c3d2d68d600411ee67795ff92c54896789c55e22e02448bf89f889ece0a73978

General

Target

408ad5005c7300fbac2a6152cf6d6823.exe
Size

383KB
MD5

408ad5005c7300fbac2a6152cf6d6823
SHA1

b0183a8b7f02218758b630306ec534d2b6b6d101
SHA256

c3d2d68d600411ee67795ff92c54896789c55e22e02448bf89f889ece0a73978
SHA512

936f50bf6706283aeb4e8d614683f2a80a44f1c23a9c4117e1143ad563a484af72b75741664fa6d219e47886ffdd599a2c35a68d86ab099f47766c1a3602da05
SSDEEP

6144:9F1ZusedZSXAjedtGD4ZDNW6h/hMmD7Qde9u09YI6XRcsZXmgyejfk2WGSc2bb/x:P1uDSw8UDkRvhMmD0de9dYcsZXmocmSk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2528	pEpBk07000.exe

Loads dropped DLL 1 IoCs

pid	Process
1272	408ad5005c7300fbac2a6152cf6d6823.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1272-1-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2528-13-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1272-18-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2528-19-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2528-34-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1272-35-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pEpBk07000 = "C:\\ProgramData\\pEpBk07000\\pEpBk07000.exe"	pEpBk07000.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	pEpBk07000.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	408ad5005c7300fbac2a6152cf6d6823.exe
Token: SeDebugPrivilege	2528	pEpBk07000.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2528	pEpBk07000.exe
2528	pEpBk07000.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2528	pEpBk07000.exe
2528	pEpBk07000.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2528	pEpBk07000.exe
2528	pEpBk07000.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2528	1272	408ad5005c7300fbac2a6152cf6d6823.exe	28
PID 1272 wrote to memory of 2528	1272	408ad5005c7300fbac2a6152cf6d6823.exe	28
PID 1272 wrote to memory of 2528	1272	408ad5005c7300fbac2a6152cf6d6823.exe	28
PID 1272 wrote to memory of 2528	1272	408ad5005c7300fbac2a6152cf6d6823.exe	28

C:\Users\Admin\AppData\Local\Temp\408ad5005c7300fbac2a6152cf6d6823.exe
"C:\Users\Admin\AppData\Local\Temp\408ad5005c7300fbac2a6152cf6d6823.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\ProgramData\pEpBk07000\pEpBk07000.exe
  "C:\ProgramData\pEpBk07000\pEpBk07000.exe" "C:\Users\Admin\AppData\Local\Temp\408ad5005c7300fbac2a6152cf6d6823.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pEpBk07000\pEpBk07000.exe

Filesize
92KB

MD5
9e523f9ff695a510f04b68c86fc95e5b

SHA1
00412cc04781effc9b21f5f5042a49a2ce51f8c3

SHA256
73431ad0d2d4300be3f681169d984c3f2fd3e7b0c1e01e8e58409caef00b4a5c

SHA512
066276b17a590b54348cfe68d6f96e78b948b96c4ede6f354fbea961b086d28f0ece0eac3c5295f4dd28ec2e509de22235fb637391f4c61f68b37092648e4556

Download Submit
C:\ProgramData\pEpBk07000\pEpBk07000.exe

Filesize
383KB

MD5
37633952bd4a0423775eb853b6c0f0b8

SHA1
fd8807485be7d35c33f088a6f86ea27f5cbd02a1

SHA256
32b417bdffd7e6893b8374c4b6bcd5a30a5a90484f3c7dc169f05149d0eac4ed

SHA512
b5caba5919eaafda945c86bed742e0f2b91ffe5e704b5b365cb3b3b2ba8d53aef60327865bbbed74e26cb3a4116df480c94a4aa23ae42f346059f65afc2267dd

Download Submit
\ProgramData\pEpBk07000\pEpBk07000.exe

Filesize
137KB

MD5
a3bcb6623405a20fab5f0fefead92257

SHA1
abcb9d8683b2c3c5d4ca6c7257e4838cdceb360e

SHA256
9895000e7a5b3eadf0a9b669fedc1edc3ba7b48e084afec39b8158a7faf65261

SHA512
b63237cc1afe061857d3fc0ada1de569974204e8d2af77a12348f96bdf3c6ba7a37dc2a71648c43899b37886ee06b0cdfcc42d0ff21ebdf6caeaa6d08e7ce986

Download Submit
memory/1272-2-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/1272-1-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1272-18-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1272-21-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/1272-35-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2528-14-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2528-13-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2528-19-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2528-23-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2528-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads