16149fe4aa159035e3421c31d632ba17ab018a9792d8d8ea283739fb94b14d28

General

Target

8720d04c541e19359d9434e2a671f904.exe
Size

415KB
MD5

8720d04c541e19359d9434e2a671f904
SHA1

516f1b100dc2fdd82b30e9dfa8297ffe6fbe6965
SHA256

16149fe4aa159035e3421c31d632ba17ab018a9792d8d8ea283739fb94b14d28
SHA512

d40749816a61772c20934a3518f177820e7b9849f19f3e5e57539b3c12edf70be4d232b1c14d5aeff9dcd52cd233314d44ad8fc2d5322cc6eb7d4fa2e62a7aeb
SSDEEP

6144:yfmXV93ikswB7SJcog4mOy74036KkOeMK+xdGb2GxEf+SZ+wr9YFLiby64XlJot:CKFswL4Hy740qKjLEvSf+oYFLzHot

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3628	regscan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regscan = "C:\\Windows\\system32\\regscan.exe"	8720d04c541e19359d9434e2a671f904.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regscan.exe	8720d04c541e19359d9434e2a671f904.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Settings\GID = 00000045	8720d04c541e19359d9434e2a671f904.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Settings\GatesList = 6974616b6b6173612e6363002f6367692d62696e2f636f756e7465722e63676900637573746f6d7375626d69742e636f6d002f6367692d62696e2f636f756e7465722e63676900616e7469616874756e672e7773002f6367692d62696e2f636861742e63676900637269746963616c666163746f722e6363002f6367692d62696e2f636974792e63676900616e616d616c6974792e696e666f002f6367692d62696e2f62616e672e636769007769726564782e696e002f6367692d62696e2f64622e636769007765697264626f78696b2e636f6d002f6367692d62696e2f636f756e7465722e63676900746f79616f652e636f6d002f6367692d62696e2f636f756e7465722e636769006175746f636165732e636f6d002f6367692d62696e2f636f756e7465722e63676900736465726869672e636f6d002f6367692d62696e2f636f756e7465722e63676900626f62727579736b2e62697a002f6367692d62696e2f636f756e7465722e63676900676c6f62616c727573682e696e666f002f6367692d62696e2f636f756e7465722e63676900636f6e636c7573696f6e30302e6363002f6367692d62696e2f636f756e7465722e636769006d6172696f34657665722e6f7267002f6367692d62696e2f636f756e7465722e636769006e6f6563686f2e6f7267002f6367692d62696e2f636f756e7465722e63676900	8720d04c541e19359d9434e2a671f904.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Settings\KeyM = 946beebcffa5bb8b5e682aa58fbf24f57a63b79cbbdb14d51faeb0573402596fc6389c7ebd8f82029f36ab3f0c6cb94cc3987ee6770acc53206f6b5bec83a89e34c19e9c73930501f33dd2da79ed63000425cb82fc873d89e18679798c67a8435cbc6526665eb18ac55195e024b87ff51a1c2083ddb744e6e766b35d88a785c82ba4584e1885a29dd316d589e6514b7090c9f3826913f109ed7c30862a164a4ca406faf978c47d7293fc64d748c5fb83a2440a9877becd4bfea869a216f273c5f144ff11383eaf5f3f87056161fcff22be00d54667a0bace65a5c73203931196627eeb0b5d9d9a921b41108c2c9b09a51184eb91ca34180e922d85c76b02b0ef	8720d04c541e19359d9434e2a671f904.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Settings\KeyE = 00010001	8720d04c541e19359d9434e2a671f904.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3628	4752	8720d04c541e19359d9434e2a671f904.exe	86
PID 4752 wrote to memory of 3628	4752	8720d04c541e19359d9434e2a671f904.exe	86
PID 4752 wrote to memory of 3628	4752	8720d04c541e19359d9434e2a671f904.exe	86
PID 3628 wrote to memory of 4128	3628	regscan.exe	97
PID 3628 wrote to memory of 4128	3628	regscan.exe	97

C:\Users\Admin\AppData\Local\Temp\8720d04c541e19359d9434e2a671f904.exe
"C:\Users\Admin\AppData\Local\Temp\8720d04c541e19359d9434e2a671f904.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\regscan.exe
  C:\Windows\system32\regscan.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" üë^‹þW¬<Zt,AÀàŠØ¬,AÃªëìXÃèáÿÿÿILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFOAPDBLJAIAAAAAAILNAFGIKMCCEAPAEEBIIAGEGMBOKAEOCPCMGAGAAFOILHNAEIDMHBFDDMAFGFHFAGKAEFAGKPPLILABGCFHGPPNAILNIIFMAHFBALIBAOACFHGPPNADNLHAAAAAAHELJOLEODDMAFHFAFAGIBPAAAPAAFDLIJAPFCFHGPPNAIFMAHEDALJAJAAAAAAIJAEAIIJFMAIAEOIBEAAAAAAILOMILHFAEILFOANPPHGAJLINAAFCGHGPPNAOLALIPEEAIAIILPIPMPDKEOLAKFDLIOACOCGHGPPNADDMAILOFMDZ
    3⤵
    PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\regscan.exe

Filesize
344KB

MD5
84e058e004bb576ed24974ff989d8e3e

SHA1
4d293f9844798c54ad540e1b8f686aeab36915a6

SHA256
1277fcda40aed365ea166e09d23b4d40bc6fa5202a9750c63b4757f010986388

SHA512
54e0c50d474cb6c695c57947f2f623f04d97aece49a83bd2fec09072e83cb472cb99255e75707fa84bd36b4ee00b0b2209eb1389faec50ef7139cb9f087493bf

Download Submit
memory/3628-5-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3628-7-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4752-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4752-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads