a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13

General

Target

a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe
Size

1.7MB
MD5

c7e2bccfe4e1d784768a20cafb256ce7
SHA1

3106910ff2c2b6f9716a6814558d0f20b4e3af5b
SHA256

a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13
SHA512

50c04e1330be93ee2ce0fc1eefc334482a13e0a9a23643ed37ffb5558b52a26eca798dc0187c5d18219b5c963d9b62f291b037e554a780c4fef94e8de1ca3125
SSDEEP

49152:G98E8uMwqQvhCcD0Tgy0LXu1qoTzmYvr6/TPeqwDTtxIxTie+GwBVUkCa2CSEAT6:G9PJqQvkcD+v49pN/reqwDTtxIxTie+1

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 3 IoCs

resource	yara_rule
behavioral1/files/0x0010000000014b12-8.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2820-13-0x0000000000400000-0x00000000004B4000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2820-78-0x0000000000400000-0x00000000004B4000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 2 IoCs

pid	Process
1680	13EE.tmp
2820	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe

Loads dropped DLL 3 IoCs

pid	Process
2936	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe
1680	13EE.tmp
2820	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
1680	13EE.tmp
2820	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2820	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe
2820	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1680	2936	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe	28
PID 2936 wrote to memory of 1680	2936	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe	28
PID 2936 wrote to memory of 1680	2936	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe	28
PID 2936 wrote to memory of 1680	2936	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe	28
PID 2936 wrote to memory of 1680	2936	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe	28
PID 2936 wrote to memory of 1680	2936	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe	28
PID 2936 wrote to memory of 1680	2936	a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe	28
PID 1680 wrote to memory of 2820	1680	13EE.tmp	29
PID 1680 wrote to memory of 2820	1680	13EE.tmp	29
PID 1680 wrote to memory of 2820	1680	13EE.tmp	29
PID 1680 wrote to memory of 2820	1680	13EE.tmp	29
PID 1680 wrote to memory of 2820	1680	13EE.tmp	29
PID 1680 wrote to memory of 2820	1680	13EE.tmp	29
PID 1680 wrote to memory of 2820	1680	13EE.tmp	29

C:\Users\Admin\AppData\Local\Temp\a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe
"C:\Users\Admin\AppData\Local\Temp\a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\13EE.tmp
  "C:\Users\Admin\AppData\Local\Temp\13EE.tmp" --pingC:\Users\Admin\AppData\Local\Temp\a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe 0C68347343B6644F2846893570711B15DBFC42993779BF8A7442EA7B44EBC2149AF1B5818076A09F65958DF03DB1B82ABE092AF274E32B4E66D79DF3584FE704
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe
    "C:\Users\Admin\AppData\Local\Temp\a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar218C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Adobe\downloader.dll

Filesize
737KB

MD5
7c130d8567d6e4c1555174af578918a8

SHA1
bb1f72b7eb5aa6ac54733f01d4195841dfe72cc8

SHA256
1540c84cde9716b2abd70e0efbf6beaf9eaa169b4dcaf157bd124f098e4abf38

SHA512
bde576ce37023cf1b4494106d65ab6e552d9d94622c88e074e9572d89f2d97371fd53697562f6c26147176825b84b6f7ea893c2cfd0fd151a78e6137165ff8e0

Download Submit
\Users\Admin\AppData\Local\Temp\13EE.tmp

Filesize
1.7MB

MD5
2695f2d2dcadb449595daaaa06214f8c

SHA1
e08247734e4e3848b00f9229e323f280377a3fa4

SHA256
e3856cf4a0a9a6a5ff32a021eebee767f4387469b9697b8ffe9f98fb7074fd55

SHA512
c21b0d0dc1ac8fbe2d785787377d6586c0a8bcf8dff8f27baf8b0664e3709d37ffac27320311fcfd09650e3fd8354d177525b90aed9f20efc5e59b14700cce0d

Download Submit
\Users\Admin\AppData\Local\Temp\a68a028e4b58b0a17c874e984a4bd6a936018deae688972feb9a6513b0158d13.exe

Filesize
1.0MB

MD5
03b18ee5ae548b01cf455ca56aa2daae

SHA1
3149878b9d40624265bd1abd63632ec21bf36c8d

SHA256
9f581b5730b3f10de2a3b3a21d3e476f3094feef3e4dd92ffdaa103f6c410802

SHA512
919b9e512a30c643052337e461fa1fbd055932b4a557753fe03ebab29925bfc6d1aba61a92f320729569a5ad3d60e7493b43e366313f5328caf0597772f60721

Download Submit
memory/1680-10-0x0000000002D30000-0x0000000002DE4000-memory.dmp

Filesize
720KB

Download
memory/2820-13-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2820-31-0x0000000006BA0000-0x0000000006BC0000-memory.dmp

Filesize
128KB

Download
memory/2820-78-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2820-79-0x0000000006BA0000-0x0000000006BC0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing