e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452

General

Target

e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe
Size

1.6MB
MD5

b5685d6ca84dae41089f02d95d2f5a0f
SHA1

129f4e3d8d04fef2c9fe7c7729799eb58c5d3cf0
SHA256

e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452
SHA512

4cf37013ce05d66ad584e50657689dbdfb97d101d73b67c5b203c156974bb5e6e804015cd3240ef5922127c58e30162b7233c2e23e1a0d4c558e0c9e0d1cd4d4
SSDEEP

49152:BtVEuKErHwwPI2bgyHPgLj9CnDEqso1I8p:BtyE7TpGJWDEqso1I8p

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
840	10431_~1.EXE
2020	WINRAR~1.EXE
1288	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
1112	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe
1112	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	WINRAR~1.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2020	WINRAR~1.EXE
2020	WINRAR~1.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 840	1112	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe	28
PID 1112 wrote to memory of 840	1112	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe	28
PID 1112 wrote to memory of 840	1112	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe	28
PID 1112 wrote to memory of 840	1112	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe	28
PID 1112 wrote to memory of 2020	1112	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe	29
PID 1112 wrote to memory of 2020	1112	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe	29
PID 1112 wrote to memory of 2020	1112	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe	29
PID 1112 wrote to memory of 2020	1112	e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe	29

C:\Users\Admin\AppData\Local\Temp\e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe
"C:\Users\Admin\AppData\Local\Temp\e41f62a9c4d1b1ae913f67e7c4bdf8aa8d6aa7a1a8763e51f412d0bd4e729452.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\10431_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\10431_~1.EXE
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINRAR~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINRAR~1.EXE
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\10431_~1.EXE

Filesize
94KB

MD5
e2190379f71212166de9f6d1fc8a0a05

SHA1
0ab1bc4c71dce873dadfd788f88b5487a0be7edc

SHA256
0995aad996125ac90a26a846f10861605db1753e952a1c786bd1b5208f5f3e05

SHA512
328a72d017f6bb8a4bfb50cfb81df119313d722cdbf080cb2125458e61f1550ae0faa03055b3f20e788d2530292d6c1552efeaa1d95892508ffe99f12248dce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINRAR~1.EXE

Filesize
1.5MB

MD5
8921e5b9d17d09d76283076c0cca478c

SHA1
f0488cefe5a24fa98733a6214f963511bc36f28a

SHA256
c4a6ff143342d0a84c9821d38a3e03c0c81de26eac7c65d31a7f704b38051f41

SHA512
fb0ce760092f70c21f59597aae61e894a7d2be4b9c3977f69453de5b5b8becba7eae9a547f47a091c2a8f4b5353bd393f9308c40d4a429a1ee013cdd34d558dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINRAR~1.EXE

Filesize
1.5MB

MD5
8921e5b9d17d09d76283076c0cca478c

SHA1
f0488cefe5a24fa98733a6214f963511bc36f28a

SHA256
c4a6ff143342d0a84c9821d38a3e03c0c81de26eac7c65d31a7f704b38051f41

SHA512
fb0ce760092f70c21f59597aae61e894a7d2be4b9c3977f69453de5b5b8becba7eae9a547f47a091c2a8f4b5353bd393f9308c40d4a429a1ee013cdd34d558dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\10431_~1.EXE

Filesize
94KB

MD5
e2190379f71212166de9f6d1fc8a0a05

SHA1
0ab1bc4c71dce873dadfd788f88b5487a0be7edc

SHA256
0995aad996125ac90a26a846f10861605db1753e952a1c786bd1b5208f5f3e05

SHA512
328a72d017f6bb8a4bfb50cfb81df119313d722cdbf080cb2125458e61f1550ae0faa03055b3f20e788d2530292d6c1552efeaa1d95892508ffe99f12248dce6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINRAR~1.EXE

Filesize
1.5MB

MD5
8921e5b9d17d09d76283076c0cca478c

SHA1
f0488cefe5a24fa98733a6214f963511bc36f28a

SHA256
c4a6ff143342d0a84c9821d38a3e03c0c81de26eac7c65d31a7f704b38051f41

SHA512
fb0ce760092f70c21f59597aae61e894a7d2be4b9c3977f69453de5b5b8becba7eae9a547f47a091c2a8f4b5353bd393f9308c40d4a429a1ee013cdd34d558dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINRAR~1.EXE

Filesize
1.5MB

MD5
8921e5b9d17d09d76283076c0cca478c

SHA1
f0488cefe5a24fa98733a6214f963511bc36f28a

SHA256
c4a6ff143342d0a84c9821d38a3e03c0c81de26eac7c65d31a7f704b38051f41

SHA512
fb0ce760092f70c21f59597aae61e894a7d2be4b9c3977f69453de5b5b8becba7eae9a547f47a091c2a8f4b5353bd393f9308c40d4a429a1ee013cdd34d558dd

Download Submit
memory/840-57-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/2020-61-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads