7d3b98b30b454338866bb10ccfac748e41443c1525e74daf30aaf06444077c6d

General

Target

2bed37ad252c97004ea63c48099000fd.exe
Size

479KB
MD5

2bed37ad252c97004ea63c48099000fd
SHA1

a3f18c7b526772f8f014d2582a0d24c6756e8d8e
SHA256

7d3b98b30b454338866bb10ccfac748e41443c1525e74daf30aaf06444077c6d
SHA512

86b6dddff6323efc6f616791ea133688608b61b385afa8c70133162603ec7012c1a940e6041c0ad1236a1885a0fd95a8639a354dbe241cdad61bb9aa8f300a75
SSDEEP

12288:rtOzkjUBvCkfmvz756FGtkeSUknzp7tRuvftbOb8:RwkjUV5a75G0OtXggb8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2172	2bed37ad252c97004ea63c48099000fd.exe
2172	2bed37ad252c97004ea63c48099000fd.exe
2172	2bed37ad252c97004ea63c48099000fd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2bed37ad252c97004ea63c48099000fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2bed37ad252c97004ea63c48099000fd.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	2bed37ad252c97004ea63c48099000fd.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	2bed37ad252c97004ea63c48099000fd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2172	2bed37ad252c97004ea63c48099000fd.exe
2172	2bed37ad252c97004ea63c48099000fd.exe

C:\Users\Admin\AppData\Local\Temp\2bed37ad252c97004ea63c48099000fd.exe
"C:\Users\Admin\AppData\Local\Temp\2bed37ad252c97004ea63c48099000fd.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IM_47E9.tmp\ActionEngine.dll

Filesize
137KB

MD5
bf2589054e2300fc2ddb1748351df338

SHA1
e2923cfeffb0eb8e1fe5d562eb870e7e068f8268

SHA256
b1191a09c316b234f52f441469b21f6fb7672ddaf7df7fc5fee6a0d2760358a3

SHA512
939c18987160878b83d4e81d1202ad0cd4fff7787ea7b0573defe89409b3e8f36f4c429e23774beafc41843ac736e84f218bf6530a5320045bfb6f8c2f2f39eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IM_47E9.tmp\Gui\jquery-1.3.2.min.js

Filesize
55KB

MD5
bb381e2d19d8eace86b34d20759491a5

SHA1
3dc9f7c2642efff4482e68c9d9df874bf98f5bcb

SHA256
c8370a2d050359e9d505acc411e6f457a49b21360a21e6cbc9229bad3a767899

SHA512
abb2ad8b111271a82a04362940a7ab9930883ecb33497a1c53edcdc49f0634af5bf5b1bc7095bd18db26d212b059aece4577f85040b5f49c4982b468fe973c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IM_47E9.tmp\Gui\jquery.localisation.min.js

Filesize
1KB

MD5
f1cf73e00c240e9a4283201291d45a07

SHA1
918c49cb6f1de521d91967b2508f19db1f38fea2

SHA256
81bce5ff1003c9d5a688102d5d4c603841ed61c32628823dc48d560ec0d42cd2

SHA512
2242892434a638a9344c87453c3d2a66a880278dcf66f1516f240131dca767248baf663ffc9365acad26550e5b20a742d8115d5976de3a094d0229d60844788f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IM_47E9.tmp\Gui\splash.html

Filesize
1KB

MD5
0d0e0532f51af856688ad83abb889fde

SHA1
a1949b703816fa1bc60cf9c395d6dbb0f6f5c61c

SHA256
a358150647aaf4413fd2738c8ebcc0579b0bd4ccca8ba02738a4332a430f8ec8

SHA512
29322e2446ae5a37a34f113be5924121ce7d8fcfc617818f59c407fe7da01153845a947464345d6b86463b18c75d0adae1cc7dd5f17cf2d29584ef9539d8e0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IM_47E9.tmp\Gui\splash.js

Filesize
946B

MD5
354dce57695e99df9e6faba76346496f

SHA1
ca364e2daa4a80cfed7412b0f0374f1f82fa7146

SHA256
bb39b6b14ae7f032922366943b342f58be120242020b1fa4dbb3310e39928823

SHA512
8f34ae59e5502c70659e358d03709cfdfd01ec2128110932910e8de16888857896e86707c279b3f67edb54059a08ab6ce05b742342e825e2894580ae4a4639ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IM_47E9.tmp\Gui\translation.js

Filesize
6KB

MD5
682fea27f4c335defc18be6fb24d5748

SHA1
d4a1743d63508d18af4be59232f3d266228648fb

SHA256
928571317e90c4d6680931dffaaae85f382069be2bc72b875810ceb1f7c2744f

SHA512
ef70ad8c291fe10c8b1d0dc060fc50b4593cf6fabc03a751aa62d5f4e375b1c80184337816a8e50430964960fc56324259f8833707320c7b757e388ecbd28341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IM_47E9.tmp\instlangs.xml

Filesize
17KB

MD5
aa91818150cfadb667ae6f914d43dca0

SHA1
4411bd0038ccd464ed7597f0540cfe04867b9042

SHA256
2aa71646493cf47b38be0920488159b154eaf19193dc4a6ecfa0a6509196c7c5

SHA512
dd1310dc52bb6cc4977341dc34fb6a273e1349602a5fb3037e0b0d087b8f0d2d7a04e2db32e2708379758266c31422d27b5a35f5ba068cd7dbdd211b07893ecd

Download Submit
\Users\Admin\AppData\Local\Temp\IM_47E9.tmp\ActionEngine.dll

Filesize
92KB

MD5
d5bf464233734dfa7f63993efa232f84

SHA1
7413b7d8bb73bc6f127319c81c93d01fe31a7ed2

SHA256
c1558470b5929a3ca418c53ffe9e6a179bbf244c1e3014ec8f436528bc318a49

SHA512
4cdcad5d008db4da53895f560003a47a4497474a03e335ec30b49a8ef53559cc5640623e65f7fe6ae11acc70b699c34bf37129dcfc0d0175b54059c6ea8e0387

Download Submit
memory/2172-103-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2172-177-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing