bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f

General

Target

bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe
Size

210KB
MD5

e4b58c1be22b062c0a1a789fff0effed
SHA1

223d248b85f6ad2d6fdd30a9ea9cd5791241d2cb
SHA256

bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f
SHA512

192d98eb2a4c3d7c618df25f9947b02cd9a37f13384f3c410f8c8c29a7617c5bc43280acfbc175f2a20b99ed990aea041a343f79fb0d0fb65b65d1f34e6aad89
SSDEEP

3072:vzp5TiwzWmkHv25l4c+a3Fs45a90WYJl48YZY:vzjTisWmuvOl4c+OF/q0WYv3Y

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Llumux = "C:\\Users\\Admin\\AppData\\Roaming\\Llumux.scr"	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376885120"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{86C10091-7379-11ED-A964-EAF6071D98F9} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe
Token: SeDebugPrivilege	1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe
Token: SeDebugPrivilege	1220	iexplore.exe
Token: SeDebugPrivilege	1724	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1176	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1176	IEXPLORE.EXE
1176	IEXPLORE.EXE
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1220	1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe	26
PID 1248 wrote to memory of 1220	1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe	26
PID 1248 wrote to memory of 1220	1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe	26
PID 1248 wrote to memory of 1220	1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe	26
PID 1220 wrote to memory of 1176	1220	iexplore.exe	27
PID 1220 wrote to memory of 1176	1220	iexplore.exe	27
PID 1220 wrote to memory of 1176	1220	iexplore.exe	27
PID 1220 wrote to memory of 1176	1220	iexplore.exe	27
PID 1176 wrote to memory of 1724	1176	IEXPLORE.EXE	29
PID 1176 wrote to memory of 1724	1176	IEXPLORE.EXE	29
PID 1176 wrote to memory of 1724	1176	IEXPLORE.EXE	29
PID 1176 wrote to memory of 1724	1176	IEXPLORE.EXE	29
PID 1248 wrote to memory of 1220	1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe	26
PID 1248 wrote to memory of 1220	1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe	26
PID 1248 wrote to memory of 1724	1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe	29
PID 1248 wrote to memory of 1724	1248	bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe	29

C:\Users\Admin\AppData\Local\Temp\bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe
"C:\Users\Admin\AppData\Local\Temp\bc46f35e8aff39c24d168bd3df1abb15f9e8bac53efc86c51642e60e1b426e8f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8YE4UIIK.txt

Filesize
537B

MD5
b0a7e9b8f5f2c8b5de2ffc9e036f8458

SHA1
ed624f3f6283fea78f11a8095c96d5a0c659a292

SHA256
aa0dde3d644137461450949b6eb47120a184078388db4f407b54ede687e80a2e

SHA512
8cb9247bc75fbc675766bb11c7639b2c5711bb8d0cb98e22cfa4ef7abcefcf8572817c3e370726aa4e372e6f891c85d4032572e967ae2362ac4a9bb8104b39d1

Download Submit
memory/1248-88-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-58-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-60-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-62-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-64-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-66-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-68-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-70-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-72-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-74-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-76-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-78-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-80-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-86-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-84-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-56-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-82-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-98-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-96-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-94-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-92-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-104-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-102-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-110-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-108-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-106-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-100-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-90-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-114-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-112-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-116-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-119-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1248-118-0x0000000000460000-0x00000000004AE000-memory.dmp

Filesize
312KB

Download
memory/1248-55-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads