7fab547ccdea06a6a4b043e55ec850fb733748c84b3c06e42396efa216c14d9a

General

Target

4cb700e45cc636ee830aeb8ee6cf850c.exe
Size

14.7MB
MD5

4cb700e45cc636ee830aeb8ee6cf850c
SHA1

b67aa9982f7c9cf89937e62f49f200e5b00d055b
SHA256

7fab547ccdea06a6a4b043e55ec850fb733748c84b3c06e42396efa216c14d9a
SHA512

c0012a051a8406dab26d9ceeba690a33162d3ba21025627eef5cef63c9b1b4fe4306b801a24b0bb8e4d1f175ab258ff1ce62900c4fdca709854c266795c408c7
SSDEEP

196608:neaIOwLaIOwo3LaIO1LLLaIO/LaIOwQaIOi:ne9OwL9Owo3L9O1LLL9O/L9OwQ9Oi

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1760	e.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	4cb700e45cc636ee830aeb8ee6cf850c.exe
2640	4cb700e45cc636ee830aeb8ee6cf850c.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2640-0-0x0000000000400000-0x000000000054E000-memory.dmp	upx
behavioral1/files/0x000900000001225b-2.dat	upx
behavioral1/memory/2640-9-0x0000000000400000-0x000000000054E000-memory.dmp	upx
behavioral1/files/0x000900000001225b-10.dat	upx
behavioral1/memory/2640-8-0x0000000002180000-0x00000000022CE000-memory.dmp	upx
behavioral1/files/0x000900000001225b-7.dat	upx
behavioral1/files/0x000900000001225b-4.dat	upx
behavioral1/memory/1760-11-0x0000000000400000-0x000000000054E000-memory.dmp	upx
behavioral1/files/0x000900000001225b-13.dat	upx
behavioral1/memory/1760-19-0x0000000000400000-0x000000000054E000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	e.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1760	e.exe
1760	e.exe
1760	e.exe
1760	e.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1760	e.exe
1760	e.exe
1760	e.exe
1760	e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1760	e.exe
1760	e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 1760	2640	4cb700e45cc636ee830aeb8ee6cf850c.exe	28
PID 2640 wrote to memory of 1760	2640	4cb700e45cc636ee830aeb8ee6cf850c.exe	28
PID 2640 wrote to memory of 1760	2640	4cb700e45cc636ee830aeb8ee6cf850c.exe	28
PID 2640 wrote to memory of 1760	2640	4cb700e45cc636ee830aeb8ee6cf850c.exe	28

C:\Users\Admin\AppData\Local\Temp\4cb700e45cc636ee830aeb8ee6cf850c.exe
"C:\Users\Admin\AppData\Local\Temp\4cb700e45cc636ee830aeb8ee6cf850c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\e.exe
  C:\Users\Admin\AppData\Local\Temp\e.exe -run C:\Users\Admin\AppData\Local\Temp\4cb700e45cc636ee830aeb8ee6cf850c.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e.exe

Filesize
1.8MB

MD5
cd95c32d572e2fa9b347cecd892064af

SHA1
a1bd304a20f7ec282e1e1f15dbb36582410876be

SHA256
3e4ea35d11f657d1491cd9bb85d22620b996a8f49e3f6b924154eec8870e8062

SHA512
c8ce2f29f5d3c85f3ebcdba89e820fca0f7ff43f4f66804779775f319f8c93c95392cd0c0e5b240d65ac898cd13afb42e8b6fece94a2a33844b38cc55f504812

Download Submit
C:\Users\Admin\AppData\Local\Temp\e.exe

Filesize
1.2MB

MD5
a432ee5ff08e2d0ba869550811a4048b

SHA1
fc7d6f1c37130454033fdc063b606176c5e2569d

SHA256
d7fc38ea1a340bf58cf377655a225500e71e792755d62407b1e67a9baa4e1bd4

SHA512
bb039a6aa07346e16c620ab0dcf6fdf1ab52874971efd32e6e8eff5a3d1f243fe74310c0b49cd3ebaa99327734b22a4977b70dd06360acba9564dee15d69525a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e.exe

Filesize
2.2MB

MD5
e739abf0cd3c4b019f5031f795ff08dd

SHA1
c286669797c9e249826e9eef45349e63b918377a

SHA256
4b4e06c39d52ebe082f5a469634d616a22eca4c5060c770c4b526188f0f22d81

SHA512
9efca1f179c75cff0a5f960b57d6aaf9a0650f61cd3aabb8b29a475ace8ebf4414bc68b02d440c8c7bb8927b2aa830fcbec0b531b46c854732d7afe416bed32e

Download Submit
\Users\Admin\AppData\Local\Temp\e.exe

Filesize
2.3MB

MD5
59ea6fc62641fb35358aab0d31f2f8db

SHA1
7a7f66fa71dd70475afc5856f30c1e826ed08c09

SHA256
da6eef323a85ed0442540b2eb40cfa848f9303184114cf7f9864fe33bbd5307b

SHA512
991a4ef50e05b5137f70a2506cba9cd8dfab9be798093922a1ccbed2b8a79505a7705334c1265495d986545b7fac274dac3d530681421ae64732cbd96057d867

Download Submit
\Users\Admin\AppData\Local\Temp\e.exe

Filesize
2.5MB

MD5
0a268df12aff414535357c15a1b6da0b

SHA1
174bfedb0f5b1814087a9cec7d9d36301d51db1d

SHA256
f38059ffb4c98a3d2ed6c269924435ef5a63e82f366fb68e070bee51a6a217bd

SHA512
ca6a23175e2ffef33b37a15e7530cf2b10afdc511aea8c629981523ed56a339489c7a3a77d968573f22526b3cf2695f4f16045ea3896cc37ba8df3db0cef0d36

Download Submit
memory/1760-11-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1760-12-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1760-19-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1760-20-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2640-0-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2640-9-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2640-8-0x0000000002180000-0x00000000022CE000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing