96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c

General

Target

96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
Size

361KB
MD5

5404ff313dcc124c2b224a53b424e441
SHA1

c68b7482cb999c6d7ed34fabe8c11aaf5240b9eb
SHA256

96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c
SHA512

513c59d723553450eccff3222fbedb12172f771c64c0b1a29427df72812684a31f259884cbd3106115f81e150754e3222d94d55d45b7dc5ef4e5edf47c3e82c4
SSDEEP

6144:UflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:UflfAsiVGjSGecvX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
432	dzteauqjczsgatpj.exe

Loads dropped DLL 1 IoCs

pid	Process
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
432	dzteauqjczsgatpj.exe
432	dzteauqjczsgatpj.exe
432	dzteauqjczsgatpj.exe
432	dzteauqjczsgatpj.exe
432	dzteauqjczsgatpj.exe
432	dzteauqjczsgatpj.exe
432	dzteauqjczsgatpj.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 432	268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	28
PID 268 wrote to memory of 432	268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	28
PID 268 wrote to memory of 432	268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	28
PID 268 wrote to memory of 432	268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	28
PID 268 wrote to memory of 1676	268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	29
PID 268 wrote to memory of 1676	268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	29
PID 268 wrote to memory of 1676	268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	29
PID 268 wrote to memory of 1676	268	96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe	29

C:\Users\Admin\AppData\Local\Temp\96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe
"C:\Users\Admin\AppData\Local\Temp\96033c9b424f01cdae4b76e32978efeee1c5b7e32a34beb0ca8b2afd2370ce1c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:268
- C:\Temp\dzteauqjczsgatpj.exe
  C:\Temp\dzteauqjczsgatpj.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:432
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\dzteauqjczsgatpj.exe

Filesize
361KB

MD5
83f86f5843e8ad256b40d98df0c02d0b

SHA1
49b815093c578f004ee8db65d706b524e53e6fd7

SHA256
96af1763bab3ac7d8bced0ad85a592c9ba163f7bd087821b67740fe1c1df855b

SHA512
c74f529ba3b8a560dc070e2bfa6711baccae9ddf2f9b6340240aed0d16c690343a8626dff519845f15852fc9db001a0fd96d05cee8e81921e6d3067abed9e786

Download Submit
\Temp\dzteauqjczsgatpj.exe

Filesize
361KB

MD5
83f86f5843e8ad256b40d98df0c02d0b

SHA1
49b815093c578f004ee8db65d706b524e53e6fd7

SHA256
96af1763bab3ac7d8bced0ad85a592c9ba163f7bd087821b67740fe1c1df855b

SHA512
c74f529ba3b8a560dc070e2bfa6711baccae9ddf2f9b6340240aed0d16c690343a8626dff519845f15852fc9db001a0fd96d05cee8e81921e6d3067abed9e786

Download Submit

Analysis

Sharing