b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef

General

Target

b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
Size

361KB
MD5

7089e0e3fb46bc4310e653b69cd0b086
SHA1

cc097e94a2f8fdd936f7bb91c45cf2ddb753cd70
SHA256

b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef
SHA512

924f9c01ad6fbead19b2e62c944480dc4f57ef09cb324b0a7a20ab3382e97a6ebc60449ffd5be9c887fd94a1f90bc533e1bb8d1a106ceb35028f6662555653b7
SSDEEP

6144:mflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:mflfAsiVGjSGecvX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1564	plebuncvrkeatqbu.exe

Loads dropped DLL 1 IoCs

pid	Process
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1564	plebuncvrkeatqbu.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1564	plebuncvrkeatqbu.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1564	plebuncvrkeatqbu.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1564	plebuncvrkeatqbu.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1564	plebuncvrkeatqbu.exe
1564	plebuncvrkeatqbu.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1564	plebuncvrkeatqbu.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1564	1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe	28
PID 1476 wrote to memory of 1564	1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe	28
PID 1476 wrote to memory of 1564	1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe	28
PID 1476 wrote to memory of 1564	1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe	28
PID 1476 wrote to memory of 1768	1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe	29
PID 1476 wrote to memory of 1768	1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe	29
PID 1476 wrote to memory of 1768	1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe	29
PID 1476 wrote to memory of 1768	1476	b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe	29

C:\Users\Admin\AppData\Local\Temp\b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe
"C:\Users\Admin\AppData\Local\Temp\b2dd8103be9083c8246d71c31d46beb02a7cc1bbc040beb1c9ca8070357042ef.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Temp\plebuncvrkeatqbu.exe
  C:\Temp\plebuncvrkeatqbu.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1564
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\plebuncvrkeatqbu.exe

Filesize
361KB

MD5
92279e6a859fc7b8ccd33f0398b99520

SHA1
2a5da29dc2134ff4bae141972cc2f8ad6b0c7f96

SHA256
ed79c421ab85f2e762474fa460abc656c895f21abe2d7c01d344e0f4513b3812

SHA512
a212e3bf08d97144925335315475ba0dfbea1179022a4817679b633ed8ccbbef89a71ef8559aea222d1a604bfa17f4dce94561aa7a03ac4fa1fb75f9e2320c98

Download Submit
\Temp\plebuncvrkeatqbu.exe

Filesize
361KB

MD5
92279e6a859fc7b8ccd33f0398b99520

SHA1
2a5da29dc2134ff4bae141972cc2f8ad6b0c7f96

SHA256
ed79c421ab85f2e762474fa460abc656c895f21abe2d7c01d344e0f4513b3812

SHA512
a212e3bf08d97144925335315475ba0dfbea1179022a4817679b633ed8ccbbef89a71ef8559aea222d1a604bfa17f4dce94561aa7a03ac4fa1fb75f9e2320c98

Download Submit

Analysis

Sharing