bfcc2917e52d5146b26850df0356a25af0b30b683aec08c265824c2eae4867df

General

Target

c1c8a989b1835396f57dbe6457aa3c89.exe
Size

6.0MB
MD5

c1c8a989b1835396f57dbe6457aa3c89
SHA1

d8124e7f7e993786abaf84a3dfd8f6699da1c326
SHA256

bfcc2917e52d5146b26850df0356a25af0b30b683aec08c265824c2eae4867df
SHA512

d9fbcd46d21430289e6869b2756e94990c291a483627d21852bfd54a6ec549f10202060a39dcd3a4f761034aaaddba6fb6c127a501f663a53f7e9068f196b3cf
SSDEEP

98304:/zeoDRJ/WoD1rHRk4srTRPnpRXQKaoVASgT4eB:be0Jv6TBvpRXxt+SeB

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	c1c8a989b1835396f57dbe6457aa3c89.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
972	c1c8a989b1835396f57dbe6457aa3c89.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
972	c1c8a989b1835396f57dbe6457aa3c89.exe
972	c1c8a989b1835396f57dbe6457aa3c89.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28
PID 1964 wrote to memory of 972	1964	c1c8a989b1835396f57dbe6457aa3c89.exe	28

C:\Users\Admin\AppData\Local\Temp\c1c8a989b1835396f57dbe6457aa3c89.exe
"C:\Users\Admin\AppData\Local\Temp\c1c8a989b1835396f57dbe6457aa3c89.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\c1c8a989b1835396f57dbe6457aa3c89.exe
  "C:\Users\Admin\AppData\Local\Temp\c1c8a989b1835396f57dbe6457aa3c89.exe" ""
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/972-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/972-49-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-25-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-5-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-7-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-9-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-11-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-13-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-15-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-17-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-21-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/972-3-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-1-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-32-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-26-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-27-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-28-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-36-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-30-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-31-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-24-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-33-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-34-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/972-35-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1964-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1964-23-0x0000000000400000-0x00000000009D0000-memory.dmp

Filesize
5.8MB

Download

Analysis

Sharing