b7380c5392e42d8d328ec2277080c55ea3b9567d921d54ad1b682285f3d95496

General

Target

751ed81e96a8610b4e5b565cde769089.exe
Size

413KB
MD5

751ed81e96a8610b4e5b565cde769089
SHA1

4b98fbee5c50a8f5d4ec49b4b623f4dafbd86994
SHA256

b7380c5392e42d8d328ec2277080c55ea3b9567d921d54ad1b682285f3d95496
SHA512

ec591f6eb820403cb7198c2a056c7cd9af1a1cc886c3fd5f7dbf3a929de50762cd23e20f733cabff24595305890f7cdb9a1d064c69fea4f55aa2a8bde52d8458
SSDEEP

6144:IYYWXQ7r0pjst48BVA0gP+VdQnQCgIwe/xSqF5loDOvOYbHgG8vpCWS9cXASj8k:IvAjCvM0hdCQEptoqvO6AG8Md9cQS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2088	eLmNdKn07003.exe

Loads dropped DLL 2 IoCs

pid	Process
1936	751ed81e96a8610b4e5b565cde769089.exe
1936	751ed81e96a8610b4e5b565cde769089.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1936-1-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/1936-3-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/1936-4-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/1936-5-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/2088-23-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/2088-24-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/1936-27-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/2088-28-0x0000000000400000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/2088-35-0x0000000000400000-0x00000000004B2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eLmNdKn07003 = "C:\\ProgramData\\eLmNdKn07003\\eLmNdKn07003.exe"	eLmNdKn07003.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	eLmNdKn07003.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	751ed81e96a8610b4e5b565cde769089.exe
Token: SeDebugPrivilege	2088	eLmNdKn07003.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2088	eLmNdKn07003.exe
2088	eLmNdKn07003.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2088	eLmNdKn07003.exe
2088	eLmNdKn07003.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2088	eLmNdKn07003.exe
2088	eLmNdKn07003.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2088	1936	751ed81e96a8610b4e5b565cde769089.exe	28
PID 1936 wrote to memory of 2088	1936	751ed81e96a8610b4e5b565cde769089.exe	28
PID 1936 wrote to memory of 2088	1936	751ed81e96a8610b4e5b565cde769089.exe	28
PID 1936 wrote to memory of 2088	1936	751ed81e96a8610b4e5b565cde769089.exe	28

C:\Users\Admin\AppData\Local\Temp\751ed81e96a8610b4e5b565cde769089.exe
"C:\Users\Admin\AppData\Local\Temp\751ed81e96a8610b4e5b565cde769089.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\ProgramData\eLmNdKn07003\eLmNdKn07003.exe
  "C:\ProgramData\eLmNdKn07003\eLmNdKn07003.exe" "C:\Users\Admin\AppData\Local\Temp\751ed81e96a8610b4e5b565cde769089.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\eLmNdKn07003\eLmNdKn07003.exe

Filesize
413KB

MD5
abfaccbf4f2b76f56aec9e9ab86030c7

SHA1
39aceb7e04304f16946143bee7fffee62110adda

SHA256
ae5f4f714b4e9a16f1e94bef1f2794ed05abcb1b4feef126d1a43fc35af7b35c

SHA512
f05af5d975921c80ad9a50798cb5b2a5964c420cd3a3512f29a439486a3266219da258dce7bf3395c8e499cbbf650b464c2ddb953f945f24c6ce674f056921be

Download Submit
memory/1936-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1936-1-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1936-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1936-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1936-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1936-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2088-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2088-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2088-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2088-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2088-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads