86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900

General

Target

86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe
Size

15.3MB
MD5

ffc6ec71fdb2cec54fcf1a14082fcc16
SHA1

944d80d71dddb441f75c716e50810ea317671c58
SHA256

86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900
SHA512

6f7cd64fe69091e548252965965e938d94534f53c13a8f9afe717a9021896a6fd7e7e3e59b788de2ed5c32160b5cfaf42481b477b2ae25204cd5a549360646a1
SSDEEP

393216:mWwdrW0M4mjWU1P33PF9R8wjRUG3SyRMK4a:mW2rFaWU1fPr9RG+wa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2544	08C11B36.exe

Loads dropped DLL 2 IoCs

pid	Process
1620	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe
2544	08C11B36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage\fk58qa.top	08C11B36.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage	08C11B36.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage\fk58qa.top\NumberOfSubdomains = "1"	08C11B36.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	08C11B36.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage\dlq.fk58qa.top\ = "63"	08C11B36.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	08C11B36.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage\dlq.fk58qa.top	08C11B36.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage\fk58qa.top\Total = "63"	08C11B36.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	08C11B36.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2544	08C11B36.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1620	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe
1620	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe
2544	08C11B36.exe
2544	08C11B36.exe
2544	08C11B36.exe
2544	08C11B36.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2544	1620	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe	28
PID 1620 wrote to memory of 2544	1620	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe	28
PID 1620 wrote to memory of 2544	1620	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe	28
PID 1620 wrote to memory of 2544	1620	86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe	28
PID 2544 wrote to memory of 1588	2544	08C11B36.exe	30
PID 2544 wrote to memory of 1588	2544	08C11B36.exe	30
PID 2544 wrote to memory of 1588	2544	08C11B36.exe	30
PID 2544 wrote to memory of 1588	2544	08C11B36.exe	30
PID 2544 wrote to memory of 1592	2544	08C11B36.exe	31
PID 2544 wrote to memory of 1592	2544	08C11B36.exe	31
PID 2544 wrote to memory of 1592	2544	08C11B36.exe	31
PID 2544 wrote to memory of 1592	2544	08C11B36.exe	31

C:\Users\Admin\AppData\Local\Temp\86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe
"C:\Users\Admin\AppData\Local\Temp\86cf60cbedcfc12834bf8f981f835fca618eb873b9c8fd67d16a405ff45d6900.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\08C11B36.exe
  C:\Users\Admin\AppData\Local\Temp\08C11B36.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\\*.exe"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\\*.dll"
    3⤵
    PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\08C11B36.exe

Filesize
14.5MB

MD5
7ee08644c2578347d894d74a7339e07d

SHA1
2984dc83d6bb0eec2de893388f5948915c57d46d

SHA256
85b776cec7644866df06ba496bd49506cdc7f61a05c9402278299061d53810ca

SHA512
36f599e489f8a6a9cf21cfc689a6403c1fe8e177bddd3065310c2c79dfdd94e564ac556fbefb042524fbf1c66087e50c21bb721a00d3f95a02a2bc5dcd8317aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\08C11B36.exe

Filesize
14.5MB

MD5
7ee08644c2578347d894d74a7339e07d

SHA1
2984dc83d6bb0eec2de893388f5948915c57d46d

SHA256
85b776cec7644866df06ba496bd49506cdc7f61a05c9402278299061d53810ca

SHA512
36f599e489f8a6a9cf21cfc689a6403c1fe8e177bddd3065310c2c79dfdd94e564ac556fbefb042524fbf1c66087e50c21bb721a00d3f95a02a2bc5dcd8317aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\08C11B36.exepack.tmp

Filesize
2KB

MD5
8b26a59dda868c8c80893010699ad6c0

SHA1
a7d2a2449a937bfe1f582532d7b45c72f7536f4a

SHA256
832c061cf735e4d10685136d26f78a6ec21ffc50f4de477f39652291eb6cc423

SHA512
7c4f032ae0fb858614717fd43ba12a5eb1ce6723fb52afd220f5ed8f87b3acadc8030406c3201576f1bcadec600dd7cc725c9509a058c57eac92ab417e173c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5086ba0d2fa61a2203ab9201781d641.ini

Filesize
1KB

MD5
e031f4c1d0e785fdaf57722209db4c2f

SHA1
796976bc93402f9c6fc69f5e9e4da15353b6c8b9

SHA256
f6cd1744ab2d7eb6e071ae76f8a9ccee394088564d1b8b1b98fd732dc09f33b9

SHA512
0158b310e36cb06ade5b320756534199008aa996e01ebb82a664e3f1d27f2ae63f63d6ca4e2f30b6e64e65fd3babb25a9ee20dd46e7731fb19ed684a200d72a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5086ba0d2fa61a2203ab9201781d641A.ini

Filesize
1KB

MD5
8a097fdbe7ebbaf26404fcd04fe42379

SHA1
5ac06e5079cce795ee78853ba19a2adba7662550

SHA256
888aa2c0cc55820056057651328b70cc927c25f4fac021ae6db0f40067c5bf27

SHA512
a48c46fd9735f7992e24d8f366757bac7e94294967b8d443aac0cb244f7b07befc6b5b408e9b26976e2daf59a9a33c879534930d758b50cfa8940817d7e2dc45

Download Submit
\Users\Admin\AppData\Local\Temp\08C11B36.exe

Filesize
14.5MB

MD5
7ee08644c2578347d894d74a7339e07d

SHA1
2984dc83d6bb0eec2de893388f5948915c57d46d

SHA256
85b776cec7644866df06ba496bd49506cdc7f61a05c9402278299061d53810ca

SHA512
36f599e489f8a6a9cf21cfc689a6403c1fe8e177bddd3065310c2c79dfdd94e564ac556fbefb042524fbf1c66087e50c21bb721a00d3f95a02a2bc5dcd8317aa

Download Submit
\Users\Admin\AppData\Local\Temp\08C11B36.exe

Filesize
14.5MB

MD5
7ee08644c2578347d894d74a7339e07d

SHA1
2984dc83d6bb0eec2de893388f5948915c57d46d

SHA256
85b776cec7644866df06ba496bd49506cdc7f61a05c9402278299061d53810ca

SHA512
36f599e489f8a6a9cf21cfc689a6403c1fe8e177bddd3065310c2c79dfdd94e564ac556fbefb042524fbf1c66087e50c21bb721a00d3f95a02a2bc5dcd8317aa

Download Submit
memory/1620-5-0x0000000003D50000-0x0000000005835000-memory.dmp

Filesize
26.9MB

Download
memory/2544-12-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-362-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-11-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/2544-15-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-8-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-7-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-6-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/2544-359-0x0000000003A40000-0x0000000003A50000-memory.dmp

Filesize
64KB

Download
memory/2544-360-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-13-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/2544-394-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-399-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-430-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-431-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-433-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-434-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-435-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-436-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download
memory/2544-437-0x0000000003A40000-0x0000000003A50000-memory.dmp

Filesize
64KB

Download
memory/2544-438-0x0000000000400000-0x0000000001EE5000-memory.dmp

Filesize
26.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads