fe893dcee37d4c6e62ec9afcf149062916a51af6141323ff74ae361a95105273

General

Target

722e63f8910e9fe1d7775c3a0495de54.exe
Size

320KB
MD5

722e63f8910e9fe1d7775c3a0495de54
SHA1

88041f0b4f76532cdf45b48591f7953e83981070
SHA256

fe893dcee37d4c6e62ec9afcf149062916a51af6141323ff74ae361a95105273
SHA512

7f9f74da10056e30b86fe50d192c4c3410b7bd9c6429331980834571d04b9609174c240dca9512d933e9d8f051c4b567aefb2714868785907bd927a50a7c7a1b
SSDEEP

6144:qCo86w8tceyv3WsJZAShsJduZKMjHaJUCo0nyglJ//MQ/81hpPbbcjdwEpqK:wLw8t/gGsIpduZJax/r3MQ/Msxw2qK

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

bD22003JeFjH22003.exe

pid process

2816 bD22003JeFjH22003.exe
Executes dropped EXE 1 IoCs

Processes:

bD22003JeFjH22003.exe

pid process

2816 bD22003JeFjH22003.exe
Loads dropped DLL 2 IoCs

Processes:

722e63f8910e9fe1d7775c3a0495de54.exe

pid process

1520 722e63f8910e9fe1d7775c3a0495de54.exe
1520 722e63f8910e9fe1d7775c3a0495de54.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1520-0-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/1520-2-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/1520-9-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/2816-28-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/1520-36-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/2816-37-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/2816-49-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/1520-52-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/2816-56-0x0000000000400000-0x00000000004C3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bD22003JeFjH22003.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bD22003JeFjH22003 = "C:\\ProgramData\\bD22003JeFjH22003\\bD22003JeFjH22003.exe"	bD22003JeFjH22003.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

bD22003JeFjH22003.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	bD22003JeFjH22003.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

722e63f8910e9fe1d7775c3a0495de54.exebD22003JeFjH22003.exe

pid	process
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe
1520	722e63f8910e9fe1d7775c3a0495de54.exe
2816	bD22003JeFjH22003.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

722e63f8910e9fe1d7775c3a0495de54.exebD22003JeFjH22003.exe

description pid process

Token: SeDebugPrivilege 1520 722e63f8910e9fe1d7775c3a0495de54.exe
Token: SeDebugPrivilege 2816 bD22003JeFjH22003.exe

description	pid	process
Token: SeDebugPrivilege	1520	722e63f8910e9fe1d7775c3a0495de54.exe
Token: SeDebugPrivilege	2816	bD22003JeFjH22003.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

bD22003JeFjH22003.exe

pid	process
2816	bD22003JeFjH22003.exe
2816	bD22003JeFjH22003.exe
2816	bD22003JeFjH22003.exe
2816	bD22003JeFjH22003.exe
2816	bD22003JeFjH22003.exe
2816	bD22003JeFjH22003.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

bD22003JeFjH22003.exe

pid	process
2816	bD22003JeFjH22003.exe
2816	bD22003JeFjH22003.exe
2816	bD22003JeFjH22003.exe
2816	bD22003JeFjH22003.exe
2816	bD22003JeFjH22003.exe
2816	bD22003JeFjH22003.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bD22003JeFjH22003.exe

pid process

2816 bD22003JeFjH22003.exe
2816 bD22003JeFjH22003.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

722e63f8910e9fe1d7775c3a0495de54.exe

description	pid	process	target process
PID 1520 wrote to memory of 2816	1520	722e63f8910e9fe1d7775c3a0495de54.exe	bD22003JeFjH22003.exe
PID 1520 wrote to memory of 2816	1520	722e63f8910e9fe1d7775c3a0495de54.exe	bD22003JeFjH22003.exe
PID 1520 wrote to memory of 2816	1520	722e63f8910e9fe1d7775c3a0495de54.exe	bD22003JeFjH22003.exe
PID 1520 wrote to memory of 2816	1520	722e63f8910e9fe1d7775c3a0495de54.exe	bD22003JeFjH22003.exe

C:\Users\Admin\AppData\Local\Temp\722e63f8910e9fe1d7775c3a0495de54.exe
"C:\Users\Admin\AppData\Local\Temp\722e63f8910e9fe1d7775c3a0495de54.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\ProgramData\bD22003JeFjH22003\bD22003JeFjH22003.exe
"C:\ProgramData\bD22003JeFjH22003\bD22003JeFjH22003.exe" "C:\Users\Admin\AppData\Local\Temp\722e63f8910e9fe1d7775c3a0495de54.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\bD22003JeFjH22003\bD22003JeFjH22003.exe
Filesize
320KB

MD5
8d78965462fb6b53dad06670d9ee299d

SHA1
db0d0277a876a2b896ffef35bd352f801fd3c5c7

SHA256
e6bd84837a9c23b6071fcfd4b1ad964c26e51ebaab8930503c0fd056d549e1de

SHA512
a811b3c32f6fbea431b9697515d0fb7ea64828d2da9c24cb99f3755ae73d61283c1fba05e8afbd6dc6f8ead97870b7ab3fbc72e17a6cd1e6fefa302449350955

Download Submit
memory/1520-1-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1520-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1520-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1520-2-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1520-9-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1520-36-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1520-52-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-28-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-37-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-49-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2816-56-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads