232c5934602eb593f7b3053c8b40b0c89ac74784f9aec9c60be48468c6f826bd

General

Target

670a4915743f08d0b1778ac7551f7942.exe
Size

562KB
MD5

670a4915743f08d0b1778ac7551f7942
SHA1

11e3a62ada71e5b587df50b67fa65eef9bb5ec2a
SHA256

232c5934602eb593f7b3053c8b40b0c89ac74784f9aec9c60be48468c6f826bd
SHA512

93dcadbe6627235eacd0c0126db29f1fdb1bb9853c6b3ff7df525c36ddd4fe3c582dd75b4c8c354b68e5073f6409a683ca69997aea864b97f22ea359d5d9e9d6
SSDEEP

12288:oPwMDD1dxDx5SCbpK2h6Ieu96aUT7dxIfLbdi8R+3z2f:kt9jF5JU2h6IlLUTUvdRRaz2f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2808	DownloadManager.exe

Loads dropped DLL 8 IoCs

pid	Process
2504	670a4915743f08d0b1778ac7551f7942.exe
2504	670a4915743f08d0b1778ac7551f7942.exe
2504	670a4915743f08d0b1778ac7551f7942.exe
2504	670a4915743f08d0b1778ac7551f7942.exe
2504	670a4915743f08d0b1778ac7551f7942.exe
2504	670a4915743f08d0b1778ac7551f7942.exe
2504	670a4915743f08d0b1778ac7551f7942.exe
2504	670a4915743f08d0b1778ac7551f7942.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	DownloadManager.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	DownloadManager.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2808	DownloadManager.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2808	DownloadManager.exe
2808	DownloadManager.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2808	2504	670a4915743f08d0b1778ac7551f7942.exe	28
PID 2504 wrote to memory of 2808	2504	670a4915743f08d0b1778ac7551f7942.exe	28
PID 2504 wrote to memory of 2808	2504	670a4915743f08d0b1778ac7551f7942.exe	28
PID 2504 wrote to memory of 2808	2504	670a4915743f08d0b1778ac7551f7942.exe	28

C:\Users\Admin\AppData\Local\Temp\670a4915743f08d0b1778ac7551f7942.exe
"C:\Users\Admin\AppData\Local\Temp\670a4915743f08d0b1778ac7551f7942.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\DM_4DpZmmpFPk\DownloadManager.exe
  DownloadManager.exe "C:\Users\Admin\AppData\Local\Temp\670a4915743f08d0b1778ac7551f7942.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM_4DpZmmpFPk\ApplicationDebug.log

Filesize
228B

MD5
9e3cfcdd4fd754e893f2d79629cc8377

SHA1
3a93fc958d20ed83c80e6f0801627958f3aac746

SHA256
70a4351b30f7c4dbfe017dded1645fc22d3d030713f0edc9401a8d1dd8a0c788

SHA512
355428b837405350009c2292067e5246d8c07bd19312284db27ed13b8ee23af8d386389d778680b40f875350825d16e5add49dd157ec196aad40591b1d486965

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3CA4.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Local\Temp\DM_4DpZmmpFPk\DownloadManager.exe

Filesize
864KB

MD5
54fff123842d60d5e57d04c4cf7fbf93

SHA1
8b7c9ee4dfb31d76d6cdf0a4c1c9b1d974e1ddcb

SHA256
e5f6ecac207287ea1c955497315de6c7622a06d4f8c63f44a838615f62acbb44

SHA512
b415d13a53d9cbae34d6e1badec0db06be522a3233440947b2351027d671e02c99b64a8f121bf14a0d9539ef988d07d03dae6c4d90644333c54ad5574518f2d1

Download Submit
\Users\Admin\AppData\Local\Temp\nst3CA4.tmp\UserInfo.dll

Filesize
4KB

MD5
031ec9b12afb1fafc9fc397f3b90f29c

SHA1
de26ddfe3ef452f8205bfbd5520a8eff6328619f

SHA256
2dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1

SHA512
cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6

Download Submit
\Users\Admin\AppData\Local\Temp\nst3CA4.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nst3CA4.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
memory/2808-40-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download
memory/2808-41-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-42-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download
memory/2808-43-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download
memory/2808-44-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download
memory/2808-45-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download
memory/2808-46-0x0000000020C90000-0x0000000021436000-memory.dmp

Filesize
7.6MB

Download
memory/2808-52-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-39-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing