e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a

General

Target

e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe
Size

88KB
MD5

51a28057f658bb21ffd3f4960a2a9b59
SHA1

bd9d902a6aa95659c9b420f2cd20cb585b4c1457
SHA256

e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a
SHA512

b402ae9843d04ea835fd141936860ed6c4e211ba6591636c906083eb30c5b2cfab8af29b45cb691cc03b82b297cb824845d6aada083ae040b1d72a88ee673aa1
SSDEEP

1536:3H0HpDCw5w4vGDmKlhlDD/bLxjwO26xOMu8YFNWvSqvy35hsrGcW02+X5x:30HpmkGywzbLxjwO9OMu8YFNWtjKcw+L

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
600	svchost.exe

Deletes itself 1 IoCs

pid	Process
600	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1472	e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Nzroexmvss\14690	svchost.exe
File opened for modification	C:\Program Files (x86)\Nzroexmvss\Path.rcd	e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe
File created	C:\Program Files (x86)\Dcsbtj Auguydyy\svchost.exe	e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe
File opened for modification	C:\Program Files (x86)\Dcsbtj Auguydyy\svchost.exe	e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe
File opened for modification	C:\Program Files (x86)\Nzroexmvss\18251	svchost.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
600	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 600	1472	e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe	27
PID 1472 wrote to memory of 600	1472	e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe	27
PID 1472 wrote to memory of 600	1472	e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe	27
PID 1472 wrote to memory of 600	1472	e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe	27
PID 600 wrote to memory of 1164	600	svchost.exe	28
PID 600 wrote to memory of 1164	600	svchost.exe	28
PID 600 wrote to memory of 1164	600	svchost.exe	28
PID 600 wrote to memory of 1164	600	svchost.exe	28
PID 2040 wrote to memory of 1340	2040	explorer.exe	30
PID 2040 wrote to memory of 1340	2040	explorer.exe	30
PID 2040 wrote to memory of 1340	2040	explorer.exe	30

C:\Users\Admin\AppData\Local\Temp\e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe
"C:\Users\Admin\AppData\Local\Temp\e472e59be87ec6837f9a3f5b5f9abd7dac4e774752fc3c17b240b4f8096ad29a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files (x86)\Dcsbtj Auguydyy\svchost.exe
  .
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\system32\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Dcsbtj Auguydyy\svchost.exe

Filesize
4.0MB

MD5
716c6bf10a7ecc37fe724b502331b63d

SHA1
3361a93ea73d0651fed0b1b9f47c33585758b9c2

SHA256
89c63b0a59c4b4512b7a8fae81d85621c515f8dfed12b2bedd272c08bb751d98

SHA512
2c37f27b48418e05a27e25be3168a6912cbf241cfea18454e6b5fa06aa5bd1783d95f11ece2590547a81e701aa6a60a62a95f3287b1bc3a2e14c3ee6719d4955

Download Submit
C:\Program Files (x86)\Nzroexmvss\Path.rcd

Filesize
260B

MD5
64c5fd165dadc265cb036254cb2fca4c

SHA1
3ba2a1aee4906786aba00ddbcf2542564fe8a407

SHA256
9ad2d841f6c895af77bfb9d23d0d3d906dfacc9e27f80cf3f9b8ce6c11f841c9

SHA512
23c58a87d95f3658b26ca7fb1528711e1b84375f005d8112bd2c654520add31151099fdbea4bf4cb04e88db162a9f3f72e02eca0dd76539132100c206f35d133

Download Submit
\Program Files (x86)\Dcsbtj Auguydyy\svchost.exe

Filesize
4.0MB

MD5
716c6bf10a7ecc37fe724b502331b63d

SHA1
3361a93ea73d0651fed0b1b9f47c33585758b9c2

SHA256
89c63b0a59c4b4512b7a8fae81d85621c515f8dfed12b2bedd272c08bb751d98

SHA512
2c37f27b48418e05a27e25be3168a6912cbf241cfea18454e6b5fa06aa5bd1783d95f11ece2590547a81e701aa6a60a62a95f3287b1bc3a2e14c3ee6719d4955

Download Submit
memory/600-65-0x0000000073EE1000-0x0000000073EE3000-memory.dmp

Filesize
8KB

Download
memory/1164-62-0x00000000742F1000-0x00000000742F3000-memory.dmp

Filesize
8KB

Download
memory/1472-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/2040-63-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/2040-66-0x0000000003A50000-0x0000000003A60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing