72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457

General

Target

72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
Size

117KB
MD5

71e5a2db05aa8f422f576b189ee2aee5
SHA1

e512ab85bc704ed8cc1779d0627f039bd746fb8b
SHA256

72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457
SHA512

b660e80690673487adbc6e052ee4e7c9ed7eca9f8653fd578a73e44ba232cf83679c8a64cccef97378b53c7cdfb3d32c5c8033cb9923ea0dbd8b6e24a300d634
SSDEEP

1536:+jNKkW4Krw2GGY3aKzqHA12Gswa/S5Lzj3zyatZc9fAEm10RvEW2qGjpZ6zdPJ1y:UKTFM23ejbswaa1j3+yhP1Yvyq0rYj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F5BDD97-6BE4-4d53-862F-33A21494CB0E}\Implemented Categories\{A50EE9ED-3B7C-4a3b-BF99-266FC26E5F6E}	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F5BDD97-6BE4-4d53-862F-33A21494CB0E}	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F5BDD97-6BE4-4d53-862F-33A21494CB0E}\Implemented Categories	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F5BDD97-6BE4-4d53-862F-33A21494CB0E}\Implemented Categories\{A50EE9ED-3B7C-4a3b-BF99-266FC26E5F6E}\ = "E1E2D454BB934c6182691F2B36CDD134"	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
2208	72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe

C:\Users\Admin\AppData\Local\Temp\72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe
"C:\Users\Admin\AppData\Local\Temp\72a79699a43ce05cbcc4f15f1ecff9de7284de4d45d683a633a3bfb98d76c457.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\default.htm

Filesize
1KB

MD5
456b0554a6fcdc5085c68bd017bb4315

SHA1
65e8bf37a4b9c93f296c1b79aa071b53e1de5dfd

SHA256
bbc857efbf3786d8bf8920be8410bb511ff69a50a7346a9be99353b97933375a

SHA512
c7ca8aa20e519ec9e73d1aabf42589d943ce51b8a94f73d7ed9e1faa16c6a1df41e20f0c111005bf410bfbc5cad94be7b129da10c6ebd80f2bc38239ae36fffa

Download Submit
memory/2208-84-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-87-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-79-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-80-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-81-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-82-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-78-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-85-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-83-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-86-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-54-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-88-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-89-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-90-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2208-91-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing