619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0

General

Target

619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
Size

253KB
MD5

c1617b172c2d59d518dd34e999866293
SHA1

865f0bbc011f39e89f5eb8b6823fced407c4a5fb
SHA256

619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0
SHA512

2412c449db446e51446b8f0dc66fd65a4bedba91051aa1553442d13d5c8bda1e81265afd33faa183844cb01396f1292aec0b580d784a6020bbbdeebbce634eec
SSDEEP

6144:Hfj70ySzxkvXBfHz6DSLn/9lcLLUJ2lSUt:748fBfHzRPQQU3t

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1324-55-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1324-64-0x0000000000400000-0x0000000000485000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSTransmissionController = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\mstctl32.exe"	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe

description	ioc	process
File opened (read-only)	\??\G:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\I:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\Y:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\R:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\T:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\A:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\B:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\E:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\J:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\K:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\M:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\Z:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\F:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\L:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\Q:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\U:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\V:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\W:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\H:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\N:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\O:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\P:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\S:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
File opened (read-only)	\??\X:	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe

description	pid	process	target process
PID 1324 set thread context of 820	1324	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0bcdf615e04d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376538029"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb800000000020000000000106600000001000020000000a35e128f7b092e543b148c20646d5ad8e765e3830a4ff592652f2120ee4447b0000000000e80000000020000200000001502bff52f5f6597c31ab12ee36cf7c31a8bb27f7fb3a2a3fbd2854f4631a56a20000000b863f44790c4ef38e3d1f083f87eebed55b454539665f1d01186b66200ceba0740000000e288c52bd46f49cc9d3a930108fcd6363c51787528660e6b7313696a4ae4f904ec9bcf4d865339d737c6a1c0fb8428391cf8efa799b0960de44317695f2e7acd	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb80000000002000000000010660000000100002000000062cc77d1724b032286e978badcade6c6cb3b959bc10d536878b077440a60012c000000000e800000000200002000000077f178246d8b08cf32cb5ec833b7c259f2c4009e978596f5c0e7455920365c9390000000e70f6824b0a1c83f450c9ed769cc12600a8d90a741310d6daa9843ad595e417d527f311960aea22ec3758e4c31ef5215f351fe8191957bc3ad71cd635963d74bb59a5972b6ebc2e88137f86fe8bc5c4fbcb9e25036237c9610367f7328bb38e6ae2b8470a87ff2876391af2ba4e9d4f0699b4da564f6b50e34806c5c7419d0011d159eaff5280ca334f674d29eb8d9fb400000005792e8ae0a736ff9e0dd9530e2351819911c40cbd60fcb721b7d61628a2f2d84887b28b3cb057c45aa4f0d9bf46468781f9ff08962d81f0b1b1dc67452c77076	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{69782201-7051-11ED-A101-5A9C998014C3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

916 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

916 iexplore.exe
916 iexplore.exe
2040 IEXPLORE.EXE
2040 IEXPLORE.EXE
2040 IEXPLORE.EXE
2040 IEXPLORE.EXE

pid	process
916	iexplore.exe

pid	process
916	iexplore.exe
916	iexplore.exe
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exeiexplore.exe

description	pid	process	target process
PID 1324 wrote to memory of 820	1324	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
PID 1324 wrote to memory of 820	1324	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
PID 1324 wrote to memory of 820	1324	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
PID 1324 wrote to memory of 820	1324	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
PID 1324 wrote to memory of 820	1324	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
PID 1324 wrote to memory of 820	1324	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
PID 1324 wrote to memory of 820	1324	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
PID 1324 wrote to memory of 820	1324	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
PID 820 wrote to memory of 916	820	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	iexplore.exe
PID 820 wrote to memory of 916	820	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	iexplore.exe
PID 820 wrote to memory of 916	820	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	iexplore.exe
PID 820 wrote to memory of 916	820	619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe	iexplore.exe
PID 916 wrote to memory of 2040	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 2040	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 2040	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 2040	916	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
"C:\Users\Admin\AppData\Local\Temp\619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe
"C:\Users\Admin\AppData\Local\Temp\619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=619e2715c0200f4bce1414ec347e81d149da2277ef7fbea8c0cc941785eacaa0.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DW14HWVG.txt
Filesize
608B

MD5
ce2755fc995e1a8424ee922a48d038a6

SHA1
30e18f0072f94f4593a984ced74e5848fa56a4e6

SHA256
4b30e152387f039e0681703e2f1bc4ad9bd2de0ccab7cc4bf467bc0ef3caddac

SHA512
30bb13431bb26b432705f2ed0eebe37b7d97569dcff75d708b5927fe84d5f2d5b0dc3c22d90b7b773310a752001d3357c04254d56c9795dfef4e3512ccfb262f

Download Submit
memory/820-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-62-0x000000000040CEBE-mapping.dmp

Download
memory/820-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-65-0x0000000000402000-0x000000000040D000-memory.dmp

Filesize
44KB

Download
memory/820-66-0x0000000000402000-0x000000000040D000-memory.dmp

Filesize
44KB

Download
memory/1324-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1324-55-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1324-64-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads