975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220

General

Target

975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
Size

121KB
MD5

dc6db1a9855eafd3001f50291d47f49d
SHA1

0355661943513151698ebf4508452104c29bfc0d
SHA256

975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220
SHA512

cec7b10baaea29bfba31b90f3cdc6d6e764b1e76a22f9851e33c1238894d517737ec0fff7998ebf59f74d025770729769350d340e48f13ce98cef002852766a5
SSDEEP

3072:A5urm0irBIlvbLbe7m52FADA2oSSNgA7fIjuu:wuySlTfMm52aD4u

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1316	msa.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4948-132-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/1316-137-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/1316-138-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4948-139-0x0000000000400000-0x0000000000441000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msa.exe	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
File created	C:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job	msa.exe
File opened for modification	C:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job	msa.exe
File created	C:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
File opened for modification	C:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
File created	C:\Windows\msa.exe	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\International	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1316	4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe	81
PID 4948 wrote to memory of 1316	4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe	81
PID 4948 wrote to memory of 1316	4948	975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe	81

C:\Users\Admin\AppData\Local\Temp\975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe
"C:\Users\Admin\AppData\Local\Temp\975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\msa.exe
  C:\Windows\msa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

Filesize
426B

MD5
351f41c8088e17182ae1daec33c226de

SHA1
7f410b004620dae45b59ffdd0b58276ef16c927c

SHA256
5e8ff0298f94fca58ad74d1fc76a736e5e4b3037254534e8bc8045856e5c35a4

SHA512
edd80a2408bf542ae4066943d19ea7de67eb252bcbfa4a2c2a026b281c232c713324c72ecdde274ad8cac36082215811385b659cf9b9eba9771cb7f6968ecbcb

Download Submit
C:\Windows\msa.exe

Filesize
121KB

MD5
dc6db1a9855eafd3001f50291d47f49d

SHA1
0355661943513151698ebf4508452104c29bfc0d

SHA256
975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220

SHA512
cec7b10baaea29bfba31b90f3cdc6d6e764b1e76a22f9851e33c1238894d517737ec0fff7998ebf59f74d025770729769350d340e48f13ce98cef002852766a5

Download Submit
C:\Windows\msa.exe

Filesize
121KB

MD5
dc6db1a9855eafd3001f50291d47f49d

SHA1
0355661943513151698ebf4508452104c29bfc0d

SHA256
975b410b54a1db61756d202ebd23917cd99345458925ba973782050db2d12220

SHA512
cec7b10baaea29bfba31b90f3cdc6d6e764b1e76a22f9851e33c1238894d517737ec0fff7998ebf59f74d025770729769350d340e48f13ce98cef002852766a5

Download Submit
memory/1316-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1316-138-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing