e4930c125a70e8e968fc364b1a66022be47f14408800e838b7d80fbbc2574834

General

Target

9c0a91778d0ea0cdf4e950327551364b.exe
Size

405KB
MD5

9c0a91778d0ea0cdf4e950327551364b
SHA1

deadac0aab81603422eded52ed12b146250781a6
SHA256

e4930c125a70e8e968fc364b1a66022be47f14408800e838b7d80fbbc2574834
SHA512

28543823bcb4346fb5d03c29c8f703530cad9488308c954983c9d91ab526885c08f91a2ecbded275cccc80f69a85d591f4a7be5e5937e9fee4947bfb93d33ba6
SSDEEP

6144:1UCKJ1qLbGqnP8nI0jSCdW81XJPHu3d0o7VmfcPTwQRW9GMfni1fOkD:1sI1P8TjSCdllJfu3d0ITwCgZf8

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
884	pHjDnCf08504.exe

Executes dropped EXE 1 IoCs

pid	Process
884	pHjDnCf08504.exe

Loads dropped DLL 2 IoCs

pid	Process
1172	9c0a91778d0ea0cdf4e950327551364b.exe
1172	9c0a91778d0ea0cdf4e950327551364b.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1172-1-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/1172-21-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/884-22-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/1172-25-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/884-34-0x0000000000400000-0x00000000004B9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pHjDnCf08504 = "C:\\ProgramData\\pHjDnCf08504\\pHjDnCf08504.exe"	pHjDnCf08504.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	pHjDnCf08504.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	9c0a91778d0ea0cdf4e950327551364b.exe
Token: SeDebugPrivilege	884	pHjDnCf08504.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
884	pHjDnCf08504.exe
884	pHjDnCf08504.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
884	pHjDnCf08504.exe
884	pHjDnCf08504.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
884	pHjDnCf08504.exe
884	pHjDnCf08504.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 884	1172	9c0a91778d0ea0cdf4e950327551364b.exe	28
PID 1172 wrote to memory of 884	1172	9c0a91778d0ea0cdf4e950327551364b.exe	28
PID 1172 wrote to memory of 884	1172	9c0a91778d0ea0cdf4e950327551364b.exe	28
PID 1172 wrote to memory of 884	1172	9c0a91778d0ea0cdf4e950327551364b.exe	28

C:\Users\Admin\AppData\Local\Temp\9c0a91778d0ea0cdf4e950327551364b.exe
"C:\Users\Admin\AppData\Local\Temp\9c0a91778d0ea0cdf4e950327551364b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\ProgramData\pHjDnCf08504\pHjDnCf08504.exe
  "C:\ProgramData\pHjDnCf08504\pHjDnCf08504.exe" "C:\Users\Admin\AppData\Local\Temp\9c0a91778d0ea0cdf4e950327551364b.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\pHjDnCf08504\pHjDnCf08504.exe

Filesize
405KB

MD5
3f4076b2cc760da6d444d4ecfda36a89

SHA1
722daf97fd40fb7bfb219bf9a2259137947ba1ec

SHA256
2dbec886f5e191ac6c930aed9938b953f2da0740e5e38ccef98e52bf4d64b2aa

SHA512
40a3ebfb566e08d591151465202da37ad41938555d9cd5de95aaebb00dbd457a26d8c163f046b25749e9fcc0a2f38942e77982393c3a1cb2a44678134aa97e47

Download Submit
memory/884-15-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/884-16-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/884-17-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/884-22-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/884-27-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/884-34-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1172-2-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1172-1-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1172-0-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1172-21-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1172-24-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1172-25-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads