4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40

General

Target

4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
Size

12.9MB
MD5

020e354655dd3b0719438aeb3882763b
SHA1

f39654a7879a102749ffb228194879e224912859
SHA256

4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40
SHA512

6e352bdba6fb03dc9ff569bc6d7ebabf54040656295671b6950f4d28178aa157fa07e491160e3d158d4a0d38bf2d8985e76742ba0807357062bdcffbc1089929
SSDEEP

393216:APVjNlii85CSbFpzAAkUNyHFctWymUt4PJ9I4tOd:APVBli79JJAALNylSt+LtW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1956	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\L:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\Q:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\Z:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\F:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\B:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\I:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\O:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\T:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\Y:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\N:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\R:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\S:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\E:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\H:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\J:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\K:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\M:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\X:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\G:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\P:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\U:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\V:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
File opened (read-only)	\??\W:	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\International\CpMRU	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
668	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
668	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
668	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
668	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
668	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
1956	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
1956	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
1956	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
1956	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
1956	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1956	668	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe	86
PID 668 wrote to memory of 1956	668	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe	86
PID 668 wrote to memory of 1956	668	4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe	86

C:\Users\Admin\AppData\Local\Temp\4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
"C:\Users\Admin\AppData\Local\Temp\4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668
- F:\4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40\4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
  F:\4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40\4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b0bd3a41b0bc5cd62c38f689f2176677.tmp

Filesize
67B

MD5
43a8548ed24f27f1a53a7a756720c28f

SHA1
a9798d165641d4fd3b20d51371fdbe663311b1e3

SHA256
bc212897b6ce192c7a76422433c60b6700834cecc99517b85c3faf08d143ab15

SHA512
e19449b691ab9fb551402455fff664c090bef75734b4382825c4ab36807de1a79fb5a8144c4a27b8015abde14d8f364418373ecfca9e1e20ab2bf1b4f0fba87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2b174ea840ba48545ff5beed4db6193.ini

Filesize
14KB

MD5
e2b656d945b09fb1304c5224ba81ef71

SHA1
c19e4d94d4b536f24b41091e051227cd6e1d2c3a

SHA256
e8c54eb9e37caa9096e8d9f1c233348353cd9508b1569b128f7328c1420d0638

SHA512
1fab7d29de4992e103b6c76635880c707b4d22455d1fcc3d86aff807bda946726d0fb8c222f4377873a618a3a6755c15b9aa39261284db71de5ce38cf13b4924

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.tmp

Filesize
102B

MD5
cba3e1244f1434e37f903672afcab455

SHA1
bb8790cffc2378815f21825f729287d0648b2d30

SHA256
cdac153d845d5a7db9e4ff071c24b41879e187682816131972dd9619c02efc4a

SHA512
f58635264833e0d65802dc1ddb118634a9e96250fb61208c39a4fcc6fab3318b1f69b1049742c61fcf215926d6033820ac9eb767e7ce0f2d53ec87ee61bccbc9

Download Submit
F:\4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40\4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe

Filesize
12.9MB

MD5
020e354655dd3b0719438aeb3882763b

SHA1
f39654a7879a102749ffb228194879e224912859

SHA256
4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40

SHA512
6e352bdba6fb03dc9ff569bc6d7ebabf54040656295671b6950f4d28178aa157fa07e491160e3d158d4a0d38bf2d8985e76742ba0807357062bdcffbc1089929

Download Submit
F:\4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40\4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40.exe

Filesize
12.9MB

MD5
020e354655dd3b0719438aeb3882763b

SHA1
f39654a7879a102749ffb228194879e224912859

SHA256
4af4e401db21ef33970a478218267ddf47323dfbe19c278ebaea9d58043bfc40

SHA512
6e352bdba6fb03dc9ff569bc6d7ebabf54040656295671b6950f4d28178aa157fa07e491160e3d158d4a0d38bf2d8985e76742ba0807357062bdcffbc1089929

Download Submit
memory/668-9-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/668-13-0x0000000000CD0000-0x0000000000CD3000-memory.dmp

Filesize
12KB

Download
memory/668-1-0x0000000000CD0000-0x0000000000CD3000-memory.dmp

Filesize
12KB

Download
memory/668-0-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/1956-8-0x0000000000D20000-0x0000000000D23000-memory.dmp

Filesize
12KB

Download
memory/1956-196-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/1956-197-0x0000000000D20000-0x0000000000D23000-memory.dmp

Filesize
12KB

Download
memory/1956-200-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/1956-207-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing