fe948aee2865c647197443970205169d34300becff3265ebe2223208a560dec5

General

Target

cd4fa39d99d58ea96b81c12a8859ba2b.exe
Size

404KB
MD5

cd4fa39d99d58ea96b81c12a8859ba2b
SHA1

5427575465c23cc2b7e38b13d7840d2862b5d324
SHA256

fe948aee2865c647197443970205169d34300becff3265ebe2223208a560dec5
SHA512

a5a839c700cd29df2ba88863a27a18525e44eda7e90988dc3ae999f092615a0ebc1f9b53dc50da759da5e77d001d1b7fc6bf1ccd1cab7b952349f97e278f25a0
SSDEEP

6144:Jl37vQRX5LmYj/6Me8JQnV6W8gTKlF2bbgT3F+G6JFYZYnS3xwC:bvmXNntxQnV6WdKlAAz0FYZYnS3xwC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2944	Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe
2972	7za.exe
2700	ic1.exe

Loads dropped DLL 10 IoCs

pid	Process
2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe
2944	Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe
2944	Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe
2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe
2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe
2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe
2972	7za.exe
2972	7za.exe
2972	7za.exe
2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2944	Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe
2944	Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2944	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	28
PID 2304 wrote to memory of 2944	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	28
PID 2304 wrote to memory of 2944	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	28
PID 2304 wrote to memory of 2944	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	28
PID 2304 wrote to memory of 2944	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	28
PID 2304 wrote to memory of 2944	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	28
PID 2304 wrote to memory of 2944	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	28
PID 2304 wrote to memory of 2972	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	29
PID 2304 wrote to memory of 2972	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	29
PID 2304 wrote to memory of 2972	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	29
PID 2304 wrote to memory of 2972	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	29
PID 2304 wrote to memory of 2972	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	29
PID 2304 wrote to memory of 2972	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	29
PID 2304 wrote to memory of 2972	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	29
PID 2304 wrote to memory of 2700	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	31
PID 2304 wrote to memory of 2700	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	31
PID 2304 wrote to memory of 2700	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	31
PID 2304 wrote to memory of 2700	2304	cd4fa39d99d58ea96b81c12a8859ba2b.exe	31

C:\Users\Admin\AppData\Local\Temp\cd4fa39d99d58ea96b81c12a8859ba2b.exe
"C:\Users\Admin\AppData\Local\Temp\cd4fa39d99d58ea96b81c12a8859ba2b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe
  "C:\Users\Admin\AppData\Local\Temp\Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
7KB

MD5
e73e5ecc3958ffe56d1b410b904c5cb6

SHA1
68a4b8b7bf87c5b56c5ae183f880c538ab831080

SHA256
c93868af3ba02f2b60348ee94daa6f5acabe9facfd4659ebeceb03f1cc4ebb86

SHA512
80beda8c24e7cbb3608d85bc393acc08d3772e352b4304d84bc9417f79d3a5b89afe82919e16adfaee3ad9c916282cb683355f87bab2a63cea94fec6ed0a6a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic1.exe

Filesize
18KB

MD5
b64b538899d4588a05d7d3db92918448

SHA1
b2d0b29a9c69bac6b22f696474eb031cca664f9a

SHA256
803abec016d53636f2817c972f2c769beb36501fc8bd30c73994958eb94cfb29

SHA512
ba4732c7a25dfdd636009a5ec8597e233c7c2b736b9c08a07dce13de70d9e0e08652b7f323ab590a29b57da12bf6a347675b2103bdfef06a80dbfd555ad09727

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
\Users\Admin\AppData\Local\Temp\Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe

Filesize
162KB

MD5
836f373ca91c863133e5575813bca1e3

SHA1
cdfb7b3d972feb15a4eef16a9a92111e4f84855f

SHA256
5d5c47f78fdd9c1cdae3a32d1519b25e405b1c7917157605285596f219a3761a

SHA512
ae677841be28c7b85ccb020b9a16cc380b09b6c367c5f6874f9b7e715a7af09fa24c766a74df1c7703d59b18640fe109c8960daa74b6ddbd0b4405e40fda75d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsi21E4.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
memory/2700-45-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-39-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2700-49-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/2700-51-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-52-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/2700-56-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/2700-57-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/2700-58-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-59-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing