1d99830d342634540a53b4c0d7ffd21e0f79db3c88bedcbcfbfc9069aa611be0

General

Target

a983ab02d85c650d83b3daa0dc6b5cf3.exe
Size

124KB
MD5

a983ab02d85c650d83b3daa0dc6b5cf3
SHA1

65c3bca645abf1e82fa3513fb6970fd984c40173
SHA256

1d99830d342634540a53b4c0d7ffd21e0f79db3c88bedcbcfbfc9069aa611be0
SHA512

bb27ad320c44f2567950b0fdeaee398ec09ed000efcbbc8a5d22ad86b1bc7c82b37ed3b72b7a69416b28fe01680330dd1bd0d268955b9b8fe9cc4855fa4838f4
SSDEEP

1536:5g4yf1zwQVghp59gaqLy5FHV/Sz2jgzQHzdf:e4a1zwLV9gaqA/SSszUzt

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a983ab02d85c650d83b3daa0dc6b5cf3.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsSystem = "C:\\Program Files\\snss.exe /start"	a983ab02d85c650d83b3daa0dc6b5cf3.exe

Drops autorun.inf file 1 TTPs 20 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Program Files\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	\??\d:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File opened for modification	\??\d:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File opened for modification	\??\e:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File opened for modification	\??\g:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File opened for modification	\??\l:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	\??\e:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	\??\f:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	\??\j:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	\??\l:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	C:\Users\Admin\AppData\Local\Temp\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File opened for modification	\??\f:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File opened for modification	\??\h:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File opened for modification	\??\j:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	\??\g:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	\??\h:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	\??\k:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File opened for modification	\??\i:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	C:\Program Files\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	\??\i:\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\snss.exe	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File opened for modification	C:\Program Files\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe
File created	C:\Program Files\autorun.inf	a983ab02d85c650d83b3daa0dc6b5cf3.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Main	a983ab02d85c650d83b3daa0dc6b5cf3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "????(ZmKe.CoM & CnXhack.CoM)??????????"	a983ab02d85c650d83b3daa0dc6b5cf3.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "????(ZmKe.CoM & CnXhack.CoM)??????????!"	a983ab02d85c650d83b3daa0dc6b5cf3.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\software\microsoft\Internet Explorer\main	a983ab02d85c650d83b3daa0dc6b5cf3.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.cnxhack.com"	a983ab02d85c650d83b3daa0dc6b5cf3.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3236	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1576	a983ab02d85c650d83b3daa0dc6b5cf3.exe
3236	explorer.exe
3236	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2652	1576	a983ab02d85c650d83b3daa0dc6b5cf3.exe	88
PID 1576 wrote to memory of 2652	1576	a983ab02d85c650d83b3daa0dc6b5cf3.exe	88
PID 1576 wrote to memory of 2652	1576	a983ab02d85c650d83b3daa0dc6b5cf3.exe	88

C:\Users\Admin\AppData\Local\Temp\a983ab02d85c650d83b3daa0dc6b5cf3.exe
"C:\Users\Admin\AppData\Local\Temp\a983ab02d85c650d83b3daa0dc6b5cf3.exe"
1⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe \
  2⤵
  PID:2652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\autorun.inf

Filesize
185B

MD5
4c2e31e25869e130a272c89a85c2d2a7

SHA1
6e591975707a89d5d24d534564b9095afebb0724

SHA256
01797c5f04a12507e7f4c386001aad53a4ad67a77d6acac6fcc46f13d4b072f8

SHA512
c5199530147043b93042fe919ba3271dc7f5ce0544f853625f9707bf4e21eb811e1c5551a6b958fb7a359d25c06ee44bd5c8fc9c266ad01af4c69e025414f379

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads