d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65

General

Target

d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
Size

4.9MB
MD5

b439c0b5d2a0103ed22bebc4fe159ae5
SHA1

04e604b487bb5003b94fe39116b64f5fbd896a59
SHA256

d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65
SHA512

39b1dc4906b1d9a560426d8709966b13435aa0dac6cb6c303d48f856c845ae2b31fa2b54c84ec0a988e7d75f4e6e4c34ed7b3d9a56216111ffc4ece3306f6676
SSDEEP

98304:PwmjyTMnYvx4NMaD9Sf8KBcd1WTPY+7rG4+rqFPVRHOG1EN9kg37dT4Gi3y6bDzk:oxb5AOSwGrqF/HDY9kg6Gii6b

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-0-0x0000000000400000-0x0000000000B4F000-memory.dmp	upx
behavioral2/memory/116-9223-0x0000000000400000-0x0000000000B4F000-memory.dmp	upx
behavioral2/memory/116-13070-0x0000000000400000-0x0000000000B4F000-memory.dmp	upx
behavioral2/memory/116-13071-0x0000000000400000-0x0000000000B4F000-memory.dmp	upx
behavioral2/memory/116-13079-0x00000000034F0000-0x00000000034FB000-memory.dmp	upx
behavioral2/memory/116-13078-0x00000000034F0000-0x00000000034FB000-memory.dmp	upx
behavioral2/memory/116-13082-0x00000000034F0000-0x00000000034FB000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\0306D2.dll	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

pid	Process
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?28879"	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?28879"	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Internet Explorer\Main	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?28879"	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
116	d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe

C:\Users\Admin\AppData\Local\Temp\d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe
"C:\Users\Admin\AppData\Local\Temp\d99f5cf8535e3f21dbf376e958286fdc7365df589e908d77ad096985a284da65.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/116-0-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/116-1-0x0000000076760000-0x0000000076975000-memory.dmp

Filesize
2.1MB

Download
memory/116-3875-0x00000000765C0000-0x0000000076760000-memory.dmp

Filesize
1.6MB

Download
memory/116-5884-0x0000000076F20000-0x0000000076F9A000-memory.dmp

Filesize
488KB

Download
memory/116-9223-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/116-13070-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/116-13071-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/116-13079-0x00000000034F0000-0x00000000034FB000-memory.dmp

Filesize
44KB

Download
memory/116-13078-0x00000000034F0000-0x00000000034FB000-memory.dmp

Filesize
44KB

Download
memory/116-13080-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/116-13082-0x00000000034F0000-0x00000000034FB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads