d18a7c5dc32f830b0c6e9124f8ff5629843ddb74ae1ccecdf3a470974716096f

General

Target

04185736c245fa94c62b4bb31528caff.exe
Size

658KB
MD5

04185736c245fa94c62b4bb31528caff
SHA1

cee2b3a3dd38d8c570ce3f781ea36a9f066680dd
SHA256

d18a7c5dc32f830b0c6e9124f8ff5629843ddb74ae1ccecdf3a470974716096f
SHA512

5acc676e9d7e0d15c3fcc6d31a0bc89f5d4166b803cca7c15ed151858485d8444f66cbd0ffe30b671b485a458a8d11d0aaab4636ea0310ffa4f96d8b6b692aa4
SSDEEP

12288:C6eeHVx4www0DhZirPmLtdIrCQRvRMDF3Z4mxxuDqVTVOCOMlwZ4R:CJeHHww01Eh8QmX9VTz/Uw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2668	windows.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\windows.exe	04185736c245fa94c62b4bb31528caff.exe
File created	C:\Windows\DELME.BAT	04185736c245fa94c62b4bb31528caff.exe
File created	C:\Windows\windows.exe	04185736c245fa94c62b4bb31528caff.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	windows.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	windows.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	windows.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	windows.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	windows.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	04185736c245fa94c62b4bb31528caff.exe
Token: SeDebugPrivilege	2668	windows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2668	windows.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 4784	3988	04185736c245fa94c62b4bb31528caff.exe	98
PID 3988 wrote to memory of 4784	3988	04185736c245fa94c62b4bb31528caff.exe	98
PID 3988 wrote to memory of 4784	3988	04185736c245fa94c62b4bb31528caff.exe	98
PID 2668 wrote to memory of 1096	2668	windows.exe	97
PID 2668 wrote to memory of 1096	2668	windows.exe	97

C:\Users\Admin\AppData\Local\Temp\04185736c245fa94c62b4bb31528caff.exe
"C:\Users\Admin\AppData\Local\Temp\04185736c245fa94c62b4bb31528caff.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\DELME.BAT
  2⤵
  PID:4784

C:\Windows\windows.exe
C:\Windows\windows.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DELME.BAT

Filesize
190B

MD5
a0b1bb18ca06c64e6b2742f878a0fc25

SHA1
0df70fb448cc0332ec9e9812b6d7fd588bbadc3a

SHA256
4baea608c625c89572922b6bb9d64c83782d5aaa0e11258bad3818d4164db258

SHA512
4003e7402a551fd06b1b9370d90e34107ec057c8f833a51c27a50827b35bb94c7037728a28846a883711c5ed6aaec049ebc96dd0be6c0927280ff2f97f3fdbe9

Download Submit
C:\Windows\windows.exe

Filesize
658KB

MD5
04185736c245fa94c62b4bb31528caff

SHA1
cee2b3a3dd38d8c570ce3f781ea36a9f066680dd

SHA256
d18a7c5dc32f830b0c6e9124f8ff5629843ddb74ae1ccecdf3a470974716096f

SHA512
5acc676e9d7e0d15c3fcc6d31a0bc89f5d4166b803cca7c15ed151858485d8444f66cbd0ffe30b671b485a458a8d11d0aaab4636ea0310ffa4f96d8b6b692aa4

Download Submit
memory/2668-38-0x0000000000DC0000-0x0000000000E14000-memory.dmp

Filesize
336KB

Download
memory/2668-36-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2668-25-0x0000000000DC0000-0x0000000000E14000-memory.dmp

Filesize
336KB

Download
memory/2668-29-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2668-32-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2668-31-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2668-33-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2668-34-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/2668-27-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/3988-10-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3988-21-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/3988-16-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3988-15-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3988-14-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/3988-13-0x0000000003500000-0x0000000003503000-memory.dmp

Filesize
12KB

Download
memory/3988-12-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3988-11-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3988-18-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3988-19-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3988-20-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3988-17-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/3988-0-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/3988-7-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3988-6-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3988-5-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3988-30-0x0000000000B50000-0x0000000000BA4000-memory.dmp

Filesize
336KB

Download
memory/3988-3-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3988-28-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/3988-4-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3988-2-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3988-1-0x0000000000B50000-0x0000000000BA4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing