e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf

General

Target

e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe
Size

294KB
MD5

218fb36acbcea6b58f23e4fd0f819b5c
SHA1

22f00ef1d9e3719922dda34db5a014c6aae9447f
SHA256

e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf
SHA512

765b46b67c65c2e74aeaf3854ad698e3449bf9faf2b2afbb615b5256d60c66e8847d8052a76f44658dac899c7d4a309544a6b8be5403919c34a825e84ec47412
SSDEEP

6144:cdYgxDExluzMm2mBiXS6S9JSelDyX2UFLstcAyXRU0ODDon:tgxDEvuLTKSH9flD74sK60ODDon

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Deletes itself 1 IoCs

pid	Process
1928	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
2016	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe
1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp
1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\TaoBao\is-GMBR9.tmp	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hae123.com"	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
588	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1504	2016	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe	28
PID 2016 wrote to memory of 1504	2016	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe	28
PID 2016 wrote to memory of 1504	2016	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe	28
PID 2016 wrote to memory of 1504	2016	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe	28
PID 1504 wrote to memory of 588	1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	29
PID 1504 wrote to memory of 588	1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	29
PID 1504 wrote to memory of 588	1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	29
PID 1504 wrote to memory of 588	1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	29
PID 1504 wrote to memory of 1928	1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	30
PID 1504 wrote to memory of 1928	1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	30
PID 1504 wrote to memory of 1928	1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	30
PID 1504 wrote to memory of 1928	1504	e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp	30

C:\Users\Admin\AppData\Local\Temp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe
"C:\Users\Admin\AppData\Local\Temp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\is-K5EQ4.tmp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K5EQ4.tmp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp" /SL5="$70122,51915,51712,C:\Users\Admin\AppData\Local\Temp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\Regedit.exe" -s C:\Progra~1\TaoBao\info.desc
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Runs regedit.exe
    PID:588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.exe"
    3⤵
    - Deletes itself
    PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TaoBao\info.desc

Filesize
280B

MD5
a0fd44bf16c285a195d371ba2404dc0a

SHA1
1880991f3f49d2f35e86ce2575d7535517a10f28

SHA256
686ea1ff46449d5412e6454ca7329a6f03e777714e35d502640c61ac16849613

SHA512
3477a190eda4b3fd79319ebeab24c3a62cdaffeb4d58f65488713f23e370f8a906365985dad5a8bd39a5d2e047c6f1da40af1d952cb3899c9809a32fb03b970a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K5EQ4.tmp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
\Users\Admin\AppData\Local\Temp\is-K5EQ4.tmp\e24eeb6b7bf9a4ebf42cbaaa8974604ad7e7ec14460455496f40c37eb6b9a8cf.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
\Users\Admin\AppData\Local\Temp\is-P9VJH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-P9VJH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1504-64-0x0000000074531000-0x0000000074533000-memory.dmp

Filesize
8KB

Download
memory/2016-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2016-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/2016-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2016-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads