a6d7e5b0abfbf21c4c6e7df8f411d2c0c67caa9f378e07bd5be1c496d0f8b432

General

Target

15b935b9ca1bfa5394400863dc22d6e6.exe
Size

805KB
MD5

15b935b9ca1bfa5394400863dc22d6e6
SHA1

05bb2a272523a3f39907d6cf11d65c86888726dd
SHA256

a6d7e5b0abfbf21c4c6e7df8f411d2c0c67caa9f378e07bd5be1c496d0f8b432
SHA512

64914d31cdedc091421de4f42c52d830ebd68b487ac75bac99164badf8f2b038b14f750c261cbf6e27fcf1e5831370a61e350fd7bae61cade6b1c7c4c54cd87c
SSDEEP

12288:hfp1E31IuRjOCPffwtq0KWXPS9//Lay2yAYNssPgISyknNp1W/FW/bf3diVVuAHf:hfI9FPfV/LV2utSyOrf38VV9YIWe

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
2852	15b935b9ca1bfa5394400863dc22d6e6.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2852-0-0x0000000000E10000-0x000000000106C000-memory.dmp	upx
behavioral1/files/0x0027000000014b38-2.dat	upx
behavioral1/memory/2852-4-0x0000000002830000-0x0000000002A8C000-memory.dmp	upx
behavioral1/files/0x0027000000014b38-7.dat	upx
behavioral1/files/0x0027000000014b38-6.dat	upx
behavioral1/memory/2852-8-0x0000000000E10000-0x000000000106C000-memory.dmp	upx
behavioral1/memory/2984-9-0x0000000000370000-0x00000000005CC000-memory.dmp	upx
behavioral1/memory/2984-29-0x0000000000370000-0x00000000005CC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2984	setup.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2984	setup.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2852	15b935b9ca1bfa5394400863dc22d6e6.exe
2852	15b935b9ca1bfa5394400863dc22d6e6.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe
2984	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2984	2852	15b935b9ca1bfa5394400863dc22d6e6.exe	27
PID 2852 wrote to memory of 2984	2852	15b935b9ca1bfa5394400863dc22d6e6.exe	27
PID 2852 wrote to memory of 2984	2852	15b935b9ca1bfa5394400863dc22d6e6.exe	27
PID 2852 wrote to memory of 2984	2852	15b935b9ca1bfa5394400863dc22d6e6.exe	27
PID 2852 wrote to memory of 2984	2852	15b935b9ca1bfa5394400863dc22d6e6.exe	27
PID 2852 wrote to memory of 2984	2852	15b935b9ca1bfa5394400863dc22d6e6.exe	27
PID 2852 wrote to memory of 2984	2852	15b935b9ca1bfa5394400863dc22d6e6.exe	27

C:\Users\Admin\AppData\Local\Temp\15b935b9ca1bfa5394400863dc22d6e6.exe
"C:\Users\Admin\AppData\Local\Temp\15b935b9ca1bfa5394400863dc22d6e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\setup.exe relaunch
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0joXMIdAYs\intro_page.html

Filesize
15KB

MD5
60995d04e55f8d138cf5183e95942906

SHA1
d90f51dd6705b94d7d3915dad623f61a7654a410

SHA256
05b3464493d500473e1370aafd8c0b8db1678bd38353237141997607caf5c132

SHA512
3886ba8025d96b3ba1522def75b997aec503505c14ec3364bba93fa8a5509c792b44bc67a9afbfcc4af9047bad69ae7c9dfd61ec094079cf7ddf3838704af871

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
74KB

MD5
61ca2cbd7d338084b16c20c00b1cfdb4

SHA1
d7ec1367f34b3a262bb9f35a47e04f2abd59fca1

SHA256
df4f5f704bec71bee229e57b6567a1cfb13caf21e601368ff68d9f73b8d56887

SHA512
f13f7eeec650d3534d0a3ef3cf6d68ab25ed5ce8ba233124f5b359bf8b024406dcba2a3c008ccd3f80ce70037695eaf962ba88aad6225220a4ebb77e9482b93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
28KB

MD5
2c614b56a42581b606cd717009cee973

SHA1
89662dcac2956b4682aa9f36672351653821c972

SHA256
8b985d99ad504166e1e1d21aac6a5fe314268c6d66ecd4ea806af7d0805105e0

SHA512
2793eada55682c31e5c068b62e87246f59beffed5c07f520a89596219de5c6050eb260af548d15654dea0d47d2a240ad802d0942965482e843ff6e15f4c261bb

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
214KB

MD5
7f1ba78c08419f65be5d5211373e4e35

SHA1
ccb1f2db762307553b7de110d24cb6b196f98694

SHA256
61043d058f69d78b1c6b2eeca633ce0db5a02e4c0288cc98aebc54bde9745e38

SHA512
04c758773266ba8170d95cba6b0d1154050a4e827b8f3be9ebedfb38673ee4a60f8d7fab9dc88b9ae5c9bbc4a0532b3d9076df167cf286cfa61a8f0801777c2d

Download Submit
memory/2852-0-0x0000000000E10000-0x000000000106C000-memory.dmp

Filesize
2.4MB

Download
memory/2852-4-0x0000000002830000-0x0000000002A8C000-memory.dmp

Filesize
2.4MB

Download
memory/2852-8-0x0000000000E10000-0x000000000106C000-memory.dmp

Filesize
2.4MB

Download
memory/2852-31-0x0000000002830000-0x0000000002A8C000-memory.dmp

Filesize
2.4MB

Download
memory/2984-9-0x0000000000370000-0x00000000005CC000-memory.dmp

Filesize
2.4MB

Download
memory/2984-29-0x0000000000370000-0x00000000005CC000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing