aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89

General

Target

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe
Size

699KB
MD5

7d2dffc850ea555d40c45f09570475c7
SHA1

6cc0693502bc8caefcde997e260b0798b4fbde1e
SHA256

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89
SHA512

1e2036443166fea107ba4aab7ea4a5b991761c00d2b8e55ca17cb44fa06e9fbe09fb2c18979034af20be6f2d15c62880bcfcf8854b746080cc827e89a52ef865
SSDEEP

12288:6e37i8LkpEaIptKciGsJn4k4k0sa+NU89WJGTxUQvPCQv1ZdI7n0xRviwkR:6AOjEzpsrJ4kVh99WkUQvqQNZS0xRA

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 5 IoCs

Processes:

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exeRegSvcs.exeiexpress.exe

description	pid	process	target process
PID 1616 set thread context of 692	1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 692 set thread context of 3300	692	RegSvcs.exe	Explorer.EXE
PID 692 set thread context of 456	692	RegSvcs.exe	iexpress.exe
PID 456 set thread context of 3300	456	iexpress.exe	Explorer.EXE
PID 456 set thread context of 4568	456	iexpress.exe	Firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexpress.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	iexpress.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exeRegSvcs.exeiexpress.exe

pid	process
1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe
1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe
1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
692	RegSvcs.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegSvcs.exeExplorer.EXEiexpress.exe

pid process

692 RegSvcs.exe
3300 Explorer.EXE
3300 Explorer.EXE
456 iexpress.exe
456 iexpress.exe
456 iexpress.exe
456 iexpress.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe

description pid process

Token: SeDebugPrivilege 1616 aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe

pid	process
692	RegSvcs.exe
3300	Explorer.EXE
3300	Explorer.EXE
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe
456	iexpress.exe

description	pid	process
Token: SeDebugPrivilege	1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exeExplorer.EXEiexpress.exe

description	pid	process	target process
PID 1616 wrote to memory of 692	1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1616 wrote to memory of 692	1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1616 wrote to memory of 692	1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1616 wrote to memory of 692	1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1616 wrote to memory of 692	1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 1616 wrote to memory of 692	1616	aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe	RegSvcs.exe
PID 3300 wrote to memory of 456	3300	Explorer.EXE	iexpress.exe
PID 3300 wrote to memory of 456	3300	Explorer.EXE	iexpress.exe
PID 3300 wrote to memory of 456	3300	Explorer.EXE	iexpress.exe
PID 456 wrote to memory of 4568	456	iexpress.exe	Firefox.exe
PID 456 wrote to memory of 4568	456	iexpress.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe
"C:\Users\Admin\AppData\Local\Temp\aa6aaa2be3d8cc64ad42be11e2cd924bddf7bdb46780ec3bc2b8ac2032c3ad89.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:692

C:\Windows\SysWOW64\iexpress.exe
"C:\Windows\SysWOW64\iexpress.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:456

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/456-20-0x0000000000180000-0x00000000001BF000-memory.dmp

Filesize
252KB

Download
memory/456-28-0x0000000000180000-0x00000000001BF000-memory.dmp

Filesize
252KB

Download
memory/456-26-0x0000000002160000-0x00000000021FE000-memory.dmp

Filesize
632KB

Download
memory/456-25-0x0000000000180000-0x00000000001BF000-memory.dmp

Filesize
252KB

Download
memory/456-24-0x0000000002400000-0x000000000274A000-memory.dmp

Filesize
3.3MB

Download
memory/456-21-0x0000000000180000-0x00000000001BF000-memory.dmp

Filesize
252KB

Download
memory/692-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-23-0x0000000001810000-0x000000000182F000-memory.dmp

Filesize
124KB

Download
memory/692-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-18-0x0000000001810000-0x000000000182F000-memory.dmp

Filesize
124KB

Download
memory/692-11-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-14-0x00000000014C0000-0x000000000180A000-memory.dmp

Filesize
3.3MB

Download
memory/1616-6-0x0000000005450000-0x000000000546A000-memory.dmp

Filesize
104KB

Download
memory/1616-4-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/1616-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1616-10-0x0000000008030000-0x00000000080CC000-memory.dmp

Filesize
624KB

Download
memory/1616-1-0x00000000007F0000-0x00000000008A2000-memory.dmp

Filesize
712KB

Download
memory/1616-7-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/1616-5-0x00000000052A0000-0x00000000052AA000-memory.dmp

Filesize
40KB

Download
memory/1616-9-0x0000000006C90000-0x0000000006D1A000-memory.dmp

Filesize
552KB

Download
memory/1616-8-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1616-13-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/1616-3-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/1616-2-0x0000000005880000-0x0000000005E24000-memory.dmp

Filesize
5.6MB

Download
memory/3300-27-0x000000000D780000-0x000000001064D000-memory.dmp

Filesize
46.8MB

Download
memory/3300-19-0x000000000D780000-0x000000001064D000-memory.dmp

Filesize
46.8MB

Download
memory/3300-29-0x0000000003050000-0x000000000311E000-memory.dmp

Filesize
824KB

Download
memory/3300-30-0x0000000003050000-0x000000000311E000-memory.dmp

Filesize
824KB

Download
memory/3300-37-0x0000000003050000-0x000000000311E000-memory.dmp

Filesize
824KB

Download
memory/4568-36-0x0000023CFDEE0000-0x0000023CFDF93000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads