b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504

General

Target

b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe
Size

11.3MB
MD5

bba9f453dcbacebb514bc633c1a62841
SHA1

81f58e3571f2aa2afac8fe1ffd4005a7bdc0bb8a
SHA256

b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504
SHA512

f25c080efca85ef2431332b7134b350424557044a48d4cb7f3a231b1d054860f6daf8fe1e9a9eb18fe2213beb4069c513fe2b81ecd74f1f710086317b88614dd
SSDEEP

196608:67wCgMw5S+3vM11Nolsono9t2Ar28q/3fq5hgpDtzjbF7vPj798dZrtdr3u:Ow5T3E11ai2AK8q/3fpvBjj72ZtdTu

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe
1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe
1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe
1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2160	1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe	28
PID 1720 wrote to memory of 2160	1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe	28
PID 1720 wrote to memory of 2160	1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe	28
PID 1720 wrote to memory of 2160	1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe	28
PID 1720 wrote to memory of 1348	1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe	29
PID 1720 wrote to memory of 1348	1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe	29
PID 1720 wrote to memory of 1348	1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe	29
PID 1720 wrote to memory of 1348	1720	b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe	29

C:\Users\Admin\AppData\Local\Temp\b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe
"C:\Users\Admin\AppData\Local\Temp\b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*adeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exe"
  2⤵
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*.dll"
  2⤵
  PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\569267de99575e28b25ac4cc3d057c85.ini

Filesize
1KB

MD5
b2c3747a35e7dfbc1c650c3711bcb42c

SHA1
09e9db927c60f6c406f843b409f915e7bcac06f3

SHA256
75455e60675e12a43a64df6903479b8874f72c2ef577ed182d7843b520e49fda

SHA512
e346553121fe04f78a26bdbff937a94ae64c53805237e04178a2ad2aa70f7f12c34f13e75dfde62bb6fcd01f9464c822c185e66aa2711e5dd1d83749a03cb00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\569267de99575e28b25ac4cc3d057c85A.ini

Filesize
1KB

MD5
8865ffb6ec678c6bf10ed2588d3715e7

SHA1
e3dc9cb3e28a3f640ac2d5c94d73d6a934d94e8d

SHA256
6c5790a9d88fedf2bc0073f9ba0887aef6882b2d063669d64d2bdfd39c907a7b

SHA512
7edfad31e71b15d8eb2b71f63fdd8c59beea31302cc9f06643f3e4bef8bfb9de20ae777b0d0f5f6b8c87ec6a18be44fd90f0702dddc84d87bb6c8e48a4bd41d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8fadeb328f81a045c6ee83fac2ae7a8256ed2bf4d5ed80636efa3b5d3e26504.exepack.tmp

Filesize
2KB

MD5
75f1afaf539858702060441ef80ece49

SHA1
1b287052f5d92afac51fd894647bd11a0011c66e

SHA256
315100335c9e5c17856ed37eda609f359b3e82ada225286764d0a5e8f0e38e07

SHA512
67bd5054a69315fbc093fccb3caf1ad69fdc04a48f413feed77d22798856e1b6fec0cc2e85b0cda975465c30d3181f0eff567962f4c85d594cc284221e8cfb92

Download Submit
memory/1720-357-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/1720-362-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-2-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-1-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/1720-338-0x0000000003E40000-0x0000000003E50000-memory.dmp

Filesize
64KB

Download
memory/1720-355-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/1720-356-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-0-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-361-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-5-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/1720-363-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-364-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-366-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-368-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-369-0x0000000003E40000-0x0000000003E50000-memory.dmp

Filesize
64KB

Download
memory/1720-370-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-371-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-372-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-373-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download
memory/1720-374-0x0000000000400000-0x0000000001EEF000-memory.dmp

Filesize
26.9MB

Download

Analysis

Sharing