1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9

General

Target

1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe
Size

456KB
MD5

826940dcb269552bc7fc14fac7adf5df
SHA1

be7956b1baad5e54e9f9df9efbc8ed0f23bcbaad
SHA256

1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9
SHA512

252550fc4f0202086b67dfa148cbbd35d48deb177cb2188c7fca6debc73a76da6e11fa2d3d7e8fcd5ceadfb9daec7bc639edc9b137da9c97262daccbd8544dfa
SSDEEP

12288:dy/vD028/618D4ODwVc2flmIQfWHV6Tg7lsftzTNBV4D:s/o28CzYXVV66osftzTNBV4D

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\explore.exe\" Set"	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe

Executes dropped EXE 1 IoCs

pid	Process
588	explore.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UltraSurf992.exe	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UltraSurf992.exe	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe

Loads dropped DLL 2 IoCs

pid	Process
1428	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe
1428	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	explore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1428	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe
1428	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe
1428	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe
588	explore.exe
588	explore.exe
588	explore.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 588	1428	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe	28
PID 1428 wrote to memory of 588	1428	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe	28
PID 1428 wrote to memory of 588	1428	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe	28
PID 1428 wrote to memory of 588	1428	1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe	28

C:\Users\Admin\AppData\Local\Temp\1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe
"C:\Users\Admin\AppData\Local\Temp\1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\explore.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\explore.exe Set
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\explore.exe

Filesize
456KB

MD5
826940dcb269552bc7fc14fac7adf5df

SHA1
be7956b1baad5e54e9f9df9efbc8ed0f23bcbaad

SHA256
1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9

SHA512
252550fc4f0202086b67dfa148cbbd35d48deb177cb2188c7fca6debc73a76da6e11fa2d3d7e8fcd5ceadfb9daec7bc639edc9b137da9c97262daccbd8544dfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\explore.exe

Filesize
456KB

MD5
826940dcb269552bc7fc14fac7adf5df

SHA1
be7956b1baad5e54e9f9df9efbc8ed0f23bcbaad

SHA256
1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9

SHA512
252550fc4f0202086b67dfa148cbbd35d48deb177cb2188c7fca6debc73a76da6e11fa2d3d7e8fcd5ceadfb9daec7bc639edc9b137da9c97262daccbd8544dfa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\explore.exe

Filesize
456KB

MD5
826940dcb269552bc7fc14fac7adf5df

SHA1
be7956b1baad5e54e9f9df9efbc8ed0f23bcbaad

SHA256
1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9

SHA512
252550fc4f0202086b67dfa148cbbd35d48deb177cb2188c7fca6debc73a76da6e11fa2d3d7e8fcd5ceadfb9daec7bc639edc9b137da9c97262daccbd8544dfa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\explore.exe

Filesize
456KB

MD5
826940dcb269552bc7fc14fac7adf5df

SHA1
be7956b1baad5e54e9f9df9efbc8ed0f23bcbaad

SHA256
1e4669ba8f87c91793f8c9f345033ca74f9ccb3ca717382731e99ead576392c9

SHA512
252550fc4f0202086b67dfa148cbbd35d48deb177cb2188c7fca6debc73a76da6e11fa2d3d7e8fcd5ceadfb9daec7bc639edc9b137da9c97262daccbd8544dfa

Download Submit
memory/588-68-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/588-65-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/588-70-0x00000000034E0000-0x0000000004542000-memory.dmp

Filesize
16.4MB

Download
memory/1428-64-0x0000000002F70000-0x0000000003069000-memory.dmp

Filesize
996KB

Download
memory/1428-66-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1428-54-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1428-69-0x0000000003110000-0x0000000004172000-memory.dmp

Filesize
16.4MB

Download
memory/1428-57-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1428-74-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads