d2e573203edafedb47f6bbdecdf538a2a2c3e763cb25178604c49691b5233c2e

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-01-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45fbda8dcf7d68ac3ced36afe512052e.exe
Size

140KB
MD5

45fbda8dcf7d68ac3ced36afe512052e
SHA1

8f91626d71ffce512d0fe76927914205e3f801ad
SHA256

d2e573203edafedb47f6bbdecdf538a2a2c3e763cb25178604c49691b5233c2e
SHA512

452a5fbf61296f4069a02ed84bdbb99c606bbcc70cd878cfa83d248788fd72b6fb8f54af1fda54df47e76c877ddd72e3d52065b3e884d82a938c74b2e2d8983e
SSDEEP

3072:0EamHrX3oZYw+yL6M8XT8viIQi88phTD27ZLbFTKSPi5Uj+BnYTRavcrhcXyOke:XX4234ZQ70pJ5eYYTAct+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2652	51b105.exe
2624	gggg25.exe
2544	ddddy4.exe

Loads dropped DLL 14 IoCs

pid	Process
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2652	51b105.exe
2652	51b105.exe
2652	51b105.exe
2652	51b105.exe
2652	51b105.exe
2652	51b105.exe
2652	51b105.exe
2652	51b105.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	45fbda8dcf7d68ac3ced36afe512052e.exe
File opened for modification	C:\Windows\SysWOW64\MSINET.OCX	45fbda8dcf7d68ac3ced36afe512052e.exe
File opened for modification	C:\Windows\SysWOW64\51b105.exe	45fbda8dcf7d68ac3ced36afe512052e.exe
File opened for modification	C:\Windows\SysWOW64\gggg25.exe	45fbda8dcf7d68ac3ced36afe512052e.exe
File opened for modification	C:\Windows\SysWOW64\ddddy4.exe	45fbda8dcf7d68ac3ced36afe512052e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	gggg25.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	51b105.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	ddddy4.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSINET.OCX"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\MSINET.OCX"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control, version 6.0"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\ = "Internet Control URL Property Page Object"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\ = "0"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS\ = "2"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	51b105.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	51b105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control, version 6.0"	51b105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	51b105.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2056	45fbda8dcf7d68ac3ced36afe512052e.exe
Token: SeSystemtimePrivilege	2056	45fbda8dcf7d68ac3ced36afe512052e.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2056	45fbda8dcf7d68ac3ced36afe512052e.exe
2652	51b105.exe
2652	51b105.exe
2652	51b105.exe
2624	gggg25.exe
2624	gggg25.exe
2624	gggg25.exe
2544	ddddy4.exe
2544	ddddy4.exe
2544	ddddy4.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2652	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	28
PID 2056 wrote to memory of 2652	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	28
PID 2056 wrote to memory of 2652	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	28
PID 2056 wrote to memory of 2652	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	28
PID 2056 wrote to memory of 2624	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	32
PID 2056 wrote to memory of 2624	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	32
PID 2056 wrote to memory of 2624	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	32
PID 2056 wrote to memory of 2624	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	32
PID 2056 wrote to memory of 2544	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	33
PID 2056 wrote to memory of 2544	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	33
PID 2056 wrote to memory of 2544	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	33
PID 2056 wrote to memory of 2544	2056	45fbda8dcf7d68ac3ced36afe512052e.exe	33

C:\Users\Admin\AppData\Local\Temp\45fbda8dcf7d68ac3ced36afe512052e.exe
"C:\Users\Admin\AppData\Local\Temp\45fbda8dcf7d68ac3ced36afe512052e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\51b105.exe
  C:\Windows\system32\51b105.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2652
- C:\Windows\SysWOW64\gggg25.exe
  C:\Windows\system32\gggg25.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2624
- C:\Windows\SysWOW64\ddddy4.exe
  C:\Windows\system32\ddddy4.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ0GGVIM\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ0GGVIM\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M2VO416U\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M2VO416U\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\navcancl[1]

Filesize
2KB

MD5
4bcfe9f8db04948cddb5e31fe6a7f984

SHA1
42464c70fc16f3f361c2419751acd57d51613cdf

SHA256
bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228

SHA512
bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

Download Submit
C:\Windows\SysWOW64\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\ddddy4.exe

Filesize
9KB

MD5
60f5cf15f2276d018dff890b5ca504ee

SHA1
7250ce7ce25c9dd1efa22c97d5903f72fae2fdd2

SHA256
a6d461dcb677e432c5d646c9d99b093addff6fed8fc2def5c48c553b74b88277

SHA512
57fb7948450ee07bc4cf00aae1aa17a0f28e41e3878539d92e6941e994bb8020c1702ddf39978dcd640352332d5095c02745ee65294e44e89db159b9e6084008

Download Submit
\Windows\SysWOW64\51b105.exe

Filesize
36KB

MD5
cadf9900371257e6625e9d83b867245e

SHA1
7ebb314c54978496780c9c914ded4bc1a91e11f3

SHA256
dce2dc20ef6cdb1b1906eec4b105f8490db08890c0e01db08b8a1413202211ae

SHA512
38c2bc723b725a44c598c7afee4560a62c81c4c6c9bebac490de307eafae044110ec5211e3814768d68c0a951704b7ab54ad892b74796c67d746a1f7398d92b6

Download Submit
\Windows\SysWOW64\gggg25.exe

Filesize
11KB

MD5
b0037c80184d270bb3d8575bc5a971f4

SHA1
6950fd4e8a27fcb5e979661fd966c456d57eb97b

SHA256
1517e794753eaf2c06a8a08c8c19f6f724ac0ff68565ebc35a7f6c6bf5790492

SHA512
850c18deeb483a08ecb977e4cf93b2c119601cd36e1897af8d8ae7f94ab7883060cc0f5d99c0897d8f5eb865dd5bd38091a1bcea80d3dde520aa1c39763a0c50

Download Submit
memory/2544-101-0x00000000048C0000-0x0000000004CD2000-memory.dmp

Filesize
4.1MB

Download
memory/2624-48-0x0000000004650000-0x0000000004A62000-memory.dmp

Filesize
4.1MB

Download
memory/2652-65-0x0000000004F60000-0x0000000005372000-memory.dmp

Filesize
4.1MB

Download