d64b4f7b645dd6f82ec28d3a184715515946eb7751f59181d0ba153f3dad08ed

General

Target

a3904a49fb0f2635ff85917f615c9b69.exe
Size

226KB
MD5

a3904a49fb0f2635ff85917f615c9b69
SHA1

61c0eb2ba8a586818a9b00b45a807c2af1efd62f
SHA256

d64b4f7b645dd6f82ec28d3a184715515946eb7751f59181d0ba153f3dad08ed
SHA512

810c85f0b6735bfc83e8c4c52f38c857df8521378babacfa5c11e93c3e1af0602eed4689e6e7740af638a5464c8269cd918cfd194931ba3c7c00b6b3a07d5e44
SSDEEP

6144:xvo/PO2WD/l/fFgBEJsAquP8sDk+plMm1jbkYcMoS:6m5NXFgB4bUsDkfYzoS

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

9znx6o42.exe

pid process

1708 9znx6o42.exe
Loads dropped DLL 1 IoCs

Processes:

a3904a49fb0f2635ff85917f615c9b69.exe

pid process

1244 a3904a49fb0f2635ff85917f615c9b69.exe

pid	process
1244	a3904a49fb0f2635ff85917f615c9b69.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1244-0-0x0000000000400000-0x000000000044D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\9znx6o42.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a3904a49fb0f2635ff85917f615c9b69.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\9znx6o42.exe = "C:\\Users\\Admin\\AppData\\Roaming\\9znx6o42.exe"	a3904a49fb0f2635ff85917f615c9b69.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

9znx6o42.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	9znx6o42.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	9znx6o42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	9znx6o42.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9znx6o42.exe

pid	process
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe
1708	9znx6o42.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9znx6o42.exe

pid process

1708 9znx6o42.exe
1708 9znx6o42.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a3904a49fb0f2635ff85917f615c9b69.exe

description	pid	process	target process
PID 1244 wrote to memory of 1708	1244	a3904a49fb0f2635ff85917f615c9b69.exe	9znx6o42.exe
PID 1244 wrote to memory of 1708	1244	a3904a49fb0f2635ff85917f615c9b69.exe	9znx6o42.exe
PID 1244 wrote to memory of 1708	1244	a3904a49fb0f2635ff85917f615c9b69.exe	9znx6o42.exe
PID 1244 wrote to memory of 1708	1244	a3904a49fb0f2635ff85917f615c9b69.exe	9znx6o42.exe

C:\Users\Admin\AppData\Local\Temp\a3904a49fb0f2635ff85917f615c9b69.exe
"C:\Users\Admin\AppData\Local\Temp\a3904a49fb0f2635ff85917f615c9b69.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Roaming\9znx6o42.exe
"C:\Users\Admin\AppData\Roaming\9znx6o42.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\ib2[1].htm
Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Roaming\9znx6o42.exe
Filesize
226KB

MD5
a3904a49fb0f2635ff85917f615c9b69

SHA1
61c0eb2ba8a586818a9b00b45a807c2af1efd62f

SHA256
d64b4f7b645dd6f82ec28d3a184715515946eb7751f59181d0ba153f3dad08ed

SHA512
810c85f0b6735bfc83e8c4c52f38c857df8521378babacfa5c11e93c3e1af0602eed4689e6e7740af638a5464c8269cd918cfd194931ba3c7c00b6b3a07d5e44

Download Submit
memory/1244-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1244-1-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/1244-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1244-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-50-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-68-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-38-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-44-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-31-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-56-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-62-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-37-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-74-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-79-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-86-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-92-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-98-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-104-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-110-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads