8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c

General

Target

8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe
Size

3.0MB
MD5

7f458ac8cf87cb612ed32ef11ee40aa7
SHA1

69de6153f1564ca537287a5b59e0a6e243bfd2af
SHA256

8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c
SHA512

dd92f42c2b3072305206467b21159689d1b2b19b796c7ca896eb7fe0997773ed23e4cc99d5135553ac989b6c547197f4173df6a2b77b59520b4dca182322640f
SSDEEP

49152:v/VfCrT17laVjpttj442y93IiRim353MgWKbeLmB1VuWGHk+7DH0rVYCAIwznRzN:HUfaVjJ442yqiRlWgWsZuJn7DH0r1w9N

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1084	8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1084-9-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-10-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-11-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-13-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-15-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-17-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-19-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-21-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-23-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-25-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-27-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-29-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-31-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-33-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-35-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-37-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-39-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-41-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-43-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-45-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-47-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-49-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-51-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1084-52-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HPSocket4C.dll	8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe
File created	C:\Windows\zlib1.dll	8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4880	1084	WerFault.exe	84

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\SOFTWARE\Microsoft\Internet Explorer\Main\default_page_url = "http://591314.org/?soft"	8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://591314.org/?soft"	8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1084	8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe
1084	8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe
1084	8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe
1084	8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe

C:\Users\Admin\AppData\Local\Temp\8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe
"C:\Users\Admin\AppData\Local\Temp\8872f8839f5880fa52826a57d37d09fb24a480dab45fbdb7aabd76eb485e5d0c.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
PID:1084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1796
  2⤵
  - Program crash
  PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1084 -ip 1084
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HPSocket4C.dll

Filesize
2.8MB

MD5
1cf6b966365f29d060154fa5eb5c7f72

SHA1
bb110d37a96878c8c024a450d0b09cc28ef03cf0

SHA256
0e11b955048104466ed8d86db346628c1b30118ae116fa0428b0c34f486d8cf3

SHA512
6bc266813f4518f1b5e958c047972072d6d43996add9587b3c3b7ac64e2406784a2240cc9b815f29208b9b3ef77e0b647a1201ef39aab10eb3bec297294d2dad

Download Submit
C:\Windows\HPSocket4C.dll

Filesize
2.8MB

MD5
1cf6b966365f29d060154fa5eb5c7f72

SHA1
bb110d37a96878c8c024a450d0b09cc28ef03cf0

SHA256
0e11b955048104466ed8d86db346628c1b30118ae116fa0428b0c34f486d8cf3

SHA512
6bc266813f4518f1b5e958c047972072d6d43996add9587b3c3b7ac64e2406784a2240cc9b815f29208b9b3ef77e0b647a1201ef39aab10eb3bec297294d2dad

Download Submit
memory/1084-27-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-19-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-11-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-13-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-15-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-17-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-29-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-21-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-23-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-25-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-10-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-9-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-39-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-33-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-35-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-37-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-31-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-41-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-43-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-45-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-47-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-49-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-51-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1084-52-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads