2e64d156602f4164d6b03e8ba24bcc6a0692eded957a9d5e91a290fb76eac206

General

Target

cf887221e7eb733bcf7639e7970aca22.exe
Size

373KB
MD5

cf887221e7eb733bcf7639e7970aca22
SHA1

b0796719feef70f4fbe10bc3e95004e2c0bf1110
SHA256

2e64d156602f4164d6b03e8ba24bcc6a0692eded957a9d5e91a290fb76eac206
SHA512

412eaacd541fe9aec49452f021c421d93a766e3ad6840749dda7eed450e6fc8e6522575a2dd4b3fe63e2aa74fcf39e696bb2de8b45400bbc51ac39e9e95d2573
SSDEEP

6144:TAzF9RD/MHz2p5ZmwWPsEJ41SF5tKqECHWmXBShbfZzjHZ7fBQ0Q0Q:UFLDEypvmJsWrF5tKzmxSTjHpJRQ0Q

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

seemd.exe

pid process

2528 seemd.exe
Loads dropped DLL 2 IoCs

Processes:

cf887221e7eb733bcf7639e7970aca22.exe

pid process

2900 cf887221e7eb733bcf7639e7970aca22.exe
2900 cf887221e7eb733bcf7639e7970aca22.exe

pid	process
2900	cf887221e7eb733bcf7639e7970aca22.exe
2900	cf887221e7eb733bcf7639e7970aca22.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2900-0-0x0000000000400000-0x0000000000537000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Icza\seemd.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

seemd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\{716CE7C8-8449-AD4E-8B2B-CDD0BB2BEECD} = "C:\\Users\\Admin\\AppData\\Roaming\\Icza\\seemd.exe"	seemd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cf887221e7eb733bcf7639e7970aca22.exe

description pid process target process

PID 2900 set thread context of 572 2900 cf887221e7eb733bcf7639e7970aca22.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1020 572 WerFault.exe cmd.exe

description	pid	process	target process
PID 2900 set thread context of 572	2900	cf887221e7eb733bcf7639e7970aca22.exe	cmd.exe

pid	pid_target	process	target process
1020	572	WerFault.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

cf887221e7eb733bcf7639e7970aca22.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cf887221e7eb733bcf7639e7970aca22.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Privacy	cf887221e7eb733bcf7639e7970aca22.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

seemd.exe

pid	process
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe
2528	seemd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cf887221e7eb733bcf7639e7970aca22.exe

description	pid	process
Token: SeSecurityPrivilege	2900	cf887221e7eb733bcf7639e7970aca22.exe
Token: SeSecurityPrivilege	2900	cf887221e7eb733bcf7639e7970aca22.exe
Token: SeSecurityPrivilege	2900	cf887221e7eb733bcf7639e7970aca22.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

cf887221e7eb733bcf7639e7970aca22.exeseemd.execmd.exe

description	pid	process	target process
PID 2900 wrote to memory of 2528	2900	cf887221e7eb733bcf7639e7970aca22.exe	seemd.exe
PID 2900 wrote to memory of 2528	2900	cf887221e7eb733bcf7639e7970aca22.exe	seemd.exe
PID 2900 wrote to memory of 2528	2900	cf887221e7eb733bcf7639e7970aca22.exe	seemd.exe
PID 2900 wrote to memory of 2528	2900	cf887221e7eb733bcf7639e7970aca22.exe	seemd.exe
PID 2528 wrote to memory of 1164	2528	seemd.exe	taskhost.exe
PID 2528 wrote to memory of 1164	2528	seemd.exe	taskhost.exe
PID 2528 wrote to memory of 1164	2528	seemd.exe	taskhost.exe
PID 2528 wrote to memory of 1164	2528	seemd.exe	taskhost.exe
PID 2528 wrote to memory of 1164	2528	seemd.exe	taskhost.exe
PID 2528 wrote to memory of 1276	2528	seemd.exe	Dwm.exe
PID 2528 wrote to memory of 1276	2528	seemd.exe	Dwm.exe
PID 2528 wrote to memory of 1276	2528	seemd.exe	Dwm.exe
PID 2528 wrote to memory of 1276	2528	seemd.exe	Dwm.exe
PID 2528 wrote to memory of 1276	2528	seemd.exe	Dwm.exe
PID 2528 wrote to memory of 1376	2528	seemd.exe	Explorer.EXE
PID 2528 wrote to memory of 1376	2528	seemd.exe	Explorer.EXE
PID 2528 wrote to memory of 1376	2528	seemd.exe	Explorer.EXE
PID 2528 wrote to memory of 1376	2528	seemd.exe	Explorer.EXE
PID 2528 wrote to memory of 1376	2528	seemd.exe	Explorer.EXE
PID 2528 wrote to memory of 2900	2528	seemd.exe	cf887221e7eb733bcf7639e7970aca22.exe
PID 2528 wrote to memory of 2900	2528	seemd.exe	cf887221e7eb733bcf7639e7970aca22.exe
PID 2528 wrote to memory of 2900	2528	seemd.exe	cf887221e7eb733bcf7639e7970aca22.exe
PID 2528 wrote to memory of 2900	2528	seemd.exe	cf887221e7eb733bcf7639e7970aca22.exe
PID 2528 wrote to memory of 2900	2528	seemd.exe	cf887221e7eb733bcf7639e7970aca22.exe
PID 2900 wrote to memory of 572	2900	cf887221e7eb733bcf7639e7970aca22.exe	cmd.exe
PID 2900 wrote to memory of 572	2900	cf887221e7eb733bcf7639e7970aca22.exe	cmd.exe
PID 2900 wrote to memory of 572	2900	cf887221e7eb733bcf7639e7970aca22.exe	cmd.exe
PID 2900 wrote to memory of 572	2900	cf887221e7eb733bcf7639e7970aca22.exe	cmd.exe
PID 2900 wrote to memory of 572	2900	cf887221e7eb733bcf7639e7970aca22.exe	cmd.exe
PID 2900 wrote to memory of 572	2900	cf887221e7eb733bcf7639e7970aca22.exe	cmd.exe
PID 2900 wrote to memory of 572	2900	cf887221e7eb733bcf7639e7970aca22.exe	cmd.exe
PID 2900 wrote to memory of 572	2900	cf887221e7eb733bcf7639e7970aca22.exe	cmd.exe
PID 2900 wrote to memory of 572	2900	cf887221e7eb733bcf7639e7970aca22.exe	cmd.exe
PID 572 wrote to memory of 1020	572	cmd.exe	WerFault.exe
PID 572 wrote to memory of 1020	572	cmd.exe	WerFault.exe
PID 572 wrote to memory of 1020	572	cmd.exe	WerFault.exe
PID 572 wrote to memory of 1020	572	cmd.exe	WerFault.exe
PID 2528 wrote to memory of 1108	2528	seemd.exe	conhost.exe
PID 2528 wrote to memory of 1108	2528	seemd.exe	conhost.exe
PID 2528 wrote to memory of 1108	2528	seemd.exe	conhost.exe
PID 2528 wrote to memory of 1108	2528	seemd.exe	conhost.exe
PID 2528 wrote to memory of 1108	2528	seemd.exe	conhost.exe
PID 2528 wrote to memory of 1020	2528	seemd.exe	WerFault.exe
PID 2528 wrote to memory of 1020	2528	seemd.exe	WerFault.exe
PID 2528 wrote to memory of 1020	2528	seemd.exe	WerFault.exe
PID 2528 wrote to memory of 1020	2528	seemd.exe	WerFault.exe
PID 2528 wrote to memory of 1020	2528	seemd.exe	WerFault.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1164

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1276

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\cf887221e7eb733bcf7639e7970aca22.exe
"C:\Users\Admin\AppData\Local\Temp\cf887221e7eb733bcf7639e7970aca22.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Users\Admin\AppData\Roaming\Icza\seemd.exe
"C:\Users\Admin\AppData\Roaming\Icza\seemd.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp51d406c2.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 116
4⤵
- Program crash
PID:1020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1888972787-2043826486-1116540047-6783421851176092676-130242044-472982373269260377"
1⤵
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Dodape\fipu.ico
Filesize
366B

MD5
6af97934b69e1741d2813af78a56b923

SHA1
e171135adee0a502968ebc7e4716b28932d04dcc

SHA256
9dc3945b80087b9b5eb4c49bbd6444c02b60d3bae521da92db3f37cd573f28ae

SHA512
d19f132368dedb817fd543becf208c4380d4e2c114f261c2e3a103154e44dc0db027f6503d7d24e8dc3b2f7419c8f29eecd375721ce4aabf47b0682b53cadddb

Download Submit
\Users\Admin\AppData\Roaming\Icza\seemd.exe
Filesize
373KB

MD5
d4da3dfc3daa56a32a6f7f56ca733122

SHA1
0241f7d2ca4338299620385898e497a191be2054

SHA256
a3bf9c9a27287f6f59112a9e965024d02e4c285021eecd937bd57d6912622172

SHA512
71f8dbafcc3971627ae17909d55d537b8e6850cd9b87ea02c8fbd7dbd3dbe52555f3741fcbf54ac19958ba7dda4986ab6ac705a58c1c346a27a1b0c34f1d1164

Download Submit
memory/1020-267-0x00000000023B0000-0x00000000023F1000-memory.dmp

Filesize
260KB

Download
memory/1020-165-0x00000000023B0000-0x00000000023F1000-memory.dmp

Filesize
260KB

Download
memory/1020-170-0x0000000077710000-0x0000000077711000-memory.dmp

Filesize
4KB

Download
memory/1020-172-0x000000007772C000-0x000000007772D000-memory.dmp

Filesize
4KB

Download
memory/1020-174-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1020-268-0x000000007772C000-0x000000007772D000-memory.dmp

Filesize
4KB

Download
memory/1164-17-0x0000000001BE0000-0x0000000001C21000-memory.dmp

Filesize
260KB

Download
memory/1164-20-0x0000000001BE0000-0x0000000001C21000-memory.dmp

Filesize
260KB

Download
memory/1164-18-0x0000000001BE0000-0x0000000001C21000-memory.dmp

Filesize
260KB

Download
memory/1164-15-0x0000000001BE0000-0x0000000001C21000-memory.dmp

Filesize
260KB

Download
memory/1164-19-0x0000000001BE0000-0x0000000001C21000-memory.dmp

Filesize
260KB

Download
memory/1276-25-0x0000000000170000-0x00000000001B1000-memory.dmp

Filesize
260KB

Download
memory/1276-24-0x0000000000170000-0x00000000001B1000-memory.dmp

Filesize
260KB

Download
memory/1276-23-0x0000000000170000-0x00000000001B1000-memory.dmp

Filesize
260KB

Download
memory/1276-22-0x0000000000170000-0x00000000001B1000-memory.dmp

Filesize
260KB

Download
memory/1376-28-0x0000000002740000-0x0000000002781000-memory.dmp

Filesize
260KB

Download
memory/1376-30-0x0000000002740000-0x0000000002781000-memory.dmp

Filesize
260KB

Download
memory/1376-29-0x0000000002740000-0x0000000002781000-memory.dmp

Filesize
260KB

Download
memory/1376-27-0x0000000002740000-0x0000000002781000-memory.dmp

Filesize
260KB

Download
memory/2528-16-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2528-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2900-43-0x0000000077710000-0x0000000077711000-memory.dmp

Filesize
4KB

Download
memory/2900-69-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-41-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-44-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-45-0x0000000077710000-0x0000000077711000-memory.dmp

Filesize
4KB

Download
memory/2900-38-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2900-47-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-49-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-51-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-53-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-55-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-57-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-59-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-61-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-63-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-65-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-67-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-40-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2900-71-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-75-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-73-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-77-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-79-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-81-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-135-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2900-36-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2900-152-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2900-34-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2900-32-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2900-13-0x0000000002440000-0x0000000002577000-memory.dmp

Filesize
1.2MB

Download
memory/2900-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2900-0-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2900-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2900-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads