58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03

General

Target

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
Size

1.1MB
MD5

be17e1f9a72d48dbaca43c92270ebefb
SHA1

c399fd0a665af7324997c99c4d625fc524cbf737
SHA256

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03
SHA512

848621092700c058989708d63d1093af75134295709a5f059f67c139474c4a2abc309e49892a737af72b9532d89d9568b2fcf24672c0afe60dd2facbadd4f275
SSDEEP

24576:5AHnh+eWsN3skA4RV1Hom2KXMmHatXzudFl0r72OWsKMEtVaX5:Ah+ZkldoPK8YatDud70OOWsKMQm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

certreq.exe

pid process

2112 certreq.exe

pid	process
2112	certreq.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exesvchost.execertreq.exe

description	pid	process	target process
PID 2292 set thread context of 1948	2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 1948 set thread context of 1208	1948	svchost.exe	Explorer.EXE
PID 1948 set thread context of 2112	1948	svchost.exe	certreq.exe
PID 2112 set thread context of 1208	2112	certreq.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

certreq.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2721934792-624042501-2768869379-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	certreq.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

svchost.execertreq.exe

pid	process
1948	svchost.exe
1948	svchost.exe
1948	svchost.exe
1948	svchost.exe
1948	svchost.exe
1948	svchost.exe
1948	svchost.exe
1948	svchost.exe
2112	certreq.exe
2112	certreq.exe
2112	certreq.exe
2112	certreq.exe
2112	certreq.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exesvchost.exeExplorer.EXEcertreq.exe

pid	process
2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
1948	svchost.exe
1208	Explorer.EXE
1208	Explorer.EXE
2112	certreq.exe
2112	certreq.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exeExplorer.EXE

pid	process
2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exeExplorer.EXE

pid	process
2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exeExplorer.EXE

description	pid	process	target process
PID 2292 wrote to memory of 1948	2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 2292 wrote to memory of 1948	2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 2292 wrote to memory of 1948	2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 2292 wrote to memory of 1948	2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 2292 wrote to memory of 1948	2292	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 1208 wrote to memory of 2112	1208	Explorer.EXE	certreq.exe
PID 1208 wrote to memory of 2112	1208	Explorer.EXE	certreq.exe
PID 1208 wrote to memory of 2112	1208	Explorer.EXE	certreq.exe
PID 1208 wrote to memory of 2112	1208	Explorer.EXE	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
"C:\Users\Admin\AppData\Local\Temp\58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1948

C:\Windows\SysWOW64\certreq.exe
"C:\Windows\SysWOW64\certreq.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ehxtu400.zip
Filesize
444KB

MD5
d71848944418c67f6eb230682f9a969a

SHA1
11d37a0eccbaf9995c6b236ff1a99d174a2566bd

SHA256
efff0464180fcb34ec33e7835086ea58adc84bc3f0b08a7323ef1d58b258e59e

SHA512
7baef376fb5f87e43124f79f81fe45567b7926be277a05abbbfe74bdbbe8dc49c238999e432fb4c457dff23ca78915d2a899bdde9a2ee79b77c655c17ebe706d

Download Submit
C:\Users\Admin\AppData\Local\Temp\springmaker
Filesize
263KB

MD5
1a3f44afc6dbd6865cd95e17d704932e

SHA1
5a12a97f8435a255c8acc2424a1bde797994c26a

SHA256
c475f4a95b01d2e6e5507b5cefd6db55d0c0c2a277ce7a22ccf85db51781bd86

SHA512
90e16eb669fdecc889f19ba951994bba70126a29904a5eb4f9ffdf9ef5566fdb97072409679c7524fda39837d6d8a8c15ef81b40e1fdee30ffbf7c278e8c3d11

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
849KB

MD5
87f9e5a6318ac1ec5ee05aa94a919d7a

SHA1
7a9956e8de89603dba99772da29493d3fd0fe37d

SHA256
7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c

SHA512
c45c03176142918e34f746711e83384572bd6a8ed0a005600aa4a18cf22eade06c76eda190b37db49ec1971c4649e086affd19eee108c5f405df27c0c8cb23d2

Download Submit
memory/1208-18-0x0000000003160000-0x0000000003260000-memory.dmp

Filesize
1024KB

Download
memory/1208-67-0x0000000004540000-0x0000000004638000-memory.dmp

Filesize
992KB

Download
memory/1208-28-0x0000000004540000-0x0000000004638000-memory.dmp

Filesize
992KB

Download
memory/1208-27-0x0000000004540000-0x0000000004638000-memory.dmp

Filesize
992KB

Download
memory/1948-13-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1948-17-0x0000000000390000-0x00000000003B1000-memory.dmp

Filesize
132KB

Download
memory/1948-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-22-0x0000000000390000-0x00000000003B1000-memory.dmp

Filesize
132KB

Download
memory/1948-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2112-20-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2112-26-0x00000000024B0000-0x0000000002550000-memory.dmp

Filesize
640KB

Download
memory/2112-24-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2112-23-0x00000000025E0000-0x00000000028E3000-memory.dmp

Filesize
3.0MB

Download
memory/2112-19-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2112-65-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2112-66-0x0000000061E00000-0x0000000061EC1000-memory.dmp

Filesize
772KB

Download
memory/2292-11-0x00000000002C0000-0x00000000002C4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads