79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72

General

Target

79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
Size

889KB
MD5

f39d2a6989e91889f32517bbec113740
SHA1

553f9cb0f8986f0fa9194d21c47e6ec1ff3154b2
SHA256

79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72
SHA512

8bcf9f44a8fd8940e541149f98ddc98af3df2280236a1252a1b61a62322e72112cebf4708e4d9c1e5070efa8daa6986bc19cb6a6125be7d7406d0841e376ae08
SSDEEP

24576:0NZmIHf1QWK2a+XPnwYPbZDagZWuefKsZKnOIn:0JxaG0ZKnfn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	MicrosoftSevice.exe
3040	MicrosoftSevice.tmp

Loads dropped DLL 4 IoCs

pid	Process
1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
2776	MicrosoftSevice.exe
3040	MicrosoftSevice.tmp
3040	MicrosoftSevice.tmp

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1288-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral1/memory/1288-50-0x0000000000400000-0x00000000004E0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftSevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftSevice.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hae123.com"	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
2944	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3040	MicrosoftSevice.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2776	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	29
PID 1288 wrote to memory of 2776	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	29
PID 1288 wrote to memory of 2776	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	29
PID 1288 wrote to memory of 2776	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	29
PID 1288 wrote to memory of 2776	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	29
PID 1288 wrote to memory of 2776	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	29
PID 1288 wrote to memory of 2776	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	29
PID 2776 wrote to memory of 3040	2776	MicrosoftSevice.exe	30
PID 2776 wrote to memory of 3040	2776	MicrosoftSevice.exe	30
PID 2776 wrote to memory of 3040	2776	MicrosoftSevice.exe	30
PID 2776 wrote to memory of 3040	2776	MicrosoftSevice.exe	30
PID 3040 wrote to memory of 2944	3040	MicrosoftSevice.tmp	31
PID 3040 wrote to memory of 2944	3040	MicrosoftSevice.tmp	31
PID 3040 wrote to memory of 2944	3040	MicrosoftSevice.tmp	31
PID 3040 wrote to memory of 2944	3040	MicrosoftSevice.tmp	31
PID 1288 wrote to memory of 2532	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	33
PID 1288 wrote to memory of 2532	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	33
PID 1288 wrote to memory of 2532	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	33
PID 1288 wrote to memory of 2532	1288	79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe	33
PID 2532 wrote to memory of 2872	2532	cmd.exe	35
PID 2532 wrote to memory of 2872	2532	cmd.exe	35
PID 2532 wrote to memory of 2872	2532	cmd.exe	35
PID 2532 wrote to memory of 2872	2532	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe
"C:\Users\Admin\AppData\Local\Temp\79957451036cc62edc9e55bd2f19ecd9464ec454632e24ff6503da2d038f5e72N.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\MicrosoftSevice.exe
  C:\Users\Admin\AppData\Local\Temp\MicrosoftSevice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\is-IVDJ1.tmp\MicrosoftSevice.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-IVDJ1.tmp\MicrosoftSevice.tmp" /SL5="$80184,51915,51712,C:\Users\Admin\AppData\Local\Temp\MicrosoftSevice.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\Regedit.exe" -s C:\Adobes\info.desc
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Runs regedit.exe
      PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobes\info.desc

Filesize
280B

MD5
a0fd44bf16c285a195d371ba2404dc0a

SHA1
1880991f3f49d2f35e86ce2575d7535517a10f28

SHA256
686ea1ff46449d5412e6454ca7329a6f03e777714e35d502640c61ac16849613

SHA512
3477a190eda4b3fd79319ebeab24c3a62cdaffeb4d58f65488713f23e370f8a906365985dad5a8bd39a5d2e047c6f1da40af1d952cb3899c9809a32fb03b970a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
777B

MD5
ef331a41d2eb0a24da9e1bb2b9beb28f

SHA1
5077f96e5e193969670d9bd05d95bb329f968a8b

SHA256
554f559f26d87c5c6d83016815f5d66fc4d2022ec4611a6f6a7bcd465bc2b079

SHA512
81e8ebf3ff1313f80b9b7416c108f264cb0b9c1352fdd638cf1f6bdf106ed4bb69d090b4c9f3384a397a0e47bdf3fcdf6b4999606806372bc3e074423ceb1e94

Download Submit
\Users\Admin\AppData\Local\Temp\MicrosoftSevice.exe

Filesize
294KB

MD5
0634379d5e353caeec255cc16ae4118c

SHA1
ab0b74432223c7af24278e2cdf1323f50ff14922

SHA256
b152214b9d1a982bf574d30cd383dccd12e9104009776c61da540556b1c68339

SHA512
3b64ca89cf904b3dc9610845cff62778dff4f77848c8a29e2872a2ec50f23078545130ab362aebf9fbbf685406e5c28bb134c54b4aca04f1b8e0838dc76587cd

Download Submit
\Users\Admin\AppData\Local\Temp\is-IVDJ1.tmp\MicrosoftSevice.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
\Users\Admin\AppData\Local\Temp\is-RATT6.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1288-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1288-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1288-50-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2776-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2776-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2776-10-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3040-30-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3040-16-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads