a92ad73c5b612720d3561622c6e11f18613d0ea39234870d6f6879e45d358f92

General

Target

4736226d9a237c905fad4c5c89eb61d1.exe
Size

262KB
MD5

4736226d9a237c905fad4c5c89eb61d1
SHA1

b1e6731b1ced0ab43e986460c478d4c9d9497bef
SHA256

a92ad73c5b612720d3561622c6e11f18613d0ea39234870d6f6879e45d358f92
SHA512

17efec0e254e4a4a4fb7941bc5c935b6c3227f787e5a58cf86dda4cac538bfef459aee509fc8fe1d44c7890c79a96c8b0f027ccdd98980e8d3ad28818b200a86
SSDEEP

6144:Hv8Gp+df0afmVTRMdNdpn94sLrNXel9jb98+MATD:P8YkfXf4TRMj94svNuzjb9ZJ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

feul.exe

pid process

3048 feul.exe
Loads dropped DLL 1 IoCs

Processes:

4736226d9a237c905fad4c5c89eb61d1.exe

pid process

3060 4736226d9a237c905fad4c5c89eb61d1.exe

pid	process
3060	4736226d9a237c905fad4c5c89eb61d1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

feul.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E705BD28-DA76-AD4E-D262-B4D1F82197CC} = "C:\\Users\\Admin\\AppData\\Roaming\\Icxi\\feul.exe"	feul.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4736226d9a237c905fad4c5c89eb61d1.exe

description pid process target process

PID 3060 set thread context of 1504 3060 4736226d9a237c905fad4c5c89eb61d1.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1192 1504 WerFault.exe cmd.exe

description	pid	process	target process
PID 3060 set thread context of 1504	3060	4736226d9a237c905fad4c5c89eb61d1.exe	cmd.exe

pid	pid_target	process	target process
1192	1504	WerFault.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

4736226d9a237c905fad4c5c89eb61d1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Privacy	4736226d9a237c905fad4c5c89eb61d1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4736226d9a237c905fad4c5c89eb61d1.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

feul.exe

pid	process
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe
3048	feul.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

4736226d9a237c905fad4c5c89eb61d1.exe

description	pid	process
Token: SeSecurityPrivilege	3060	4736226d9a237c905fad4c5c89eb61d1.exe
Token: SeSecurityPrivilege	3060	4736226d9a237c905fad4c5c89eb61d1.exe
Token: SeSecurityPrivilege	3060	4736226d9a237c905fad4c5c89eb61d1.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

4736226d9a237c905fad4c5c89eb61d1.exefeul.exe

pid process

3060 4736226d9a237c905fad4c5c89eb61d1.exe
3048 feul.exe

pid	process
3060	4736226d9a237c905fad4c5c89eb61d1.exe
3048	feul.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

4736226d9a237c905fad4c5c89eb61d1.exefeul.execmd.exe

description	pid	process	target process
PID 3060 wrote to memory of 3048	3060	4736226d9a237c905fad4c5c89eb61d1.exe	feul.exe
PID 3060 wrote to memory of 3048	3060	4736226d9a237c905fad4c5c89eb61d1.exe	feul.exe
PID 3060 wrote to memory of 3048	3060	4736226d9a237c905fad4c5c89eb61d1.exe	feul.exe
PID 3060 wrote to memory of 3048	3060	4736226d9a237c905fad4c5c89eb61d1.exe	feul.exe
PID 3048 wrote to memory of 1252	3048	feul.exe	taskhost.exe
PID 3048 wrote to memory of 1252	3048	feul.exe	taskhost.exe
PID 3048 wrote to memory of 1252	3048	feul.exe	taskhost.exe
PID 3048 wrote to memory of 1252	3048	feul.exe	taskhost.exe
PID 3048 wrote to memory of 1252	3048	feul.exe	taskhost.exe
PID 3048 wrote to memory of 1352	3048	feul.exe	Dwm.exe
PID 3048 wrote to memory of 1352	3048	feul.exe	Dwm.exe
PID 3048 wrote to memory of 1352	3048	feul.exe	Dwm.exe
PID 3048 wrote to memory of 1352	3048	feul.exe	Dwm.exe
PID 3048 wrote to memory of 1352	3048	feul.exe	Dwm.exe
PID 3048 wrote to memory of 1392	3048	feul.exe	Explorer.EXE
PID 3048 wrote to memory of 1392	3048	feul.exe	Explorer.EXE
PID 3048 wrote to memory of 1392	3048	feul.exe	Explorer.EXE
PID 3048 wrote to memory of 1392	3048	feul.exe	Explorer.EXE
PID 3048 wrote to memory of 1392	3048	feul.exe	Explorer.EXE
PID 3048 wrote to memory of 1896	3048	feul.exe	DllHost.exe
PID 3048 wrote to memory of 1896	3048	feul.exe	DllHost.exe
PID 3048 wrote to memory of 1896	3048	feul.exe	DllHost.exe
PID 3048 wrote to memory of 1896	3048	feul.exe	DllHost.exe
PID 3048 wrote to memory of 1896	3048	feul.exe	DllHost.exe
PID 3048 wrote to memory of 3060	3048	feul.exe	4736226d9a237c905fad4c5c89eb61d1.exe
PID 3048 wrote to memory of 3060	3048	feul.exe	4736226d9a237c905fad4c5c89eb61d1.exe
PID 3048 wrote to memory of 3060	3048	feul.exe	4736226d9a237c905fad4c5c89eb61d1.exe
PID 3048 wrote to memory of 3060	3048	feul.exe	4736226d9a237c905fad4c5c89eb61d1.exe
PID 3048 wrote to memory of 3060	3048	feul.exe	4736226d9a237c905fad4c5c89eb61d1.exe
PID 3060 wrote to memory of 1504	3060	4736226d9a237c905fad4c5c89eb61d1.exe	cmd.exe
PID 3060 wrote to memory of 1504	3060	4736226d9a237c905fad4c5c89eb61d1.exe	cmd.exe
PID 3060 wrote to memory of 1504	3060	4736226d9a237c905fad4c5c89eb61d1.exe	cmd.exe
PID 3060 wrote to memory of 1504	3060	4736226d9a237c905fad4c5c89eb61d1.exe	cmd.exe
PID 3060 wrote to memory of 1504	3060	4736226d9a237c905fad4c5c89eb61d1.exe	cmd.exe
PID 3060 wrote to memory of 1504	3060	4736226d9a237c905fad4c5c89eb61d1.exe	cmd.exe
PID 3060 wrote to memory of 1504	3060	4736226d9a237c905fad4c5c89eb61d1.exe	cmd.exe
PID 3060 wrote to memory of 1504	3060	4736226d9a237c905fad4c5c89eb61d1.exe	cmd.exe
PID 3060 wrote to memory of 1504	3060	4736226d9a237c905fad4c5c89eb61d1.exe	cmd.exe
PID 1504 wrote to memory of 1192	1504	cmd.exe	WerFault.exe
PID 1504 wrote to memory of 1192	1504	cmd.exe	WerFault.exe
PID 1504 wrote to memory of 1192	1504	cmd.exe	WerFault.exe
PID 1504 wrote to memory of 1192	1504	cmd.exe	WerFault.exe
PID 3048 wrote to memory of 2940	3048	feul.exe	conhost.exe
PID 3048 wrote to memory of 2940	3048	feul.exe	conhost.exe
PID 3048 wrote to memory of 2940	3048	feul.exe	conhost.exe
PID 3048 wrote to memory of 2940	3048	feul.exe	conhost.exe
PID 3048 wrote to memory of 2940	3048	feul.exe	conhost.exe
PID 3048 wrote to memory of 1192	3048	feul.exe	WerFault.exe
PID 3048 wrote to memory of 1192	3048	feul.exe	WerFault.exe
PID 3048 wrote to memory of 1192	3048	feul.exe	WerFault.exe
PID 3048 wrote to memory of 1192	3048	feul.exe	WerFault.exe
PID 3048 wrote to memory of 1192	3048	feul.exe	WerFault.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1896

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\4736226d9a237c905fad4c5c89eb61d1.exe
"C:\Users\Admin\AppData\Local\Temp\4736226d9a237c905fad4c5c89eb61d1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6451eab9.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 112
4⤵
- Program crash
PID:1192

C:\Users\Admin\AppData\Roaming\Icxi\feul.exe
"C:\Users\Admin\AppData\Roaming\Icxi\feul.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1352

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "545947175-37993843953108789213311765131825709117321149207-1166327374-140051491"
1⤵
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Icxi\feul.exe
Filesize
262KB

MD5
723ec3262784406be776352587cd8876

SHA1
c9c04a83fd2f2fe72e4b18d2af888927fb9edc53

SHA256
92b04190826a810cb353333ba27727c0bd6ae4fa588dccb1fedc077928c343bb

SHA512
c46bde1fada49cd428d37260ee6e0add112525350f1820d76bca6a9cd15017defd7734b49ea128f5d9170c4f4c388c6e2df903615ad3c71410c38af267b30929

Download Submit
memory/1192-276-0x0000000000660000-0x00000000006A1000-memory.dmp

Filesize
260KB

Download
memory/1192-175-0x0000000000660000-0x00000000006A1000-memory.dmp

Filesize
260KB

Download
memory/1192-273-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/1192-270-0x0000000077B60000-0x0000000077B61000-memory.dmp

Filesize
4KB

Download
memory/1252-19-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/1252-14-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/1252-21-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/1252-20-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/1252-17-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/1352-26-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/1352-24-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/1352-27-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/1352-25-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/1392-29-0x0000000002500000-0x0000000002541000-memory.dmp

Filesize
260KB

Download
memory/1392-30-0x0000000002500000-0x0000000002541000-memory.dmp

Filesize
260KB

Download
memory/1392-31-0x0000000002500000-0x0000000002541000-memory.dmp

Filesize
260KB

Download
memory/1392-32-0x0000000002500000-0x0000000002541000-memory.dmp

Filesize
260KB

Download
memory/1896-37-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1896-36-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1896-34-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1896-35-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/3048-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-18-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/3048-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-13-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/3060-74-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-68-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-44-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-43-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/3060-42-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/3060-41-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/3060-40-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/3060-39-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/3060-48-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-50-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-52-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-54-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-56-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-58-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-60-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-62-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-66-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-46-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-70-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-72-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-0-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/3060-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3060-162-0x0000000001C20000-0x0000000001C65000-memory.dmp

Filesize
276KB

Download
memory/3060-163-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/3060-76-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3060-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3060-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3060-78-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-138-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3060-65-0x0000000077B60000-0x0000000077B61000-memory.dmp

Filesize
4KB

Download
memory/3060-63-0x0000000001DB0000-0x0000000001DF1000-memory.dmp

Filesize
260KB

Download
memory/3060-1-0x0000000001C20000-0x0000000001C65000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads