f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73

General

Target

f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
Size

479KB
MD5

f96c5ab24260ea3e65e0154fc04c0a6a
SHA1

b4b8ad8fdca5ad5f6ac9a63d47656d6f290b49fb
SHA256

f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73
SHA512

26c0b2b6e5600cbeec41fd4b659d25afe148b876dfd2ba8369b345f7ad81c755fc7ffe392205dbd673a2ce2ad5efa125e0a32d75f201c04cdbc13fab3fc02f1d
SSDEEP

12288:Sc//////idXwxOKGX67rLnn6T6i0Ckb8HeRKaslx457:Sc//////i6JGX67rL6ObCalRKa6m57

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1972-136-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-138-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-139-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-140-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-141-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-143-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-145-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-147-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-149-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-151-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-153-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-155-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-157-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-159-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-161-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-166-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-163-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-168-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-170-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-172-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-174-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-176-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-178-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-180-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-182-0x0000000002350000-0x000000000238D000-memory.dmp	upx
behavioral2/memory/1972-184-0x0000000002350000-0x000000000238D000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

description	pid	process	target process
PID 4052 set thread context of 1972	4052	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4032	1972	WerFault.exe	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
4276	1972	WerFault.exe	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?28879"	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?28879"	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?28879"	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

pid	process
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

pid	process
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
1972	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

description	pid	process	target process
PID 4052 wrote to memory of 1972	4052	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
PID 4052 wrote to memory of 1972	4052	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
PID 4052 wrote to memory of 1972	4052	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
PID 4052 wrote to memory of 1972	4052	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
PID 4052 wrote to memory of 1972	4052	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe	f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe

C:\Users\Admin\AppData\Local\Temp\f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
"C:\Users\Admin\AppData\Local\Temp\f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
C:\Users\Admin\AppData\Local\Temp\f9bfea4949144d94d582f90d05a64200b35f08ef5f9090dc2151159948c71c73.exe
2⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 864
3⤵
- Program crash
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 884
3⤵
- Program crash
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1972 -ip 1972
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1972 -ip 1972
1⤵
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-132-0x0000000000000000-mapping.dmp

Download
memory/1972-133-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1972-135-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1972-136-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-138-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-139-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-140-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-141-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-143-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-145-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-147-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-149-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-151-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-153-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-155-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-157-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-159-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-161-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-164-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1972-166-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-163-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-168-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-170-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-172-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-174-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-176-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-178-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-180-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-182-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download
memory/1972-183-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1972-184-0x0000000002350000-0x000000000238D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads