ff658f2385cd1ea6958f1abac9f1af4460ec66764f8373f43f7146f605dc1ae7

General

Target

5025d4d18be3e307f280ce99792bd103.exe
Size

386KB
MD5

5025d4d18be3e307f280ce99792bd103
SHA1

1ebf08dae68919dcec39b056eee1d84051db0cdf
SHA256

ff658f2385cd1ea6958f1abac9f1af4460ec66764f8373f43f7146f605dc1ae7
SHA512

f1d0700bee5933cb6bd1a2744a9ae7f98c099a5ed63531cc210d5565045f45b74431e64f7e7b0a961385158c17977f5c00c975466ce7fea2b833047987957695
SSDEEP

6144:PCHDNhB0WCqB7l+04YmQ71poL5Cgg2GaSppsBUdZeppRSA6G7F3tNyu:qHZhW4BxXmQ71pkCg2aSoaISAxPL

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lB15402GgEfE15402.exe

pid process

680 lB15402GgEfE15402.exe
Loads dropped DLL 2 IoCs

Processes:

5025d4d18be3e307f280ce99792bd103.exe

pid process

2124 5025d4d18be3e307f280ce99792bd103.exe
2124 5025d4d18be3e307f280ce99792bd103.exe

pid	process
680	lB15402GgEfE15402.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2124-1-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/680-87-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2124-163-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/680-166-0x0000000000400000-0x00000000004CF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lB15402GgEfE15402.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lB15402GgEfE15402 = "C:\\ProgramData\\lB15402GgEfE15402\\lB15402GgEfE15402.exe"	lB15402GgEfE15402.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

lB15402GgEfE15402.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	lB15402GgEfE15402.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5025d4d18be3e307f280ce99792bd103.exe

pid	process
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe
2124	5025d4d18be3e307f280ce99792bd103.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5025d4d18be3e307f280ce99792bd103.exelB15402GgEfE15402.exe

description pid process

Token: SeDebugPrivilege 2124 5025d4d18be3e307f280ce99792bd103.exe
Token: SeDebugPrivilege 680 lB15402GgEfE15402.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

lB15402GgEfE15402.exe

pid process

680 lB15402GgEfE15402.exe
680 lB15402GgEfE15402.exe
680 lB15402GgEfE15402.exe
680 lB15402GgEfE15402.exe
680 lB15402GgEfE15402.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

lB15402GgEfE15402.exe

pid process

680 lB15402GgEfE15402.exe
680 lB15402GgEfE15402.exe
680 lB15402GgEfE15402.exe
680 lB15402GgEfE15402.exe
680 lB15402GgEfE15402.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lB15402GgEfE15402.exe

pid process

680 lB15402GgEfE15402.exe
680 lB15402GgEfE15402.exe

description	pid	process
Token: SeDebugPrivilege	2124	5025d4d18be3e307f280ce99792bd103.exe
Token: SeDebugPrivilege	680	lB15402GgEfE15402.exe

pid	process
680	lB15402GgEfE15402.exe
680	lB15402GgEfE15402.exe
680	lB15402GgEfE15402.exe
680	lB15402GgEfE15402.exe
680	lB15402GgEfE15402.exe

pid	process
680	lB15402GgEfE15402.exe
680	lB15402GgEfE15402.exe
680	lB15402GgEfE15402.exe
680	lB15402GgEfE15402.exe
680	lB15402GgEfE15402.exe

pid	process
680	lB15402GgEfE15402.exe
680	lB15402GgEfE15402.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5025d4d18be3e307f280ce99792bd103.exe

description	pid	process	target process
PID 2124 wrote to memory of 680	2124	5025d4d18be3e307f280ce99792bd103.exe	lB15402GgEfE15402.exe
PID 2124 wrote to memory of 680	2124	5025d4d18be3e307f280ce99792bd103.exe	lB15402GgEfE15402.exe
PID 2124 wrote to memory of 680	2124	5025d4d18be3e307f280ce99792bd103.exe	lB15402GgEfE15402.exe
PID 2124 wrote to memory of 680	2124	5025d4d18be3e307f280ce99792bd103.exe	lB15402GgEfE15402.exe

C:\Users\Admin\AppData\Local\Temp\5025d4d18be3e307f280ce99792bd103.exe
"C:\Users\Admin\AppData\Local\Temp\5025d4d18be3e307f280ce99792bd103.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\ProgramData\lB15402GgEfE15402\lB15402GgEfE15402.exe
"C:\ProgramData\lB15402GgEfE15402\lB15402GgEfE15402.exe" "C:\Users\Admin\AppData\Local\Temp\5025d4d18be3e307f280ce99792bd103.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\lB15402GgEfE15402\lB15402GgEfE15402.exe
Filesize
386KB

MD5
3323fb1d0434b434a39a2eabee52e93b

SHA1
e8e3c87bbe3ed4d2bb38ef823f08b87343f64303

SHA256
889dc5624df764a8dc115a92e9a8004c17ed34f02eef2ecef47e61399cab0ff7

SHA512
d61d2bad744f671a7cc39045cb7d84c6ff9e904abbcca5a818e59cecaef9f831e7f4107165f141fccf1209716394282bd3322385602df505e6e026b96f6ee71e

Download Submit
memory/680-87-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/680-88-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/680-166-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2124-0-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/2124-1-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2124-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2124-163-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads