241c1b9d35a01c5566921df594690f26b1b368bd34208ad7374df3767c9662b7

General

Target

15b715bf7cb44cc2ab74e1b09fa92175.exe
Size

443KB
MD5

15b715bf7cb44cc2ab74e1b09fa92175
SHA1

027e2b1aa090e4ed2e0b3eade51bc36563268148
SHA256

241c1b9d35a01c5566921df594690f26b1b368bd34208ad7374df3767c9662b7
SHA512

275364676f9fcb35215b85847d182f36f6777ccd6c12026ef4e316059346a27573a03c7c9ba4d5d8d2afd2736b4735ecc4df4b5b2dddfe99c25d2b5d841e477e
SSDEEP

12288:YLgzNdagGlAkn0k+9/TvFuRgcHuYtsrAHyqsN:Y8zNog+0k+TgHNtSAY

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

bL39200GoEfO39200.exe

pid process

2840 bL39200GoEfO39200.exe
Executes dropped EXE 1 IoCs

Processes:

bL39200GoEfO39200.exe

pid process

2840 bL39200GoEfO39200.exe
Loads dropped DLL 2 IoCs

Processes:

15b715bf7cb44cc2ab74e1b09fa92175.exe

pid process

2156 15b715bf7cb44cc2ab74e1b09fa92175.exe
2156 15b715bf7cb44cc2ab74e1b09fa92175.exe

pid	process
2840	bL39200GoEfO39200.exe

pid	process
2840	bL39200GoEfO39200.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2156-1-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2156-17-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-20-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-30-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2840-40-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bL39200GoEfO39200.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bL39200GoEfO39200 = "C:\\ProgramData\\bL39200GoEfO39200\\bL39200GoEfO39200.exe"	bL39200GoEfO39200.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

bL39200GoEfO39200.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	bL39200GoEfO39200.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

15b715bf7cb44cc2ab74e1b09fa92175.exebL39200GoEfO39200.exe

pid	process
2156	15b715bf7cb44cc2ab74e1b09fa92175.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

15b715bf7cb44cc2ab74e1b09fa92175.exebL39200GoEfO39200.exe

description pid process

Token: SeDebugPrivilege 2156 15b715bf7cb44cc2ab74e1b09fa92175.exe
Token: SeDebugPrivilege 2840 bL39200GoEfO39200.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

bL39200GoEfO39200.exe

pid process

2840 bL39200GoEfO39200.exe
2840 bL39200GoEfO39200.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

bL39200GoEfO39200.exe

pid process

2840 bL39200GoEfO39200.exe
2840 bL39200GoEfO39200.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bL39200GoEfO39200.exe

pid process

2840 bL39200GoEfO39200.exe
2840 bL39200GoEfO39200.exe

description	pid	process
Token: SeDebugPrivilege	2156	15b715bf7cb44cc2ab74e1b09fa92175.exe
Token: SeDebugPrivilege	2840	bL39200GoEfO39200.exe

pid	process
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe

pid	process
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe

pid	process
2840	bL39200GoEfO39200.exe
2840	bL39200GoEfO39200.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

15b715bf7cb44cc2ab74e1b09fa92175.exe

description	pid	process	target process
PID 2156 wrote to memory of 2840	2156	15b715bf7cb44cc2ab74e1b09fa92175.exe	bL39200GoEfO39200.exe
PID 2156 wrote to memory of 2840	2156	15b715bf7cb44cc2ab74e1b09fa92175.exe	bL39200GoEfO39200.exe
PID 2156 wrote to memory of 2840	2156	15b715bf7cb44cc2ab74e1b09fa92175.exe	bL39200GoEfO39200.exe
PID 2156 wrote to memory of 2840	2156	15b715bf7cb44cc2ab74e1b09fa92175.exe	bL39200GoEfO39200.exe

C:\Users\Admin\AppData\Local\Temp\15b715bf7cb44cc2ab74e1b09fa92175.exe
"C:\Users\Admin\AppData\Local\Temp\15b715bf7cb44cc2ab74e1b09fa92175.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156

C:\ProgramData\bL39200GoEfO39200\bL39200GoEfO39200.exe
"C:\ProgramData\bL39200GoEfO39200\bL39200GoEfO39200.exe" "C:\Users\Admin\AppData\Local\Temp\15b715bf7cb44cc2ab74e1b09fa92175.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bL39200GoEfO39200\bL39200GoEfO39200.exe
Filesize
318KB

MD5
1bed3723cc3676eeeb601216269f8893

SHA1
dfd83b5e096a28dfabae7ec3190817b81ee01157

SHA256
5d9a5b6f02e224473e96602fe6a5686d567ee7db918c373e98af59b47a2993a9

SHA512
bc677a72c2f46f831fb0d44d562a7defd5432f97304f25f6affe4c282c57dae5eeeaa646c9a7d71e892c633a4da91228e44e0594294756df940d9a5528220a6b

Download Submit
\ProgramData\bL39200GoEfO39200\bL39200GoEfO39200.exe
Filesize
443KB

MD5
6c5a68be236b7c6d8296b09a4a52087b

SHA1
41db9e873af59c8fca0b4f659f89fc7edab067c4

SHA256
6d76c237a08c70b188a2970d76273c1c1ba2d7bb11a28773dcf47226079b3944

SHA512
06931db9e06071caa499f584658dda2a8a1a20851900ab7c6eb3a19fe915a57f2669e3675ef52a6a0b9e88c24c02d595a799e06e29f0487fd15f9a95b6c44416

Download Submit
memory/2156-2-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2156-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2156-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-20-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-21-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2840-30-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2840-32-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2840-40-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads