a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b

General

Target

a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe
Size

1.1MB
MD5

14412d2aa398990082b683389385fb85
SHA1

158c3c43becd614837910f21ae163a4ebc09e80f
SHA256

a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b
SHA512

e9daa68d9793d85315a948640a0ed23e5f9576a54de1f79e21ebdaa641521c5bef14908c708ae29dc57d206a496497ac9ec575c38b1542e800c2d9366af4049f
SSDEEP

24576:BAHnh+eWsN3skA4RV1Hom2KXMmHaHhDxJV5RI2m0A/5:Yh+ZkldoPK8YaHxxJu2mN

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

certreq.exe

pid process

2256 certreq.exe

pid	process
2256	certreq.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exesvchost.execertreq.exe

description	pid	process	target process
PID 1484 set thread context of 844	1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe	svchost.exe
PID 844 set thread context of 1192	844	svchost.exe	Explorer.EXE
PID 844 set thread context of 2256	844	svchost.exe	certreq.exe
PID 2256 set thread context of 1192	2256	certreq.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

certreq.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	certreq.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

svchost.execertreq.exe

pid	process
844	svchost.exe
844	svchost.exe
844	svchost.exe
844	svchost.exe
844	svchost.exe
844	svchost.exe
844	svchost.exe
844	svchost.exe
2256	certreq.exe
2256	certreq.exe
2256	certreq.exe
2256	certreq.exe
2256	certreq.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exesvchost.exeExplorer.EXEcertreq.exe

pid	process
1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe
844	svchost.exe
1192	Explorer.EXE
1192	Explorer.EXE
2256	certreq.exe
2256	certreq.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exeExplorer.EXE

pid	process
1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe
1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe

pid	process
1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe
1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exeExplorer.EXE

description	pid	process	target process
PID 1484 wrote to memory of 844	1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe	svchost.exe
PID 1484 wrote to memory of 844	1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe	svchost.exe
PID 1484 wrote to memory of 844	1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe	svchost.exe
PID 1484 wrote to memory of 844	1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe	svchost.exe
PID 1484 wrote to memory of 844	1484	a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe	svchost.exe
PID 1192 wrote to memory of 2256	1192	Explorer.EXE	certreq.exe
PID 1192 wrote to memory of 2256	1192	Explorer.EXE	certreq.exe
PID 1192 wrote to memory of 2256	1192	Explorer.EXE	certreq.exe
PID 1192 wrote to memory of 2256	1192	Explorer.EXE	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe
"C:\Users\Admin\AppData\Local\Temp\a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a6986bf0b9dedf3fb327a3201ca01bf7f05b4d868839b3c10090b57f1740e99b.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:844

C:\Windows\SysWOW64\certreq.exe
"C:\Windows\SysWOW64\certreq.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dpqxvfe.zip
Filesize
429KB

MD5
16f94aee2d9a53bf8e58722679063051

SHA1
b1495ea7c4b2cad58404e051c144ac49323f95ee

SHA256
43a12cc1c155d0bb9686a1fcbc90babc9e99dbec475bddc2acacf31bd2b159e8

SHA512
9eaa6f61ecbadccdec565e32d5559e795365adacdbc0ff7362612b4d623117ce821817c7b7ac41538e765e7e0887b0ff2512f860a80662322a22524d4da13b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\underbalanced
Filesize
263KB

MD5
4d8361eeb2e70a2b8731e63ddf0b50dd

SHA1
f6a1e5ba7c59b6595809f42216a190481a34efae

SHA256
c62a9316957f85723e4a9f5ae04a329cbaae3c26868a0bedd9b778208648db2a

SHA512
5b62a25f5275026964171c7e844cec7c762da13135d9d1c086af4ca8bca29a32a8e770486ad6043db703044962f106d032a6efa75e01b9720b6cee21d1c27626

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
819KB

MD5
eda40ea55ff2eb2a2e5aca836bb1cc26

SHA1
6de11b4b121bc8b9b87b05ddbdd6eda4e9442c37

SHA256
330b88eacb778b86dff1a90189121e8b3280723be9fbf4e55174ede2bbf74af0

SHA512
caf63f50931f76ec919528dedfb8b6ee14590f5aa33f91a6b9c24f63c0f3851cffdc16eab976ee7d6140f383050050d26f3547743b5ae772001b8f6199f0a4fc

Download Submit
memory/844-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-22-0x0000000000200000-0x0000000000221000-memory.dmp

Filesize
132KB

Download
memory/844-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-17-0x0000000000200000-0x0000000000221000-memory.dmp

Filesize
132KB

Download
memory/844-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-13-0x0000000000B00000-0x0000000000E03000-memory.dmp

Filesize
3.0MB

Download
memory/1192-68-0x0000000004BE0000-0x0000000004CBC000-memory.dmp

Filesize
880KB

Download
memory/1192-26-0x0000000004BE0000-0x0000000004CBC000-memory.dmp

Filesize
880KB

Download
memory/1192-18-0x0000000009050000-0x000000000A3F9000-memory.dmp

Filesize
19.7MB

Download
memory/1192-28-0x0000000009050000-0x000000000A3F9000-memory.dmp

Filesize
19.7MB

Download
memory/1192-27-0x0000000004BE0000-0x0000000004CBC000-memory.dmp

Filesize
880KB

Download
memory/1484-11-0x0000000000160000-0x0000000000164000-memory.dmp

Filesize
16KB

Download
memory/2256-19-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2256-25-0x00000000024C0000-0x0000000002560000-memory.dmp

Filesize
640KB

Download
memory/2256-24-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2256-23-0x0000000002790000-0x0000000002A93000-memory.dmp

Filesize
3.0MB

Download
memory/2256-67-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2256-66-0x0000000061E00000-0x0000000061EBA000-memory.dmp

Filesize
744KB

Download
memory/2256-20-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads