5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0

General

Target

5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe
Size

709KB
MD5

e575eb9ee66c7c2c2071cdf4879b14bc
SHA1

96b9ccace682b268444c945cd9b94c79ac47ba85
SHA256

5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0
SHA512

fbbbb7477ecd3878d02ad57f6b4e777960bac65620e52f15c7b5c8fe06cc2b70dd79fba5804f9c0bbe1d6f8d02927f3766c7d6866782714df0678302fc936d6f
SSDEEP

12288:UigqIkHyLkIOeee+fAZwfqDPdM+UULoGTxOk82HmVJZP0a:Uik6yIVeSAZwCCDGTxOB2HEoa

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1696	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe
1696	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe
1696	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe
1696	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe
1696	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe
1696	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28
PID 1708 wrote to memory of 1696	1708	5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe	28

C:\Users\Admin\AppData\Local\Temp\5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe
"C:\Users\Admin\AppData\Local\Temp\5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe
  "C:\Users\Admin\AppData\Local\Temp\5ea4ea7f53f0a78cac22e14d34f09210f02c47459a8d6c706a2e1ee9f4576ed0.exe" Track="0001001000"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-54-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1696-55-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1696-57-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1696-59-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1696-61-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1696-63-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1696-65-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1696-68-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1696-69-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1696-70-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1696-71-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads