1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55

General

Target

1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe
Size

376KB
MD5

bec16881261b933d10d475ecac658e62
SHA1

6e819cc4a64e56a9ff96573d3b7fd52f60dfaee2
SHA256

1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55
SHA512

379253f2b2e14ee82e2886173a359ff0a56077af19abf0db6ed90699366fdde72f6ac9ec47b09485939b0fc3230792e36357134015570456b063ddee983ff655
SSDEEP

6144:uSnPobDUShUmcREtiUcvpKey4Kkb0c/Fnk06hiqP2NXoiyJmEW5c1xZu9MYR3b:dngbDnsREtirRK3LZSey+2NYxM5Cx8SE

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

jOn06504gAjFh06504.exejOn06504gAjFh06504.exe

pid process

1960 jOn06504gAjFh06504.exe
964 jOn06504gAjFh06504.exe
Deletes itself 1 IoCs

Processes:

jOn06504gAjFh06504.exe

pid process

964 jOn06504gAjFh06504.exe

pid	process
1960	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe

pid	process
964	jOn06504gAjFh06504.exe

Loads dropped DLL 3 IoCs

Processes:

1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe

pid	process
2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe
2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe
2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jOn06504gAjFh06504.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jOn06504gAjFh06504 = "C:\\ProgramData\\jOn06504gAjFh06504\\jOn06504gAjFh06504.exe"	jOn06504gAjFh06504.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

jOn06504gAjFh06504.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	jOn06504gAjFh06504.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exejOn06504gAjFh06504.exejOn06504gAjFh06504.exe

pid	process
2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe
1960	jOn06504gAjFh06504.exe
2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe
1960	jOn06504gAjFh06504.exe
2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe
1960	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
1960	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
1960	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
1960	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
1960	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
1960	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
1960	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exejOn06504gAjFh06504.exejOn06504gAjFh06504.exe

description	pid	process
Token: SeDebugPrivilege	2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe
Token: SeDebugPrivilege	1960	jOn06504gAjFh06504.exe
Token: SeDebugPrivilege	964	jOn06504gAjFh06504.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

jOn06504gAjFh06504.exe

pid process

964 jOn06504gAjFh06504.exe
964 jOn06504gAjFh06504.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

jOn06504gAjFh06504.exe

pid process

964 jOn06504gAjFh06504.exe
964 jOn06504gAjFh06504.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

jOn06504gAjFh06504.exe

pid process

964 jOn06504gAjFh06504.exe
964 jOn06504gAjFh06504.exe

pid	process
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe

pid	process
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe

pid	process
964	jOn06504gAjFh06504.exe
964	jOn06504gAjFh06504.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe

description	pid	process	target process
PID 2020 wrote to memory of 1960	2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe	jOn06504gAjFh06504.exe
PID 2020 wrote to memory of 1960	2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe	jOn06504gAjFh06504.exe
PID 2020 wrote to memory of 1960	2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe	jOn06504gAjFh06504.exe
PID 2020 wrote to memory of 1960	2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe	jOn06504gAjFh06504.exe
PID 2020 wrote to memory of 964	2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe	jOn06504gAjFh06504.exe
PID 2020 wrote to memory of 964	2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe	jOn06504gAjFh06504.exe
PID 2020 wrote to memory of 964	2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe	jOn06504gAjFh06504.exe
PID 2020 wrote to memory of 964	2020	1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe	jOn06504gAjFh06504.exe

C:\Users\Admin\AppData\Local\Temp\1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe
"C:\Users\Admin\AppData\Local\Temp\1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504.exe
"C:\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504.exe" BOMBARDAMAXIMUM
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504.exe
"C:\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504.exe" "C:\Users\Admin\AppData\Local\Temp\1e0fdeb32073187776c4d5a64c612e8d8d6816e7823d37df5142ab9d15f92e55.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504
Filesize
192B

MD5
1c95a80a4790a21e3d392d892f93030b

SHA1
4fe226e31b2c41f91c764c968d89d64dba1c7090

SHA256
9d1d526412be9142590eb85f40f8327e20a01539b8145a69f45d0602095fee40

SHA512
53866fb3ecfccb1029822fa595b2b42e39326f659da1d531fc5a22abfa19db0365bfbb5661b9c371805d50f301d84bafbf245b3ccbbe4728de18d2ba6029e4f1

Download Submit
C:\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504.exe
Filesize
376KB

MD5
c082c26d100f266182532d2af4331be6

SHA1
7450c798fab44ed69b7ffae40cbc686323ecc2ca

SHA256
79b96b8f2a078a18b81ba7d04059d6d5f818422e2a4a6da0a0dc6fa1a0af2cc9

SHA512
35811a3418795c80897f01669bc3c1828131fa55f1a009e6f1b427b0a553718e282717aed51f04e5fe617fa1609d28c8bba6ab2e84b2bb109a2c6b1d88c42c77

Download Submit
C:\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504.exe
Filesize
376KB

MD5
c082c26d100f266182532d2af4331be6

SHA1
7450c798fab44ed69b7ffae40cbc686323ecc2ca

SHA256
79b96b8f2a078a18b81ba7d04059d6d5f818422e2a4a6da0a0dc6fa1a0af2cc9

SHA512
35811a3418795c80897f01669bc3c1828131fa55f1a009e6f1b427b0a553718e282717aed51f04e5fe617fa1609d28c8bba6ab2e84b2bb109a2c6b1d88c42c77

Download Submit
C:\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504.exe
Filesize
376KB

MD5
c082c26d100f266182532d2af4331be6

SHA1
7450c798fab44ed69b7ffae40cbc686323ecc2ca

SHA256
79b96b8f2a078a18b81ba7d04059d6d5f818422e2a4a6da0a0dc6fa1a0af2cc9

SHA512
35811a3418795c80897f01669bc3c1828131fa55f1a009e6f1b427b0a553718e282717aed51f04e5fe617fa1609d28c8bba6ab2e84b2bb109a2c6b1d88c42c77

Download Submit
\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504.exe
Filesize
376KB

MD5
c082c26d100f266182532d2af4331be6

SHA1
7450c798fab44ed69b7ffae40cbc686323ecc2ca

SHA256
79b96b8f2a078a18b81ba7d04059d6d5f818422e2a4a6da0a0dc6fa1a0af2cc9

SHA512
35811a3418795c80897f01669bc3c1828131fa55f1a009e6f1b427b0a553718e282717aed51f04e5fe617fa1609d28c8bba6ab2e84b2bb109a2c6b1d88c42c77

Download Submit
\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504.exe
Filesize
376KB

MD5
c082c26d100f266182532d2af4331be6

SHA1
7450c798fab44ed69b7ffae40cbc686323ecc2ca

SHA256
79b96b8f2a078a18b81ba7d04059d6d5f818422e2a4a6da0a0dc6fa1a0af2cc9

SHA512
35811a3418795c80897f01669bc3c1828131fa55f1a009e6f1b427b0a553718e282717aed51f04e5fe617fa1609d28c8bba6ab2e84b2bb109a2c6b1d88c42c77

Download Submit
\ProgramData\jOn06504gAjFh06504\jOn06504gAjFh06504.exe
Filesize
376KB

MD5
c082c26d100f266182532d2af4331be6

SHA1
7450c798fab44ed69b7ffae40cbc686323ecc2ca

SHA256
79b96b8f2a078a18b81ba7d04059d6d5f818422e2a4a6da0a0dc6fa1a0af2cc9

SHA512
35811a3418795c80897f01669bc3c1828131fa55f1a009e6f1b427b0a553718e282717aed51f04e5fe617fa1609d28c8bba6ab2e84b2bb109a2c6b1d88c42c77

Download Submit
memory/964-65-0x0000000000000000-mapping.dmp

Download
memory/964-72-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/964-70-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1960-57-0x0000000000000000-mapping.dmp

Download
memory/1960-63-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1960-71-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2020-66-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2020-62-0x0000000002100000-0x00000000021D9000-memory.dmp

Filesize
868KB

Download
memory/2020-61-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads