e2ef7ae67a756af62c19532fcbcbd3de484ccec60da8b6c7543b0f7bc602c678

General

Target

0b0f4774332a528d538ba8f5657b1576.exe
Size

324KB
MD5

0b0f4774332a528d538ba8f5657b1576
SHA1

9a084a946021ed0e11466f39d4976fc13f11a723
SHA256

e2ef7ae67a756af62c19532fcbcbd3de484ccec60da8b6c7543b0f7bc602c678
SHA512

e0b8255b94ae6c6aed523252816e26316f0d66e61d1d17ce0a4f141adbce1025cb117b96742fdc35b0d75b3cad561edf3d5562f651a2a17aac5fbeb91969f32d
SSDEEP

6144:d9OLCr50OaSjg6H3qBC1hJI26sQwO0yRJJ5JDVoYKQIDKT3cKamM9p6HprBIvDAy:uLCFUSj7Ha0JI7sbyRJJ5pKLKDymMgBh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	mEdEaAe01827.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	mEdEaAe01827.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	0b0f4774332a528d538ba8f5657b1576.exe
2980	0b0f4774332a528d538ba8f5657b1576.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2980-1-0x0000000000400000-0x00000000005BD000-memory.dmp	upx
behavioral1/memory/2668-14-0x0000000000400000-0x00000000005BD000-memory.dmp	upx
behavioral1/memory/2980-18-0x0000000000400000-0x00000000005BD000-memory.dmp	upx
behavioral1/memory/2668-19-0x0000000000400000-0x00000000005BD000-memory.dmp	upx
behavioral1/memory/2668-34-0x0000000000400000-0x00000000005BD000-memory.dmp	upx
behavioral1/memory/2980-49-0x0000000000400000-0x00000000005BD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mEdEaAe01827 = "C:\\ProgramData\\mEdEaAe01827\\mEdEaAe01827.exe"	mEdEaAe01827.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	mEdEaAe01827.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2980	0b0f4774332a528d538ba8f5657b1576.exe
2980	0b0f4774332a528d538ba8f5657b1576.exe
2668	mEdEaAe01827.exe
2668	mEdEaAe01827.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	0b0f4774332a528d538ba8f5657b1576.exe
Token: SeDebugPrivilege	2668	mEdEaAe01827.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2668	mEdEaAe01827.exe
2668	mEdEaAe01827.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2668	mEdEaAe01827.exe
2668	mEdEaAe01827.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2668	mEdEaAe01827.exe
2668	mEdEaAe01827.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2668	2980	0b0f4774332a528d538ba8f5657b1576.exe	27
PID 2980 wrote to memory of 2668	2980	0b0f4774332a528d538ba8f5657b1576.exe	27
PID 2980 wrote to memory of 2668	2980	0b0f4774332a528d538ba8f5657b1576.exe	27
PID 2980 wrote to memory of 2668	2980	0b0f4774332a528d538ba8f5657b1576.exe	27

C:\Users\Admin\AppData\Local\Temp\0b0f4774332a528d538ba8f5657b1576.exe
"C:\Users\Admin\AppData\Local\Temp\0b0f4774332a528d538ba8f5657b1576.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\ProgramData\mEdEaAe01827\mEdEaAe01827.exe
  "C:\ProgramData\mEdEaAe01827\mEdEaAe01827.exe" "C:\Users\Admin\AppData\Local\Temp\0b0f4774332a528d538ba8f5657b1576.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mEdEaAe01827\mEdEaAe01827.exe

Filesize
223KB

MD5
9b37dd22bdb4112f81365580fa6cea02

SHA1
e3bb3580b51ef8ee7e614688487a98489649687c

SHA256
2786cd81398d351bc561db490c9daf03888cae377d3e5a173587591fc3e999ba

SHA512
d84d9a3bb4045709bce293aab4b32dbaf5ba9356bc594135a78ba7d5e3d101beb41519655dc0b2631a28389da75359f189e90d33167e444039d6c9d3515461ec

Download Submit
C:\ProgramData\mEdEaAe01827\mEdEaAe01827.exe

Filesize
181KB

MD5
84ea274b1eba115d307aa55411a1e956

SHA1
0ba5d440096f1ae5821b34aaed4b169d8e2d2455

SHA256
657d2163847cc8fa6c749160ea14675e95113f2cc3e5e9ab1193eca0de8cb6e7

SHA512
a11413b52c7e736c3dba3a592e4aa7d82ab2b50d5a94afce0cc158b53366b88becc7ea451d1222aa8516c831ca332185d125896056ffc83a53b1f34e295d7db4

Download Submit
C:\ProgramData\mEdEaAe01827\mEdEaAe01827.exe

Filesize
248KB

MD5
ae62866e86b2088d4aa8cef732fdf0db

SHA1
e686d041b34d9a7666bc616394b42a4f7447f34f

SHA256
6b7f81e218857ada0f528cdf78040eea9a8007b82d16e3e9a385476a57da537b

SHA512
21c832777e219fabc431e968b8532241cdc74915ba25a7424e17dd601b5cc8acf4447cc4176317aa53c02cc26d18bd552eb9e5ab993e6d6ffc73d706319f956d

Download Submit
\ProgramData\mEdEaAe01827\mEdEaAe01827.exe

Filesize
176KB

MD5
cd9de02f0b232d1ccb5103fd32d6487f

SHA1
5b6b7d23b48708b66ee6f7fa822ac972b0f620de

SHA256
2c125531746618138f314315659396642616d5f38769e64ea16fc03cbe701565

SHA512
cb18ecb3e41ee1d30b62c5a76d00f86efdfc106d8ca11c617db4bbe4a5b73b66c2432211662047f46a18cbdc9d815c6c5ec701fbba9429145489bc895e87b2f2

Download Submit
\ProgramData\mEdEaAe01827\mEdEaAe01827.exe

Filesize
204KB

MD5
c9f7fe0f79cd02e6ff069135415b979e

SHA1
9b7bd495cec8d1357a40a4ad85145db83b62b89c

SHA256
b2ede0b99c9965c811936b1d03f3b09708d4b08c26460952f71c5df45e9ccb53

SHA512
56e4b9a1c1337eba14326f5508d9efbe9f025289971ae7c65774cd43af1ac3e5b3219ba9d52de420ec73eb19dc4da58b3258cd3f24d4a9efe31f2d2bfd063acb

Download Submit
memory/2668-14-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/2668-19-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/2668-34-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/2980-0-0x0000000000220000-0x000000000026E000-memory.dmp

Filesize
312KB

Download
memory/2980-1-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/2980-18-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/2980-49-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads