36f828fc51e022714a6fd634e6b663919f332b67e9505ceb05d5c3b9398c6a00

General

Target

d27b20602db59697c20293d02aef1e433f98baf4.exe
Size

1.2MB
MD5

9190513275b80db066cc1a2275c01af1
SHA1

d27b20602db59697c20293d02aef1e433f98baf4
SHA256

36f828fc51e022714a6fd634e6b663919f332b67e9505ceb05d5c3b9398c6a00
SHA512

c425f57e05af494687b7b7d81252a5345d61554860a41d398346b5ca31fa229003c3ff0d570749d2eec146f142e701725724e279110c77df52ae7b4e6524f2dc
SSDEEP

12288:3Cw0bu5zZm+Sxkxm/X7hddTg1k8WtEGPObozGVzrj2roUVxAvWkZxsqJyMkZ6yEe:3ClP78fLPTu69tCT/4jwCv

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
960	ipconfig.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 760	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	31
PID 760 set thread context of 1260	760	jsc.exe	15
PID 960 set thread context of 1260	960	ipconfig.exe	15

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
960	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1516	d27b20602db59697c20293d02aef1e433f98baf4.exe
1516	d27b20602db59697c20293d02aef1e433f98baf4.exe
1516	d27b20602db59697c20293d02aef1e433f98baf4.exe
760	jsc.exe
760	jsc.exe
760	jsc.exe
760	jsc.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
760	jsc.exe
760	jsc.exe
760	jsc.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe
960	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe
Token: SeDebugPrivilege	760	jsc.exe
Token: SeDebugPrivilege	960	ipconfig.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 240	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	28
PID 1516 wrote to memory of 240	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	28
PID 1516 wrote to memory of 240	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	28
PID 1516 wrote to memory of 1608	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	29
PID 1516 wrote to memory of 1608	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	29
PID 1516 wrote to memory of 1608	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	29
PID 1516 wrote to memory of 1716	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	30
PID 1516 wrote to memory of 1716	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	30
PID 1516 wrote to memory of 1716	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	30
PID 1516 wrote to memory of 760	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	31
PID 1516 wrote to memory of 760	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	31
PID 1516 wrote to memory of 760	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	31
PID 1516 wrote to memory of 760	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	31
PID 1516 wrote to memory of 760	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	31
PID 1516 wrote to memory of 760	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	31
PID 1516 wrote to memory of 760	1516	d27b20602db59697c20293d02aef1e433f98baf4.exe	31
PID 1260 wrote to memory of 960	1260	Explorer.EXE	32
PID 1260 wrote to memory of 960	1260	Explorer.EXE	32
PID 1260 wrote to memory of 960	1260	Explorer.EXE	32
PID 1260 wrote to memory of 960	1260	Explorer.EXE	32
PID 960 wrote to memory of 964	960	ipconfig.exe	35
PID 960 wrote to memory of 964	960	ipconfig.exe	35
PID 960 wrote to memory of 964	960	ipconfig.exe	35
PID 960 wrote to memory of 964	960	ipconfig.exe	35
PID 960 wrote to memory of 964	960	ipconfig.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\d27b20602db59697c20293d02aef1e433f98baf4.exe
  "C:\Users\Admin\AppData\Local\Temp\d27b20602db59697c20293d02aef1e433f98baf4.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
    3⤵
    PID:240
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:1608
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
    3⤵
    PID:1716
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
819KB

MD5
eda40ea55ff2eb2a2e5aca836bb1cc26

SHA1
6de11b4b121bc8b9b87b05ddbdd6eda4e9442c37

SHA256
330b88eacb778b86dff1a90189121e8b3280723be9fbf4e55174ede2bbf74af0

SHA512
caf63f50931f76ec919528dedfb8b6ee14590f5aa33f91a6b9c24f63c0f3851cffdc16eab976ee7d6140f383050050d26f3547743b5ae772001b8f6199f0a4fc

Download Submit
memory/760-61-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/760-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-60-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/960-65-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/960-64-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/960-66-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/960-67-0x0000000001F40000-0x0000000002243000-memory.dmp

Filesize
3.0MB

Download
memory/960-68-0x0000000000530000-0x00000000005BF000-memory.dmp

Filesize
572KB

Download
memory/1260-62-0x0000000003E90000-0x0000000003F44000-memory.dmp

Filesize
720KB

Download
memory/1260-69-0x0000000004320000-0x0000000004404000-memory.dmp

Filesize
912KB

Download
memory/1260-70-0x0000000004320000-0x0000000004404000-memory.dmp

Filesize
912KB

Download
memory/1516-54-0x0000000000B60000-0x0000000000C98000-memory.dmp

Filesize
1.2MB

Download
memory/1516-55-0x00000000009D0000-0x0000000000A42000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing