630cba04d316ca87e594ae5f6a59af50ddc8c3393bb9b9a6ea4a7e889045230f

General

Target

4ad4f1510241a99d3df6e8c9a6ce1e77.exe
Size

386KB
MD5

4ad4f1510241a99d3df6e8c9a6ce1e77
SHA1

31121ac5052639c57122a471e3304763d850ad25
SHA256

630cba04d316ca87e594ae5f6a59af50ddc8c3393bb9b9a6ea4a7e889045230f
SHA512

d787c571daf62a88f648d5c709fdd0471b63ee222fd20e8ebf0018458f981dfdf008e5c34795a4cf3e5869860ca81f8de2d72661273dfadb334f9cc91dfb019c
SSDEEP

6144:iCHDKhB0WCqB7l+04YmQ71poL5Cgg2GaSppsBUdZeppRSA6G7F3tNyu:tHmhW4BxXmQ71pkCg2aSoaISAxPL

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

bK28303JiOaF28303.exe

pid process

1184 bK28303JiOaF28303.exe
Executes dropped EXE 1 IoCs

Processes:

bK28303JiOaF28303.exe

pid process

1184 bK28303JiOaF28303.exe
Loads dropped DLL 2 IoCs

Processes:

4ad4f1510241a99d3df6e8c9a6ce1e77.exe

pid process

1988 4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988 4ad4f1510241a99d3df6e8c9a6ce1e77.exe

pid	process
1184	bK28303JiOaF28303.exe

pid	process
1184	bK28303JiOaF28303.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1988-1-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/1184-86-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/1988-162-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/1184-165-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/1988-196-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/1184-201-0x0000000000400000-0x00000000004CF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bK28303JiOaF28303.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bK28303JiOaF28303 = "C:\\ProgramData\\bK28303JiOaF28303\\bK28303JiOaF28303.exe"	bK28303JiOaF28303.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

bK28303JiOaF28303.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	bK28303JiOaF28303.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4ad4f1510241a99d3df6e8c9a6ce1e77.exebK28303JiOaF28303.exe

pid	process
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
1184	bK28303JiOaF28303.exe
1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4ad4f1510241a99d3df6e8c9a6ce1e77.exebK28303JiOaF28303.exe

description pid process

Token: SeDebugPrivilege 1988 4ad4f1510241a99d3df6e8c9a6ce1e77.exe
Token: SeDebugPrivilege 1184 bK28303JiOaF28303.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

bK28303JiOaF28303.exe

pid process

1184 bK28303JiOaF28303.exe
1184 bK28303JiOaF28303.exe
1184 bK28303JiOaF28303.exe
1184 bK28303JiOaF28303.exe
1184 bK28303JiOaF28303.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

bK28303JiOaF28303.exe

pid process

1184 bK28303JiOaF28303.exe
1184 bK28303JiOaF28303.exe
1184 bK28303JiOaF28303.exe
1184 bK28303JiOaF28303.exe
1184 bK28303JiOaF28303.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bK28303JiOaF28303.exe

pid process

1184 bK28303JiOaF28303.exe
1184 bK28303JiOaF28303.exe

description	pid	process
Token: SeDebugPrivilege	1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe
Token: SeDebugPrivilege	1184	bK28303JiOaF28303.exe

pid	process
1184	bK28303JiOaF28303.exe
1184	bK28303JiOaF28303.exe
1184	bK28303JiOaF28303.exe
1184	bK28303JiOaF28303.exe
1184	bK28303JiOaF28303.exe

pid	process
1184	bK28303JiOaF28303.exe
1184	bK28303JiOaF28303.exe
1184	bK28303JiOaF28303.exe
1184	bK28303JiOaF28303.exe
1184	bK28303JiOaF28303.exe

pid	process
1184	bK28303JiOaF28303.exe
1184	bK28303JiOaF28303.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4ad4f1510241a99d3df6e8c9a6ce1e77.exe

description	pid	process	target process
PID 1988 wrote to memory of 1184	1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe	bK28303JiOaF28303.exe
PID 1988 wrote to memory of 1184	1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe	bK28303JiOaF28303.exe
PID 1988 wrote to memory of 1184	1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe	bK28303JiOaF28303.exe
PID 1988 wrote to memory of 1184	1988	4ad4f1510241a99d3df6e8c9a6ce1e77.exe	bK28303JiOaF28303.exe

C:\Users\Admin\AppData\Local\Temp\4ad4f1510241a99d3df6e8c9a6ce1e77.exe
"C:\Users\Admin\AppData\Local\Temp\4ad4f1510241a99d3df6e8c9a6ce1e77.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\ProgramData\bK28303JiOaF28303\bK28303JiOaF28303.exe
"C:\ProgramData\bK28303JiOaF28303\bK28303JiOaF28303.exe" "C:\Users\Admin\AppData\Local\Temp\4ad4f1510241a99d3df6e8c9a6ce1e77.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bK28303JiOaF28303\bK28303JiOaF28303
Filesize
208B

MD5
c46deeadcffb8f2ae2a9f2b9829dec25

SHA1
0c9dd0d2a571070b653d20b4a57247e0878593a1

SHA256
a066fa0f01b3530823653254baf8d51dd0b6d95b16a7ad7c07ba238f8e4503d7

SHA512
40583c2267aea41efc2c5bbbbcb6b8f7b4c5ae3785a03358b470fe9abd365c6ebc54b6bd159ce04e4b7cd2d376833f9df7e39222e53069a8509b94ef1b4b1c75

Download Submit
\ProgramData\bK28303JiOaF28303\bK28303JiOaF28303.exe
Filesize
386KB

MD5
94495ee10ccd8e879696f1c9119e65a4

SHA1
bba6331fa9a3fcd51d5e9ca3a74e053774195fc4

SHA256
975d914f1a2de4f27a6d67adad6c8d6329f96f69d8931ee126824a299cea4510

SHA512
f85969b29210435e1b2f14acfaffa07e6b588f030534bec27a3adaebced44bea9701d52f6eac73121c05fafa58611b4ab74946c8ba831fd451ad7b0d11a3f511

Download Submit
memory/1184-86-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1184-87-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1184-165-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1184-201-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1988-0-0x0000000000250000-0x0000000000253000-memory.dmp

Filesize
12KB

Download
memory/1988-1-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1988-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1988-162-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1988-196-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads