58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03

General

Target

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
Size

1.1MB
MD5

be17e1f9a72d48dbaca43c92270ebefb
SHA1

c399fd0a665af7324997c99c4d625fc524cbf737
SHA256

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03
SHA512

848621092700c058989708d63d1093af75134295709a5f059f67c139474c4a2abc309e49892a737af72b9532d89d9568b2fcf24672c0afe60dd2facbadd4f275
SSDEEP

24576:5AHnh+eWsN3skA4RV1Hom2KXMmHatXzudFl0r72OWsKMEtVaX5:Ah+ZkldoPK8YatDud70OOWsKMQm

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 5 IoCs

Processes:

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exesvchost.execertreq.exe

description	pid	process	target process
PID 2964 set thread context of 4532	2964	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 4532 set thread context of 3572	4532	svchost.exe	Explorer.EXE
PID 4532 set thread context of 4284	4532	svchost.exe	certreq.exe
PID 4284 set thread context of 3572	4284	certreq.exe	Explorer.EXE
PID 4284 set thread context of 2372	4284	certreq.exe	Firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

certreq.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	certreq.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

svchost.execertreq.exe

pid	process
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4532	svchost.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exesvchost.exeExplorer.EXEcertreq.exe

pid	process
2964	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
4532	svchost.exe
3572	Explorer.EXE
3572	Explorer.EXE
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe

pid	process
2964	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
2964	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe

pid	process
2964	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
2964	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3572 Explorer.EXE

pid	process
3572	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exeExplorer.EXEcertreq.exe

description	pid	process	target process
PID 2964 wrote to memory of 4532	2964	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 2964 wrote to memory of 4532	2964	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 2964 wrote to memory of 4532	2964	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 2964 wrote to memory of 4532	2964	58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe	svchost.exe
PID 3572 wrote to memory of 4284	3572	Explorer.EXE	certreq.exe
PID 3572 wrote to memory of 4284	3572	Explorer.EXE	certreq.exe
PID 3572 wrote to memory of 4284	3572	Explorer.EXE	certreq.exe
PID 4284 wrote to memory of 2372	4284	certreq.exe	Firefox.exe
PID 4284 wrote to memory of 2372	4284	certreq.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe
"C:\Users\Admin\AppData\Local\Temp\58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\58668c2d786aa1dd25da6c91163678e93b62dfebccc1e37ae352f469bb002d03.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4532

C:\Windows\SysWOW64\certreq.exe
"C:\Windows\SysWOW64\certreq.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4284

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut2DE6.tmp
Filesize
263KB

MD5
1a3f44afc6dbd6865cd95e17d704932e

SHA1
5a12a97f8435a255c8acc2424a1bde797994c26a

SHA256
c475f4a95b01d2e6e5507b5cefd6db55d0c0c2a277ce7a22ccf85db51781bd86

SHA512
90e16eb669fdecc889f19ba951994bba70126a29904a5eb4f9ffdf9ef5566fdb97072409679c7524fda39837d6d8a8c15ef81b40e1fdee30ffbf7c278e8c3d11

Download Submit
memory/2372-37-0x000001D1BAAE0000-0x000001D1BABF1000-memory.dmp

Filesize
1.1MB

Download
memory/2964-12-0x0000000001050000-0x0000000001054000-memory.dmp

Filesize
16KB

Download
memory/3572-19-0x000000000D750000-0x0000000010554000-memory.dmp

Filesize
46.0MB

Download
memory/3572-38-0x0000000002D60000-0x0000000002E19000-memory.dmp

Filesize
740KB

Download
memory/3572-30-0x0000000002D60000-0x0000000002E19000-memory.dmp

Filesize
740KB

Download
memory/3572-29-0x0000000002D60000-0x0000000002E19000-memory.dmp

Filesize
740KB

Download
memory/3572-27-0x000000000D750000-0x0000000010554000-memory.dmp

Filesize
46.0MB

Download
memory/4284-26-0x0000000003150000-0x00000000031F0000-memory.dmp

Filesize
640KB

Download
memory/4284-25-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/4284-21-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/4284-28-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/4284-20-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/4284-24-0x0000000003420000-0x000000000376A000-memory.dmp

Filesize
3.3MB

Download
memory/4532-18-0x00000000016D0000-0x00000000016F1000-memory.dmp

Filesize
132KB

Download
memory/4532-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-23-0x00000000016D0000-0x00000000016F1000-memory.dmp

Filesize
132KB

Download
memory/4532-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-14-0x0000000001800000-0x0000000001B4A000-memory.dmp

Filesize
3.3MB

Download
memory/4532-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads