81761ffe90b8673e791f6f5ed7d3900c4f986515e740fdcd33f873421d01848d

General

Target

256e6e5b3d613931aa7156237260b96d.exe
Size

1.1MB
MD5

256e6e5b3d613931aa7156237260b96d
SHA1

32477dd0f2042f59f5c9cedfe37a0fd2cacd63cb
SHA256

81761ffe90b8673e791f6f5ed7d3900c4f986515e740fdcd33f873421d01848d
SHA512

a5f93b3f8bd7c6229bd1cf965b53eb4db24a2bdd335b99501a17a4fef08a2726535910693520279142f2fc7a4f11e9af01b5b36c9451db82d440b18607b48dc1
SSDEEP

24576:fnV1I1svSIlrHQR1zdzv6hDo3CoBZ6wg4jse2jPBMT:8s6IlQRpdT6xo3CoP6wg4js5jPBs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2352	AGE6PR5.EXE
2796	BASE.EXE
2972	BASE.EXE

Loads dropped DLL 7 IoCs

pid	Process
1112	256e6e5b3d613931aa7156237260b96d.exe
2352	AGE6PR5.EXE
2352	AGE6PR5.EXE
2352	AGE6PR5.EXE
1112	256e6e5b3d613931aa7156237260b96d.exe
1112	256e6e5b3d613931aa7156237260b96d.exe
2796	BASE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 2972	2796	BASE.EXE	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	AGE6PR5.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2352	AGE6PR5.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2352	AGE6PR5.EXE
2352	AGE6PR5.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2352	1112	256e6e5b3d613931aa7156237260b96d.exe	28
PID 1112 wrote to memory of 2352	1112	256e6e5b3d613931aa7156237260b96d.exe	28
PID 1112 wrote to memory of 2352	1112	256e6e5b3d613931aa7156237260b96d.exe	28
PID 1112 wrote to memory of 2352	1112	256e6e5b3d613931aa7156237260b96d.exe	28
PID 1112 wrote to memory of 2352	1112	256e6e5b3d613931aa7156237260b96d.exe	28
PID 1112 wrote to memory of 2352	1112	256e6e5b3d613931aa7156237260b96d.exe	28
PID 1112 wrote to memory of 2352	1112	256e6e5b3d613931aa7156237260b96d.exe	28
PID 1112 wrote to memory of 2796	1112	256e6e5b3d613931aa7156237260b96d.exe	29
PID 1112 wrote to memory of 2796	1112	256e6e5b3d613931aa7156237260b96d.exe	29
PID 1112 wrote to memory of 2796	1112	256e6e5b3d613931aa7156237260b96d.exe	29
PID 1112 wrote to memory of 2796	1112	256e6e5b3d613931aa7156237260b96d.exe	29
PID 2796 wrote to memory of 2972	2796	BASE.EXE	30
PID 2796 wrote to memory of 2972	2796	BASE.EXE	30
PID 2796 wrote to memory of 2972	2796	BASE.EXE	30
PID 2796 wrote to memory of 2972	2796	BASE.EXE	30
PID 2796 wrote to memory of 2972	2796	BASE.EXE	30
PID 2796 wrote to memory of 2972	2796	BASE.EXE	30
PID 2796 wrote to memory of 2972	2796	BASE.EXE	30
PID 2796 wrote to memory of 2972	2796	BASE.EXE	30

C:\Users\Admin\AppData\Local\Temp\256e6e5b3d613931aa7156237260b96d.exe
"C:\Users\Admin\AppData\Local\Temp\256e6e5b3d613931aa7156237260b96d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\AGE6PR5.EXE
  "C:\Users\Admin\AppData\Local\Temp\AGE6PR5.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\BASE.EXE
  "C:\Users\Admin\AppData\Local\Temp\BASE.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\BASE.EXE
    "C:\Users\Admin\AppData\Local\Temp\BASE.EXE"
    3⤵
    - Executes dropped EXE
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AGE6PR5.EXE

Filesize
1.1MB

MD5
5828f6bd19748b7652f37437f6c6f90f

SHA1
fcb46d4676f2d736a0ac1c985d839d62721047e9

SHA256
bb34cc7f73b32a5306c4a2957212ac8ebd467712ce2d32226f283601f90755bf

SHA512
4cdc373a1ab782aedf9d9408da71f300ce710e38cdc9f34a10ec92a5073cd3cb591fc1c89b50c8bf01a84db295c90ded1389b59adc1161c3fefec2d1998e5207

Download Submit
\Users\Admin\AppData\Local\Temp\BASE.EXE

Filesize
23KB

MD5
40b1bc83fa5bae38d02e10a3d04cbbf0

SHA1
acd9b38d44f2da8e6492941ccab129c63f8dbb80

SHA256
bac1894038ec278b996c66479394a34d51cec1f50765860f558a233639322f41

SHA512
bc5c1422589462d0eae68b12cb7804987b7299237f96abb6a39b5137ae37fca7efc83d785d233d80014816111501d863f26042a409cedd88042e40425915c9d4

Download Submit
memory/1112-25-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/1112-19-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1112-14-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/2352-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-34-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download
memory/2796-23-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download
memory/2972-24-0x0000000013140000-0x0000000013179000-memory.dmp

Filesize
228KB

Download
memory/2972-29-0x0000000013140000-0x0000000013179000-memory.dmp

Filesize
228KB

Download
memory/2972-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-27-0x0000000013140000-0x0000000013179000-memory.dmp

Filesize
228KB

Download
memory/2972-26-0x0000000013140000-0x0000000013179000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing