6b5315d5569d448773a9d4c334f22475bf820132f65c824b733a5a9fefa4f845

General

Target

3f65a714f4db1d2f7d585abc7d60656d.exe
Size

168KB
MD5

3f65a714f4db1d2f7d585abc7d60656d
SHA1

cb96a4d2eddde21a89e3d8ae98fc82fcbd5a1bdc
SHA256

6b5315d5569d448773a9d4c334f22475bf820132f65c824b733a5a9fefa4f845
SHA512

e64ad49d79fc59d98734766cf731d5c431635e960b023f288e2c3cd5214d13d54d303296eb0cf0f7d8c41da66e963293082ba7c261cd112f0260d19c9d474497
SSDEEP

3072:8B/yfWqIm2ToinfY86s+g0Sfh2WYhdH2eluFkVZH7SLmRYqC:8ofU3tfpj0gRUdH2etB+L

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Rmigix.exeRmigix.exeRmigix.exe

pid process

3900 Rmigix.exe
4320 Rmigix.exe
1236 Rmigix.exe
Loads dropped DLL 2 IoCs

Processes:

3f65a714f4db1d2f7d585abc7d60656d.exeRmigix.exe

pid process

4596 3f65a714f4db1d2f7d585abc7d60656d.exe
3900 Rmigix.exe

pid	process
3900	Rmigix.exe
4320	Rmigix.exe
1236	Rmigix.exe

pid	process
4596	3f65a714f4db1d2f7d585abc7d60656d.exe
3900	Rmigix.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3f65a714f4db1d2f7d585abc7d60656d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmigix = "C:\\Users\\Admin\\AppData\\Roaming\\Rmigix.exe"	3f65a714f4db1d2f7d585abc7d60656d.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

3f65a714f4db1d2f7d585abc7d60656d.exe3f65a714f4db1d2f7d585abc7d60656d.exeRmigix.exeRmigix.exe

description	pid	process	target process
PID 4596 set thread context of 2332	4596	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 2332 set thread context of 228	2332	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 3900 set thread context of 4320	3900	Rmigix.exe	Rmigix.exe
PID 4320 set thread context of 1236	4320	Rmigix.exe	Rmigix.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

IEXPLORE.EXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3f65a714f4db1d2f7d585abc7d60656d.exe

pid process

228 3f65a714f4db1d2f7d585abc7d60656d.exe
228 3f65a714f4db1d2f7d585abc7d60656d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Rmigix.exe

description pid process

Token: SeDebugPrivilege 1236 Rmigix.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

pid	process
228	3f65a714f4db1d2f7d585abc7d60656d.exe
228	3f65a714f4db1d2f7d585abc7d60656d.exe

description	pid	process
Token: SeDebugPrivilege	1236	Rmigix.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

3f65a714f4db1d2f7d585abc7d60656d.exe3f65a714f4db1d2f7d585abc7d60656d.exe3f65a714f4db1d2f7d585abc7d60656d.exeRmigix.exeRmigix.exeRmigix.exeiexplore.exe

description	pid	process	target process
PID 4596 wrote to memory of 2332	4596	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 4596 wrote to memory of 2332	4596	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 4596 wrote to memory of 2332	4596	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 4596 wrote to memory of 2332	4596	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 4596 wrote to memory of 2332	4596	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 4596 wrote to memory of 2332	4596	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 4596 wrote to memory of 2332	4596	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 4596 wrote to memory of 2332	4596	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 4596 wrote to memory of 2332	4596	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 2332 wrote to memory of 228	2332	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 2332 wrote to memory of 228	2332	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 2332 wrote to memory of 228	2332	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 2332 wrote to memory of 228	2332	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 2332 wrote to memory of 228	2332	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 2332 wrote to memory of 228	2332	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 2332 wrote to memory of 228	2332	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 2332 wrote to memory of 228	2332	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 2332 wrote to memory of 228	2332	3f65a714f4db1d2f7d585abc7d60656d.exe	3f65a714f4db1d2f7d585abc7d60656d.exe
PID 228 wrote to memory of 3900	228	3f65a714f4db1d2f7d585abc7d60656d.exe	Rmigix.exe
PID 228 wrote to memory of 3900	228	3f65a714f4db1d2f7d585abc7d60656d.exe	Rmigix.exe
PID 228 wrote to memory of 3900	228	3f65a714f4db1d2f7d585abc7d60656d.exe	Rmigix.exe
PID 3900 wrote to memory of 4320	3900	Rmigix.exe	Rmigix.exe
PID 3900 wrote to memory of 4320	3900	Rmigix.exe	Rmigix.exe
PID 3900 wrote to memory of 4320	3900	Rmigix.exe	Rmigix.exe
PID 3900 wrote to memory of 4320	3900	Rmigix.exe	Rmigix.exe
PID 3900 wrote to memory of 4320	3900	Rmigix.exe	Rmigix.exe
PID 3900 wrote to memory of 4320	3900	Rmigix.exe	Rmigix.exe
PID 3900 wrote to memory of 4320	3900	Rmigix.exe	Rmigix.exe
PID 3900 wrote to memory of 4320	3900	Rmigix.exe	Rmigix.exe
PID 3900 wrote to memory of 4320	3900	Rmigix.exe	Rmigix.exe
PID 4320 wrote to memory of 1236	4320	Rmigix.exe	Rmigix.exe
PID 4320 wrote to memory of 1236	4320	Rmigix.exe	Rmigix.exe
PID 4320 wrote to memory of 1236	4320	Rmigix.exe	Rmigix.exe
PID 4320 wrote to memory of 1236	4320	Rmigix.exe	Rmigix.exe
PID 4320 wrote to memory of 1236	4320	Rmigix.exe	Rmigix.exe
PID 4320 wrote to memory of 1236	4320	Rmigix.exe	Rmigix.exe
PID 4320 wrote to memory of 1236	4320	Rmigix.exe	Rmigix.exe
PID 4320 wrote to memory of 1236	4320	Rmigix.exe	Rmigix.exe
PID 4320 wrote to memory of 1236	4320	Rmigix.exe	Rmigix.exe
PID 1236 wrote to memory of 2500	1236	Rmigix.exe	iexplore.exe
PID 1236 wrote to memory of 2500	1236	Rmigix.exe	iexplore.exe
PID 1236 wrote to memory of 2500	1236	Rmigix.exe	iexplore.exe
PID 2500 wrote to memory of 2276	2500	iexplore.exe	IEXPLORE.EXE
PID 2500 wrote to memory of 2276	2500	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3f65a714f4db1d2f7d585abc7d60656d.exe
"C:\Users\Admin\AppData\Local\Temp\3f65a714f4db1d2f7d585abc7d60656d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\3f65a714f4db1d2f7d585abc7d60656d.exe
"C:\Users\Admin\AppData\Local\Temp\3f65a714f4db1d2f7d585abc7d60656d.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\3f65a714f4db1d2f7d585abc7d60656d.exe
"C:\Users\Admin\AppData\Local\Temp\3f65a714f4db1d2f7d585abc7d60656d.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Roaming\Rmigix.exe
"C:\Users\Admin\AppData\Roaming\Rmigix.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Roaming\Rmigix.exe
"C:\Users\Admin\AppData\Roaming\Rmigix.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Roaming\Rmigix.exe
"C:\Users\Admin\AppData\Roaming\Rmigix.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
4⤵
- Modifies Internet Explorer settings
PID:2276

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:17410 /prefetch:2
5⤵
PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9ALL181V\suggestions[1].en-US
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/228-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/228-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/228-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1236-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1236-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2332-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2332-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2332-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads