a86874ea069ab1334b01752cd81d5aa5857c9397b0a321e033b7dc853aba262e

General

Target

0fb5316f798d549ff4d452f3ad0277a4.exe
Size

386KB
MD5

0fb5316f798d549ff4d452f3ad0277a4
SHA1

0ec9704a39cda03d57718fbae1e3448835f25d56
SHA256

a86874ea069ab1334b01752cd81d5aa5857c9397b0a321e033b7dc853aba262e
SHA512

255d44a73c2f0d994e5b9c8b1e1b50b18369491e63d34db9a8fc68623237f2cd295eb78e89b56df043568a6f9ef2653fe68da95b6201a83628121c4070c5daee
SSDEEP

6144:cCHD2hB0WCqB7l+04YmQ71poL5Cgg2GaSppsBUdZeppRSA6G7F3tNyu:LHyhW4BxXmQ71pkCg2aSoaISAxPL

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

oO05366OfAjO05366.exe

pid process

536 oO05366OfAjO05366.exe
Executes dropped EXE 1 IoCs

Processes:

oO05366OfAjO05366.exe

pid process

536 oO05366OfAjO05366.exe
Loads dropped DLL 2 IoCs

Processes:

0fb5316f798d549ff4d452f3ad0277a4.exe

pid process

2212 0fb5316f798d549ff4d452f3ad0277a4.exe
2212 0fb5316f798d549ff4d452f3ad0277a4.exe

pid	process
536	oO05366OfAjO05366.exe

pid	process
536	oO05366OfAjO05366.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2212-1-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/536-86-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2212-164-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/536-165-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2212-196-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/536-201-0x0000000000400000-0x00000000004CF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

oO05366OfAjO05366.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oO05366OfAjO05366 = "C:\\ProgramData\\oO05366OfAjO05366\\oO05366OfAjO05366.exe"	oO05366OfAjO05366.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

oO05366OfAjO05366.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	oO05366OfAjO05366.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0fb5316f798d549ff4d452f3ad0277a4.exeoO05366OfAjO05366.exe

pid	process
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe
2212	0fb5316f798d549ff4d452f3ad0277a4.exe
536	oO05366OfAjO05366.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0fb5316f798d549ff4d452f3ad0277a4.exeoO05366OfAjO05366.exe

description pid process

Token: SeDebugPrivilege 2212 0fb5316f798d549ff4d452f3ad0277a4.exe
Token: SeDebugPrivilege 536 oO05366OfAjO05366.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

oO05366OfAjO05366.exe

pid process

536 oO05366OfAjO05366.exe
536 oO05366OfAjO05366.exe
536 oO05366OfAjO05366.exe
536 oO05366OfAjO05366.exe
536 oO05366OfAjO05366.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

oO05366OfAjO05366.exe

pid process

536 oO05366OfAjO05366.exe
536 oO05366OfAjO05366.exe
536 oO05366OfAjO05366.exe
536 oO05366OfAjO05366.exe
536 oO05366OfAjO05366.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

oO05366OfAjO05366.exe

pid process

536 oO05366OfAjO05366.exe
536 oO05366OfAjO05366.exe

description	pid	process
Token: SeDebugPrivilege	2212	0fb5316f798d549ff4d452f3ad0277a4.exe
Token: SeDebugPrivilege	536	oO05366OfAjO05366.exe

pid	process
536	oO05366OfAjO05366.exe
536	oO05366OfAjO05366.exe
536	oO05366OfAjO05366.exe
536	oO05366OfAjO05366.exe
536	oO05366OfAjO05366.exe

pid	process
536	oO05366OfAjO05366.exe
536	oO05366OfAjO05366.exe
536	oO05366OfAjO05366.exe
536	oO05366OfAjO05366.exe
536	oO05366OfAjO05366.exe

pid	process
536	oO05366OfAjO05366.exe
536	oO05366OfAjO05366.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0fb5316f798d549ff4d452f3ad0277a4.exe

description	pid	process	target process
PID 2212 wrote to memory of 536	2212	0fb5316f798d549ff4d452f3ad0277a4.exe	oO05366OfAjO05366.exe
PID 2212 wrote to memory of 536	2212	0fb5316f798d549ff4d452f3ad0277a4.exe	oO05366OfAjO05366.exe
PID 2212 wrote to memory of 536	2212	0fb5316f798d549ff4d452f3ad0277a4.exe	oO05366OfAjO05366.exe
PID 2212 wrote to memory of 536	2212	0fb5316f798d549ff4d452f3ad0277a4.exe	oO05366OfAjO05366.exe

C:\Users\Admin\AppData\Local\Temp\0fb5316f798d549ff4d452f3ad0277a4.exe
"C:\Users\Admin\AppData\Local\Temp\0fb5316f798d549ff4d452f3ad0277a4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\ProgramData\oO05366OfAjO05366\oO05366OfAjO05366.exe
"C:\ProgramData\oO05366OfAjO05366\oO05366OfAjO05366.exe" "C:\Users\Admin\AppData\Local\Temp\0fb5316f798d549ff4d452f3ad0277a4.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oO05366OfAjO05366\oO05366OfAjO05366
Filesize
208B

MD5
e619511e90191d42111b5e1186d54032

SHA1
0c537dd1e1d32ab0648cb081550df392e8498831

SHA256
121ae0ade3f00cc4b0f6be030d58f014918f0fbe35d37d36ec07ac91290ca9c9

SHA512
b83e5925c9329a1496a615f94cc4496178529d56a9adef20e803931e90d6d0d8bc2b178c1deaf4a9fe13a0dc94a375398eb01c9aa4a7f29caa950f73a5160e8f

Download Submit
\ProgramData\oO05366OfAjO05366\oO05366OfAjO05366.exe
Filesize
386KB

MD5
e1e6a9f6d687f5497267b7684bfb1458

SHA1
cba0b8755de77affd499c77c785c610b718b9c2f

SHA256
0b7b5544d516d3ce59f79fd8eacdda140ba9c5075621a894ff50b49eb9a1ffa8

SHA512
0104b4f66859dd2d147017f1e7181f00ad21f3cd7ee3b731e72335b22c4e211b147e5d4cbe5fe0b3499942b25dcd16fcb06ac449364fb93636d604c902faa089

Download Submit
memory/536-86-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/536-87-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/536-165-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/536-201-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2212-0-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/2212-1-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2212-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2212-164-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2212-196-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads