73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412

General

Target

73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe
Size

660KB
MD5

c2ba961b46cf1102cff13d11bd86c476
SHA1

8f7dd5ed5fd681a9133811477804b159a7194f03
SHA256

73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412
SHA512

b1015bf422b1af6e2990ac00118000c74e0afb0b356f4102b1f07d2da50cc7d4b8d1aa483e777d87541a7c0733518b49db64262430b0b03721f4fd1858e32b67
SSDEEP

12288:jNKy4ghhHYVAe2Z4INVA3pbXB38Vo8pCqbja4TZeO8yc:74ghRYVAe2Z4IDA7sS8JzTZeOj

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1924	attrib.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\GooglePx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GooglePx.exe"	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2012	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2012	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2012	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe
2012	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe
2012	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 1988 wrote to memory of 2012	1988	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	26
PID 2012 wrote to memory of 1924	2012	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	27
PID 2012 wrote to memory of 1924	2012	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	27
PID 2012 wrote to memory of 1924	2012	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	27
PID 2012 wrote to memory of 1924	2012	73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe	27

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1924	attrib.exe

C:\Users\Admin\AppData\Local\Temp\73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe
"C:\Users\Admin\AppData\Local\Temp\73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe
  "C:\Users\Admin\AppData\Local\Temp\73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412.exe"
  2⤵
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h +a C:\Users\Admin\AppData\Local\Temp\GooglePx.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GooglePx.exe

Filesize
660KB

MD5
c2ba961b46cf1102cff13d11bd86c476

SHA1
8f7dd5ed5fd681a9133811477804b159a7194f03

SHA256
73ac4082c72f7fbec2dd31c28085480513e95927fcf0449ed4c6392992393412

SHA512
b1015bf422b1af6e2990ac00118000c74e0afb0b356f4102b1f07d2da50cc7d4b8d1aa483e777d87541a7c0733518b49db64262430b0b03721f4fd1858e32b67

Download Submit
memory/2012-61-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-54-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-62-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-64-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-68-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-69-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-59-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-66-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-70-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-55-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-72-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/2012-57-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-74-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads