fd104f3f7db7d307e6a588d24bac5fe761b91c54a2bf2fa4084c6be14b74f982

General

Target

2d663c27cecfcd91ec866772a45a6e67.exe
Size

15.9MB
MD5

2d663c27cecfcd91ec866772a45a6e67
SHA1

9c14b401db69850b446264ad9a8693b4736c89b5
SHA256

fd104f3f7db7d307e6a588d24bac5fe761b91c54a2bf2fa4084c6be14b74f982
SHA512

34629771281d648e596ec328c17c3703affacdb500bb349f6b8ae546bc10ebe7058d75dd4ea322994e71fd753955a2cad0bc3f458e529ffae2e95e67a81cffdb
SSDEEP

393216:Eg7u2g7u2g7u2g7u2g7u2g7u2g7u2g7uN:ZSbSbSbSbSbSbSbSN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2756	7D57AD13E21.exe
2684	Scegli_nome_allegato.exe
2320	7D57AD13E21.exe

Loads dropped DLL 3 IoCs

pid	Process
3036	2d663c27cecfcd91ec866772a45a6e67.exe
3036	2d663c27cecfcd91ec866772a45a6e67.exe
3036	2d663c27cecfcd91ec866772a45a6e67.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 2320	2756	7D57AD13E21.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	Scegli_nome_allegato.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Scegli_nome_allegato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Scegli_nome_allegato.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2760	reg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2684	Scegli_nome_allegato.exe
2684	Scegli_nome_allegato.exe
2684	Scegli_nome_allegato.exe
2320	7D57AD13E21.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2760	3036	2d663c27cecfcd91ec866772a45a6e67.exe	28
PID 3036 wrote to memory of 2760	3036	2d663c27cecfcd91ec866772a45a6e67.exe	28
PID 3036 wrote to memory of 2760	3036	2d663c27cecfcd91ec866772a45a6e67.exe	28
PID 3036 wrote to memory of 2760	3036	2d663c27cecfcd91ec866772a45a6e67.exe	28
PID 3036 wrote to memory of 2756	3036	2d663c27cecfcd91ec866772a45a6e67.exe	30
PID 3036 wrote to memory of 2756	3036	2d663c27cecfcd91ec866772a45a6e67.exe	30
PID 3036 wrote to memory of 2756	3036	2d663c27cecfcd91ec866772a45a6e67.exe	30
PID 3036 wrote to memory of 2756	3036	2d663c27cecfcd91ec866772a45a6e67.exe	30
PID 3036 wrote to memory of 2684	3036	2d663c27cecfcd91ec866772a45a6e67.exe	31
PID 3036 wrote to memory of 2684	3036	2d663c27cecfcd91ec866772a45a6e67.exe	31
PID 3036 wrote to memory of 2684	3036	2d663c27cecfcd91ec866772a45a6e67.exe	31
PID 3036 wrote to memory of 2684	3036	2d663c27cecfcd91ec866772a45a6e67.exe	31
PID 2756 wrote to memory of 2320	2756	7D57AD13E21.exe	33
PID 2756 wrote to memory of 2320	2756	7D57AD13E21.exe	33
PID 2756 wrote to memory of 2320	2756	7D57AD13E21.exe	33
PID 2756 wrote to memory of 2320	2756	7D57AD13E21.exe	33
PID 2756 wrote to memory of 2320	2756	7D57AD13E21.exe	33
PID 2756 wrote to memory of 2320	2756	7D57AD13E21.exe	33

C:\Users\Admin\AppData\Local\Temp\2d663c27cecfcd91ec866772a45a6e67.exe
"C:\Users\Admin\AppData\Local\Temp\2d663c27cecfcd91ec866772a45a6e67.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2760
- C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
  "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
    "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2320
- C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
  "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
413KB

MD5
3174fbd0d84a6f9173267221cbcd4eb2

SHA1
e0168303449812e74b49773e495614b54e58acd6

SHA256
d92b56b4db9c0ed85e45335f33605767cc9c4ac9f0719b223782854b48163dd5

SHA512
b2575ca46cb3484ac22532e6ab5bea0d4de5882f993ef9be29b242b98b1f73ddf66f3480567af5e433148910171d97019b1edf7cc353a7f26f828965e605595e

Download Submit
C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
4.7MB

MD5
64965d127637848d43e91019a27c4df9

SHA1
a935ac69d028e6a086380afd161a850d1ddb2d29

SHA256
1bef309757e35b52b82d2dea1bc5f0df971151dbfa8d89132a6978019db16984

SHA512
c7863bcbe1e15629b64e2dd463c2b9f1c128c85bc029475e089a1668211955402e76f064daf270c68220614d61996f665b297be6164fe3ce07762746b2f270d4

Download Submit
C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
6.7MB

MD5
3a4c54fc736f1daa47beddc6c9dda930

SHA1
7a9b29154475e0bc69340049fd68ece38b93bf46

SHA256
4441ae74337c99b987943de263d8e6722b8ae8cf61bb05c236a08ae095d6f049

SHA512
fab994b7bbebd5c9722dbe0d1e89909da81aa9962a7557e274bc3de81ba0254ebfaae18096c313705db86ffae24a5f7a9c2ee8e3040de8f2bae772fdd7a78bf3

Download Submit
C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
414KB

MD5
2cd29e0d4158632102b0fda8b24a502b

SHA1
c54268e4cf5686c443c35517c590345869753945

SHA256
cc4669af0051cbe7681d9f6d39ff768887abb8af271ced8a847fac5290ede29d

SHA512
0b9dfff026d50ff2ebc1efc3a157b73d86fe81bf9ae9df89414904b39ccfd8a19525e8b5116abc3fb08f558905d7f217bab445981b2b6e61b4abd47bea7c7293

Download Submit
\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
1.3MB

MD5
6719857328f0d1b13d0fcab03f6833bb

SHA1
ce73502771a7d1b2bee885a270f97473b4b24c56

SHA256
da16677974cc6e64565ab5bfaea84fb02eedcdce4509c18efc6460dd29225676

SHA512
4f5608f3e6fed8b9d777d95c53f6238cf3adcf86cfb94dbc9eb4a58f24f25880fdbc973472ba43a0edf0ba041f0fcc35561219f3e46bb26e8c4eb20bef2e499a

Download Submit
\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
686KB

MD5
b81c66acda0589065fde64df917c7fcc

SHA1
d949e16c80dd3b7cd2f55a5291c335226870b483

SHA256
9ba0754c2f54f496bb808720c158b2a4bea1b57775080d9eac04d447649b145a

SHA512
632a338dbad8e2554925d1f5c25828569b056fabb2c0929149b7b1304498d111048145db02f234ebb9aeb8df4c61c8300cfccf57022b4d607e0b35021f2c7f3f

Download Submit
\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

Filesize
1.0MB

MD5
a2f259ceb892d3b0d1d121997c8927e3

SHA1
6e0a7239822b8d365d690a314f231286355f6cc6

SHA256
ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

SHA512
5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

Download Submit
memory/2320-43-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2320-51-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2320-57-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2320-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2320-54-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2320-55-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2320-50-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2320-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2320-47-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2684-26-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2684-41-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2684-53-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2684-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2756-49-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2756-40-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2756-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3036-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3036-19-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3036-12-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3036-1-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads