97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012

General

Target

97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe
Size

1.4MB
MD5

2f0d1effca8e06f489035a1e1facc192
SHA1

fd96f6c801e4791c82d2c7cf44c7a829d95a946b
SHA256

97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012
SHA512

a8deb4a624d5d83c1c5aa98aa986dd9ae0b261a9e57066853e2187fc9ea25308e1d1e072efe80d76e569ff93734a75447566c9a31f5b0536fae532383075166f
SSDEEP

24576:Y4U6dqpfTTGiyfhy584ihQuL87Etqq6vOSpd57vwvN4j6Ii3Vke3u:Y4XwppyU+87jd57v243akj

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2612	wextract.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 2112	2040	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2112 set thread context of 1188	2112	calc.exe	17
PID 2112 set thread context of 2612	2112	calc.exe	31
PID 2612 set thread context of 1188	2612	wextract.exe	17

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3427588347-1492276948-3422228430-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wextract.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2112	calc.exe
2112	calc.exe
2112	calc.exe
2112	calc.exe
2112	calc.exe
2112	calc.exe
2112	calc.exe
2112	calc.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1188	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2112	calc.exe
1188	Explorer.EXE
1188	Explorer.EXE
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe
2612	wextract.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2112	2040	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2040 wrote to memory of 2112	2040	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2040 wrote to memory of 2112	2040	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2040 wrote to memory of 2112	2040	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2040 wrote to memory of 2112	2040	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2040 wrote to memory of 2112	2040	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 2040 wrote to memory of 2112	2040	97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe	28
PID 1188 wrote to memory of 2612	1188	Explorer.EXE	31
PID 1188 wrote to memory of 2612	1188	Explorer.EXE	31
PID 1188 wrote to memory of 2612	1188	Explorer.EXE	31
PID 1188 wrote to memory of 2612	1188	Explorer.EXE	31
PID 1188 wrote to memory of 2612	1188	Explorer.EXE	31
PID 1188 wrote to memory of 2612	1188	Explorer.EXE	31
PID 1188 wrote to memory of 2612	1188	Explorer.EXE	31
PID 2612 wrote to memory of 756	2612	wextract.exe	34
PID 2612 wrote to memory of 756	2612	wextract.exe	34
PID 2612 wrote to memory of 756	2612	wextract.exe	34
PID 2612 wrote to memory of 756	2612	wextract.exe	34
PID 2612 wrote to memory of 756	2612	wextract.exe	34
PID 2612 wrote to memory of 756	2612	wextract.exe	34
PID 2612 wrote to memory of 756	2612	wextract.exe	34
PID 2612 wrote to memory of 756	2612	wextract.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe
  "C:\Users\Admin\AppData\Local\Temp\97c2d5b8641875634156368989ff410bb6b5cab67c2c5430b73cb47d51982012.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SYSWOW64\calc.exe
    "C:\Windows\SYSWOW64\calc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2112
- C:\Windows\SysWOW64\wextract.exe
  "C:\Windows\SysWOW64\wextract.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfmdgr.zip

Filesize
469KB

MD5
2555518e014abda6ab2156aceaa4c25c

SHA1
dbfa5be3e5ab5705bea72c62591d1856a69e99a5

SHA256
81f30ffed254f6660eda1845240da62f1a73e94dbae6ddb564f982825c7e99fe

SHA512
6984f9bff3facf693dcf4d22883e402ebfe673305ab0395ea52881109ea2b467b7d61567e3e8a0ca7ff01a3969fb8e0e384790333c7f5807ead1ef190623c6ac

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
895KB

MD5
1eb6acf76a15b74b38333af47dc1218d

SHA1
a3fbc817f59b6a8899dc338cc15a75cdd17dfff1

SHA256
a5ef3a78eb333b0e6dca194ea711dcbb036119a788ecfe125f05176fb0fb70a3

SHA512
717931aa928de150abbb70d523c7dbd472bfa6c511ab55e0b50df8d9661d33635156ed7b750285fa383cdd4064f225ea022f0bead3e066ee2beba84ef5731c15

Download Submit
memory/1188-13-0x0000000008AC0000-0x000000000A350000-memory.dmp

Filesize
24.6MB

Download
memory/1188-12-0x00000000026F0000-0x00000000027F0000-memory.dmp

Filesize
1024KB

Download
memory/1188-21-0x0000000007380000-0x000000000748D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-22-0x0000000007380000-0x000000000748D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-67-0x0000000007380000-0x000000000748D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-23-0x0000000008AC0000-0x000000000A350000-memory.dmp

Filesize
24.6MB

Download
memory/2040-3-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/2040-0-0x0000000000A30000-0x0000000000B98000-memory.dmp

Filesize
1.4MB

Download
memory/2040-6-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-4-0x0000000004DA0000-0x0000000004E32000-memory.dmp

Filesize
584KB

Download
memory/2040-2-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/2040-1-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-7-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/2112-11-0x0000000000200000-0x0000000000222000-memory.dmp

Filesize
136KB

Download
memory/2112-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2112-17-0x0000000000200000-0x0000000000222000-memory.dmp

Filesize
136KB

Download
memory/2112-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2112-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2112-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2112-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2612-19-0x00000000000D0000-0x000000000010A000-memory.dmp

Filesize
232KB

Download
memory/2612-14-0x00000000000D0000-0x000000000010A000-memory.dmp

Filesize
232KB

Download
memory/2612-24-0x00000000000D0000-0x000000000010A000-memory.dmp

Filesize
232KB

Download
memory/2612-20-0x0000000000B50000-0x0000000000BF1000-memory.dmp

Filesize
644KB

Download
memory/2612-15-0x00000000000D0000-0x000000000010A000-memory.dmp

Filesize
232KB

Download
memory/2612-64-0x0000000061E00000-0x0000000061ECB000-memory.dmp

Filesize
812KB

Download
memory/2612-65-0x0000000000B50000-0x0000000000BF1000-memory.dmp

Filesize
644KB

Download
memory/2612-18-0x0000000002230000-0x0000000002533000-memory.dmp

Filesize
3.0MB

Download
memory/2612-68-0x0000000061E00000-0x0000000061ECB000-memory.dmp

Filesize
812KB

Download

Analysis

Sharing