5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80

General

Target

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
Size

876KB
MD5

beb116406043adf5d6fe5c688eae6d15
SHA1

f61c10b86ddad9dfde65ec4a923fedb253d52021
SHA256

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80
SHA512

0005dc3a469a0d88208b9846611a13cefa7e996ffb7a12cd29f847b8c882eaf31a687e2e138e43379fbbb3a5dfe5174c4bbf58a17893ed116142ac1f48f40d25
SSDEEP

24576:jw4bjw4bBQ1mvhl5zJWunpgghRD7X84HYFZ7s:jw4bjw4bBQ+FWWpgUVHSBs

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 5 IoCs

Processes:

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exeRegSvcs.exeiexpress.exe

description	pid	process	target process
PID 552 set thread context of 1788	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 1788 set thread context of 3444	1788	RegSvcs.exe	Explorer.EXE
PID 1788 set thread context of 3484	1788	RegSvcs.exe	iexpress.exe
PID 3484 set thread context of 3444	3484	iexpress.exe	Explorer.EXE
PID 3484 set thread context of 2604	3484	iexpress.exe	Firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexpress.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	iexpress.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exeRegSvcs.exeiexpress.exe

pid	process
552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
1788	RegSvcs.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegSvcs.exeExplorer.EXEiexpress.exe

pid process

1788 RegSvcs.exe
3444 Explorer.EXE
3444 Explorer.EXE
3484 iexpress.exe
3484 iexpress.exe
3484 iexpress.exe
3484 iexpress.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe

description pid process

Token: SeDebugPrivilege 552 5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3444 Explorer.EXE

pid	process
1788	RegSvcs.exe
3444	Explorer.EXE
3444	Explorer.EXE
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe
3484	iexpress.exe

description	pid	process
Token: SeDebugPrivilege	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe

pid	process
3444	Explorer.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exeExplorer.EXEiexpress.exe

description	pid	process	target process
PID 552 wrote to memory of 1984	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 552 wrote to memory of 1984	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 552 wrote to memory of 1984	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 552 wrote to memory of 1788	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 552 wrote to memory of 1788	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 552 wrote to memory of 1788	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 552 wrote to memory of 1788	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 552 wrote to memory of 1788	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 552 wrote to memory of 1788	552	5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe	RegSvcs.exe
PID 3444 wrote to memory of 3484	3444	Explorer.EXE	iexpress.exe
PID 3444 wrote to memory of 3484	3444	Explorer.EXE	iexpress.exe
PID 3444 wrote to memory of 3484	3444	Explorer.EXE	iexpress.exe
PID 3484 wrote to memory of 2604	3484	iexpress.exe	Firefox.exe
PID 3484 wrote to memory of 2604	3484	iexpress.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe
"C:\Users\Admin\AppData\Local\Temp\5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1788

C:\Windows\SysWOW64\iexpress.exe
"C:\Windows\SysWOW64\iexpress.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3484

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-12-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/552-1-0x0000000000CE0000-0x0000000000DBE000-memory.dmp

Filesize
888KB

Download
memory/552-2-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/552-3-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/552-4-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/552-5-0x0000000005A40000-0x0000000005ADC000-memory.dmp

Filesize
624KB

Download
memory/552-6-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/552-7-0x00000000064F0000-0x000000000650A000-memory.dmp

Filesize
104KB

Download
memory/552-8-0x0000000006510000-0x0000000006520000-memory.dmp

Filesize
64KB

Download
memory/552-9-0x00000000069E0000-0x0000000006A6A000-memory.dmp

Filesize
552KB

Download
memory/552-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/1788-17-0x0000000000D20000-0x0000000000D3F000-memory.dmp

Filesize
124KB

Download
memory/1788-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-10-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-13-0x0000000000D70000-0x00000000010BA000-memory.dmp

Filesize
3.3MB

Download
memory/1788-22-0x0000000000D20000-0x0000000000D3F000-memory.dmp

Filesize
124KB

Download
memory/2604-37-0x000001F1AA4B0000-0x000001F1AA564000-memory.dmp

Filesize
720KB

Download
memory/3444-38-0x0000000003330000-0x0000000003416000-memory.dmp

Filesize
920KB

Download
memory/3444-26-0x000000000DC90000-0x000000000EA6C000-memory.dmp

Filesize
13.9MB

Download
memory/3444-18-0x000000000DC90000-0x000000000EA6C000-memory.dmp

Filesize
13.9MB

Download
memory/3444-30-0x0000000003330000-0x0000000003416000-memory.dmp

Filesize
920KB

Download
memory/3444-29-0x0000000003330000-0x0000000003416000-memory.dmp

Filesize
920KB

Download
memory/3484-23-0x0000000002FD0000-0x000000000331A000-memory.dmp

Filesize
3.3MB

Download
memory/3484-27-0x0000000001060000-0x000000000109F000-memory.dmp

Filesize
252KB

Download
memory/3484-28-0x0000000002E10000-0x0000000002EAE000-memory.dmp

Filesize
632KB

Download
memory/3484-25-0x0000000002E10000-0x0000000002EAE000-memory.dmp

Filesize
632KB

Download
memory/3484-24-0x0000000001060000-0x000000000109F000-memory.dmp

Filesize
252KB

Download
memory/3484-20-0x0000000001060000-0x000000000109F000-memory.dmp

Filesize
252KB

Download
memory/3484-19-0x0000000001060000-0x000000000109F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads