7fbde55aebcbb096dd62041cdd5d08fcfd5777fc2ccefc35eb071ef27573e123

General

Target

459917e891be89478c96c6a2f3ba8c60.exe
Size

633KB
MD5

459917e891be89478c96c6a2f3ba8c60
SHA1

e480cfc229e89d2ace912c6529a61d54b272066c
SHA256

7fbde55aebcbb096dd62041cdd5d08fcfd5777fc2ccefc35eb071ef27573e123
SHA512

4fd7c8ba5ca55636a6782fc074cccac3f4134464cac0ea9d0fa66f48f9ff4cb47f9e03d29a37c5b56ae2ef69a5c660c1022795972bb27d2caba32671916cfaee
SSDEEP

12288:yhC6c2p68zXGZXmVIPRdu5mcHdF3Z4mxxP/zll/EpM/MlCD:yhC6ciepdul9QmX3zkA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3832	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	459917e891be89478c96c6a2f3ba8c60.exe
File opened for modification	C:\Windows\svchost.exe	459917e891be89478c96c6a2f3ba8c60.exe
File created	C:\Windows\uninstal.bat	459917e891be89478c96c6a2f3ba8c60.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	459917e891be89478c96c6a2f3ba8c60.exe
Token: SeDebugPrivilege	3832	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3832	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2556	3832	svchost.exe	94
PID 3832 wrote to memory of 2556	3832	svchost.exe	94
PID 2600 wrote to memory of 4848	2600	459917e891be89478c96c6a2f3ba8c60.exe	96
PID 2600 wrote to memory of 4848	2600	459917e891be89478c96c6a2f3ba8c60.exe	96
PID 2600 wrote to memory of 4848	2600	459917e891be89478c96c6a2f3ba8c60.exe	96

C:\Users\Admin\AppData\Local\Temp\459917e891be89478c96c6a2f3ba8c60.exe
"C:\Users\Admin\AppData\Local\Temp\459917e891be89478c96c6a2f3ba8c60.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4848

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Program Files\Internet Explorer\IexplOrE.ExE
  "C:\Program Files\Internet Explorer\IexplOrE.ExE"
  2⤵
  PID:2556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
98KB

MD5
5157ccfa48e3f370d0aca0934e45c0ba

SHA1
160374bfd93fa39a673b0cf823a93131db78db3d

SHA256
ee4736b694d57b2ffcde29aff843889caea79a8556bddf1f5fbb4ccdbd9547dc

SHA512
821c4cc095185469bd5ad7696484040ff8ff527358c7ad4479aa1c8634ba86b9bf8709129fc3bb5efc20f1cc0167d0e2728a7cbb98f8dca44baf02e295f22e9f

Download Submit
C:\Windows\svchost.exe

Filesize
386KB

MD5
f0c1b2ac311b5b0135a1202db67d9a22

SHA1
7bc662540a809c38ff96d08ab67625c87501b09d

SHA256
2b9d42374c2b0c2f8aca5ef4eb1182915f549f50e253b2f8137a10f8acd405ad

SHA512
28abd4c5e02f7b21942ade90d36c7d7fc5a0cde2898124bd00ab4381356e3653e03ad9bd5d905b2ea20e51c0501439524002605c36dda1dc5c11e678c95a9197

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
b8cf0c8f7dba670d1d48eaf685c45f43

SHA1
b7d2ebc99188d18b4f3758ea2b7bba1f24c2ad07

SHA256
359469f116ea279abf6a03064e8822e3665e94548ecf8039f52017337491f9bf

SHA512
c0383381c8488b4cce8b13af9b4bf2aabeb671bea935fd5122ab8262d7c0320445131e8c4e7ff153a5742c6872789f46bcea6b00bcfaaa0a3ae84c351c7628e3

Download Submit
memory/2600-18-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/2600-16-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2600-6-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2600-5-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2600-7-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2600-8-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2600-21-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2600-10-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2600-11-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2600-12-0x0000000003500000-0x0000000003503000-memory.dmp

Filesize
12KB

Download
memory/2600-13-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/2600-2-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2600-17-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/2600-0-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2600-19-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/2600-4-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/2600-9-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2600-3-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2600-20-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/2600-33-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2600-1-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/2600-34-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/3832-36-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3832-26-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/3832-25-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3832-27-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3832-28-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3832-29-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3832-30-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download
memory/3832-24-0x0000000001400000-0x0000000001454000-memory.dmp

Filesize
336KB

Download
memory/3832-37-0x0000000001400000-0x0000000001454000-memory.dmp

Filesize
336KB

Download
memory/3832-38-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing