bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae

General

Target

bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe
Size

427KB
MD5

3ef5813b5efb3411df67db6ccb32327d
SHA1

b36c24e6b100eba841a75c08e189b6df4b93a325
SHA256

bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae
SHA512

69cf938952a33bb3b18a9e6c13c3220029a32ec37062e6fba702abdabd0643e67f92bf7487c1cfd6a430b809035f37b597107615be678c62abba0ba1c3fbf3bb
SSDEEP

6144:tfcwuO3NYDsNAdnQWMAN6l5yjiqXRZtWpfvxs5kiha0Al3EsRy2LaQt:tfc7O3N50BMukyHgG51A5WQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
952	hEfIlJe06108.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-54-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1996-56-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1996-62-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/952-68-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1996	bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe
1996	bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hEfIlJe06108 = "C:\\ProgramData\\hEfIlJe06108\\hEfIlJe06108.exe"	hEfIlJe06108.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	hEfIlJe06108.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe
Token: SeDebugPrivilege	952	hEfIlJe06108.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
952	hEfIlJe06108.exe
952	hEfIlJe06108.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
952	hEfIlJe06108.exe
952	hEfIlJe06108.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
952	hEfIlJe06108.exe
952	hEfIlJe06108.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 952	1996	bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe	28
PID 1996 wrote to memory of 952	1996	bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe	28
PID 1996 wrote to memory of 952	1996	bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe	28
PID 1996 wrote to memory of 952	1996	bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe	28

C:\Users\Admin\AppData\Local\Temp\bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe
"C:\Users\Admin\AppData\Local\Temp\bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\ProgramData\hEfIlJe06108\hEfIlJe06108.exe
  "C:\ProgramData\hEfIlJe06108\hEfIlJe06108.exe" "C:\Users\Admin\AppData\Local\Temp\bd52b5e1c91df33445661eaa62ff429f204af844bba58d33586aa699f5e63eae.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hEfIlJe06108\hEfIlJe06108.exe

Filesize
427KB

MD5
707bf37a9d0524c1d781cb5ef548b699

SHA1
fa84b0eba289454c4d9cda16c8513b305bb129ef

SHA256
d10709848f334b2c4a6e76372082471e217fc2d07d774870db558d32cad8419a

SHA512
558207062b55b1e6208d15d821a8643cb98127344025bd4522c30879ac3ccf3cbbe0e9668d325e3a8fbbdf4f1dc87997792b3c216a3d721ec18c49ef5a5055b1

Download Submit
C:\ProgramData\hEfIlJe06108\hEfIlJe06108.exe

Filesize
427KB

MD5
707bf37a9d0524c1d781cb5ef548b699

SHA1
fa84b0eba289454c4d9cda16c8513b305bb129ef

SHA256
d10709848f334b2c4a6e76372082471e217fc2d07d774870db558d32cad8419a

SHA512
558207062b55b1e6208d15d821a8643cb98127344025bd4522c30879ac3ccf3cbbe0e9668d325e3a8fbbdf4f1dc87997792b3c216a3d721ec18c49ef5a5055b1

Download Submit
\ProgramData\hEfIlJe06108\hEfIlJe06108.exe

Filesize
427KB

MD5
707bf37a9d0524c1d781cb5ef548b699

SHA1
fa84b0eba289454c4d9cda16c8513b305bb129ef

SHA256
d10709848f334b2c4a6e76372082471e217fc2d07d774870db558d32cad8419a

SHA512
558207062b55b1e6208d15d821a8643cb98127344025bd4522c30879ac3ccf3cbbe0e9668d325e3a8fbbdf4f1dc87997792b3c216a3d721ec18c49ef5a5055b1

Download Submit
\ProgramData\hEfIlJe06108\hEfIlJe06108.exe

Filesize
427KB

MD5
707bf37a9d0524c1d781cb5ef548b699

SHA1
fa84b0eba289454c4d9cda16c8513b305bb129ef

SHA256
d10709848f334b2c4a6e76372082471e217fc2d07d774870db558d32cad8419a

SHA512
558207062b55b1e6208d15d821a8643cb98127344025bd4522c30879ac3ccf3cbbe0e9668d325e3a8fbbdf4f1dc87997792b3c216a3d721ec18c49ef5a5055b1

Download Submit
memory/952-68-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1996-54-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1996-56-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1996-57-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1996-62-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads