112022.exe
Filesize
1.7MB

MD5
ea6ffad92153412e5237665c82c78799

SHA1
db71dca3183cb79d10cde3153d2c7eab4d6ad7d2

SHA256
f5a5f9093b00de4ab3740188f75612847e94551cba90878519637d86b5355e01

SHA512
ed13c783bfc614d2ed1c3b31e22cef33234c5ad77d1017f9368d5a6542a98325496f119a78fdc80bc92f1faa31ef06f079d8023e154ea6f987479bc06add5ae3

Download Submit
C:\Users\Admin\26112022.exe
Filesize
1.7MB

MD5
ea6ffad92153412e5237665c82c78799

SHA1
db71dca3183cb79d10cde3153d2c7eab4d6ad7d2

SHA256
f5a5f9093b00de4ab3740188f75612847e94551cba90878519637d86b5355e01

SHA512
ed13c783bfc614d2ed1c3b31e22cef33234c5ad77d1017f9368d5a6542a98325496f119a78fdc80bc92f1faa31ef06f079d8023e154ea6f987479bc06add5ae3

Download Submit
C:\Users\Admin\26112022.tmp
Filesize
55B

MD5
929ed09ec05257e4b2852823a571ca47

SHA1
5ead69983eeda06dbf09b24df8264b95d0f4738c

SHA256
c2b80186cc569e5dcdd394d4c0e71a38a2470f4415e2d2bddd33f1785d4dec74

SHA512
ea9638246d19a8ceccb832744cba27fa1b056e53f8a1d032774d766e55cdcaf3dd7a87dfa0344fd22c5212bdfd539b301bc82c157a8b7a721c8688863aa322b8

Download Submit
\Users\Admin\26112022.exe
Filesize
1.7MB

MD5
ea6ffad92153412e5237665c82c78799

SHA1
db71dca3183cb79d10cde3153d2c7eab4d6ad7d2

SHA256
f5a5f9093b00de4ab3740188f75612847e94551cba90878519637d86b5355e01

SHA512
ed13c783bfc614d2ed1c3b31e22cef33234c5ad77d1017f9368d5a6542a98325496f119a78fdc80bc92f1faa31ef06f079d8023e154ea6f987479bc06add5ae3

Download Submit
\Users\Admin\26112022.exe
Filesize
1.7MB

MD5
ea6ffad92153412e5237665c82c78799

SHA1
db71dca3183cb79d10cde3153d2c7eab4d6ad7d2

SHA256
f5a5f9093b00de4ab3740188f75612847e94551cba90878519637d86b5355e01

SHA512
ed13c783bfc614d2ed1c3b31e22cef33234c5ad77d1017f9368d5a6542a98325496f119a78fdc80bc92f1faa31ef06f079d8023e154ea6f987479bc06add5ae3

Download Submit
\Users\Admin\jdjoosvd\jdjoosvd.tmp
Filesize
560KB

MD5
44f7d31463d79dd60560195e8fa33b29

SHA1
27ecd3fa4fe68f5e72f9a1d25887d2ff1e082140

SHA256
4a3774c66e6c46a99f610aecd533224331303ae4eb0582ee8e0653b4bd7971d0

SHA512
57977f4ed1a5801e48e060ef282407411b31f3cc2a2fc47af08259faadc4190abf188a6916fcd6c3c8d034bed873da48e90c16988500a76fca7fffa4c2cbc790

Download Submit
memory/304-69-0x0000000000000000-mapping.dmp

Download
memory/680-59-0x0000000000000000-mapping.dmp

Download
memory/680-67-0x0000000071CA1000-0x0000000071CA3000-memory.dmp

Filesize
8KB

Download
memory/1736-56-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/2004-70-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads