a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6

General

Target

a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe
Size

9.4MB
MD5

f9bd5acb9ce5486488df9fd1cf450f86
SHA1

607f09f6520e99e6a03d4e84613b7c82f7550c8c
SHA256

a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6
SHA512

b17bf5b167f2f07aa44f0ccc3e06348e128a0a77118e97d3797d0f227f0e813538daf1760d54d4b19fd0b184d33ba75b7cb2a429a458aa31e166d258d28f1d5a
SSDEEP

196608:YVK3iLPy/eJ9O9+5DWPHfbhVma0UE98msIl8JjsBa4g6bOzB+ik0VWOFFqoTOuir:t3iOWo+5CffbhVmj8p+8JABa4gJ920Vq

Score

10^/10

phishing

Malware Config

Signatures

Detected phishing page
phishing
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4308	780	WerFault.exe	84

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\International\CpMRU	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
780	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe
780	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe
780	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe
780	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 5012	780	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe	88
PID 780 wrote to memory of 5012	780	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe	88
PID 780 wrote to memory of 5012	780	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe	88
PID 780 wrote to memory of 5056	780	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe	89
PID 780 wrote to memory of 5056	780	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe	89
PID 780 wrote to memory of 5056	780	a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe	89

C:\Users\Admin\AppData\Local\Temp\a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe
"C:\Users\Admin\AppData\Local\Temp\a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*7a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exe"
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*.dll"
  2⤵
  PID:5056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 2612
  2⤵
  - Program crash
  PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 780 -ip 780
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a807a670420f124b0feeceb1d937d5effded8cb1df245927f024a1c187fe02b6.exepack.tmp

Filesize
2KB

MD5
1e9aa49dfc0f270141464dfb112b1014

SHA1
66ae598af6629377bb48312b50ae60f2ce6b4856

SHA256
492ec7c6fb2d7abcdf2c91838043e8c93e26d84c50c15cce19db15da492ce473

SHA512
da61093f173540a8c96361067f7554183b1b732d30aece418c62c6dc98600f02c91ceedead2574f724cee1905342d2f15ca2b66fea51c935f22eceab6fa567b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f335b29165184452e9cd1b0258eba6b1.ini

Filesize
1KB

MD5
95566e343047442fba9b30c409a8d357

SHA1
887e8c4ff8e90a94bc9d5dc42732ed3f0bc349db

SHA256
d8e278b00512b721439ab533a7999d578a367f1cbf421dad9d9313ea98827187

SHA512
9d3af259cf79a0fa45ff3b8f7d4a83b0d91827ad195250c38357c10ace714c625b6abc386b5dc2552a17a757958f2d04ed365a17231e5e2850e30e8351f189bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\f335b29165184452e9cd1b0258eba6b1A.ini

Filesize
1KB

MD5
43448a5eb23e9b620b362b823ad48362

SHA1
238a0456e00a9d53688e6295de04b80b61a9c470

SHA256
ed1e933d53e44ae7f0d6b745ce370c638c7b19f72c91e70b161d735be8010b65

SHA512
c3fbe34a486c96c514b43ce808d865f5c4f99558bdbce0adf1d7ee0c233c5e8e76b47bddf81bb8415171ca5427fdb9f5f72fe5cf936c6ea34547de317828f5fc

Download Submit
memory/780-0-0x0000000000400000-0x0000000001EFF000-memory.dmp

Filesize
27.0MB

Download
memory/780-1-0x00000000024D0000-0x00000000024D3000-memory.dmp

Filesize
12KB

Download
memory/780-2-0x0000000000400000-0x0000000001EFF000-memory.dmp

Filesize
27.0MB

Download
memory/780-5-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/780-336-0x0000000000400000-0x0000000001EFF000-memory.dmp

Filesize
27.0MB

Download
memory/780-337-0x00000000024D0000-0x00000000024D3000-memory.dmp

Filesize
12KB

Download
memory/780-338-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/780-344-0x0000000000400000-0x0000000001EFF000-memory.dmp

Filesize
27.0MB

Download

Analysis

Sharing