427e589e554cf195057169b6c737173ebe21a8edeec3170b1d9423b19402149f

General

Target

e0429d505642e0d79ac2740fc5950750.exe
Size

61KB
MD5

e0429d505642e0d79ac2740fc5950750
SHA1

e107f7dd1e7e1cb0c21f136cbde4d92a19aeb2bb
SHA256

427e589e554cf195057169b6c737173ebe21a8edeec3170b1d9423b19402149f
SHA512

a396cf2a485333a5714c5e25e3b58c29d67beaea50328a19e8c410a03eb04108b30fa776db1a4709a728b394057c5878a29d7884e7fbab9d57fc704ed26d47de
SSDEEP

1536:MiMF/5zutWoFMOUgHluFRR2t/L8DwVg0Eq:SF/to4OUU8FqADlfq

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 2 IoCs

pid	Process
2352	kept.exe
2288	load.exe

Loads dropped DLL 7 IoCs

pid	Process
2360	e0429d505642e0d79ac2740fc5950750.exe
2360	e0429d505642e0d79ac2740fc5950750.exe
2360	e0429d505642e0d79ac2740fc5950750.exe
2360	e0429d505642e0d79ac2740fc5950750.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000143ec-9.dat	upx
behavioral1/memory/2352-24-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2360-12-0x00000000031B0000-0x00000000031D4000-memory.dmp	upx
behavioral1/memory/2352-43-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	kept.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	kept.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mmmvnrvn.dll	kept.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2716	2288	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	kept.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2352	2360	e0429d505642e0d79ac2740fc5950750.exe	28
PID 2360 wrote to memory of 2352	2360	e0429d505642e0d79ac2740fc5950750.exe	28
PID 2360 wrote to memory of 2352	2360	e0429d505642e0d79ac2740fc5950750.exe	28
PID 2360 wrote to memory of 2352	2360	e0429d505642e0d79ac2740fc5950750.exe	28
PID 2360 wrote to memory of 2288	2360	e0429d505642e0d79ac2740fc5950750.exe	29
PID 2360 wrote to memory of 2288	2360	e0429d505642e0d79ac2740fc5950750.exe	29
PID 2360 wrote to memory of 2288	2360	e0429d505642e0d79ac2740fc5950750.exe	29
PID 2360 wrote to memory of 2288	2360	e0429d505642e0d79ac2740fc5950750.exe	29
PID 2288 wrote to memory of 2716	2288	load.exe	30
PID 2288 wrote to memory of 2716	2288	load.exe	30
PID 2288 wrote to memory of 2716	2288	load.exe	30
PID 2288 wrote to memory of 2716	2288	load.exe	30
PID 2352 wrote to memory of 2240	2352	kept.exe	31
PID 2352 wrote to memory of 2240	2352	kept.exe	31
PID 2352 wrote to memory of 2240	2352	kept.exe	31
PID 2352 wrote to memory of 2240	2352	kept.exe	31

C:\Users\Admin\AppData\Local\Temp\e0429d505642e0d79ac2740fc5950750.exe
"C:\Users\Admin\AppData\Local\Temp\e0429d505642e0d79ac2740fc5950750.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\kept.exe
  "C:\Users\Admin\AppData\Local\Temp\kept.exe"
  2⤵
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c preved.bat
    3⤵
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\load.exe
  "C:\Users\Admin\AppData\Local\Temp\load.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kept.exe

Filesize
32KB

MD5
0482b3f2a4ba95ccb7c88381d1fc9719

SHA1
85cf3021ca5877e58632205c191ee96616f31dc2

SHA256
c59e23c9b34ea3050b97f0e4e9eb1e1b197e7a460cc17bc04c4495d74ebe1dd9

SHA512
8653a27b27f9caa1c0d2474210c2200e95438a891f5a56647b80d0f5746ba2469c9c34b99556002b69e61a3148e3e78329619e92281205b0c86d122de1b925db

Download Submit
C:\Users\Admin\AppData\Local\Temp\load.exe

Filesize
9KB

MD5
1881018552e81c812f99d5ed14b9dc5a

SHA1
3a1a39535f8ab75aeef4d5f59729cd6bd665d060

SHA256
d28834eb1cbffd32961d40b33d1d4c902568643f03695e50eb34834b4044f590

SHA512
f749dc298985de49f27130ce7293e59f33ca565f3e7e24cc13e12728cfd91c7be7e9013495464ba001a5a3594166d90ac095d6a152bf9d6944b35bb050c9bb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\preved.bat

Filesize
159B

MD5
01d030a96ea759f7a77de4418b589d26

SHA1
c477d4510a484ac15a07d0b09ecdec0a5e227028

SHA256
8920328983362064eac8d911aeea19de37727bd4bc57684782c39b25f13b0050

SHA512
984d2475f9dcbba22ac962f5750c96b15af7a9594caef73bf00ec077276f935af43e044bd74f6f122c799b88a22a1dbb60c75f434511b61a47944a766fb9e7f9

Download Submit
memory/2352-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2352-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2360-0-0x0000000000400000-0x0000000000417200-memory.dmp

Filesize
92KB

Download
memory/2360-12-0x00000000031B0000-0x00000000031D4000-memory.dmp

Filesize
144KB

Download
memory/2360-27-0x00000000031B0000-0x00000000031D4000-memory.dmp

Filesize
144KB

Download
memory/2360-34-0x0000000000400000-0x0000000000417200-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads