e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763

General

Target

e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
Size

374KB
MD5

7d1b4a39c8df0c02355ba58bf0d3180f
SHA1

786b6aa3aab3714d78d81b4573530d607532f07a
SHA256

e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763
SHA512

5f334b9cfb0fc10218d14bbe549aa157b1989593d6c63dd384d96f620d6bad1ee7292cf009f4aa797c59777d07db83c1f9afc47eed5ea583a2c84309bced3461
SSDEEP

6144:aLcf19DQCTpV1S2GJYs7kXlQ1IR/Is7P/t1QWiT5H6TgF4G+klOEuKqYgLKrW:aAf1q6pV4jYs7kXlQ8Is7qT5H8P/OOER

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

lMc16601kEiDj16601.exe

pid process

2796 lMc16601kEiDj16601.exe
Executes dropped EXE 2 IoCs

Processes:

lMc16601kEiDj16601.exelMc16601kEiDj16601.exe

pid process

2908 lMc16601kEiDj16601.exe
2796 lMc16601kEiDj16601.exe
Loads dropped DLL 1 IoCs

Processes:

e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe

pid process

2532 e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe

pid	process
2796	lMc16601kEiDj16601.exe

pid	process
2908	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lMc16601kEiDj16601.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lMc16601kEiDj16601 = "C:\\ProgramData\\lMc16601kEiDj16601\\lMc16601kEiDj16601.exe"	lMc16601kEiDj16601.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2532-3-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2908-21-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2908-22-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2532-24-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2796-31-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2796-34-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2796-43-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

lMc16601kEiDj16601.exee399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exelMc16601kEiDj16601.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lMc16601kEiDj16601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lMc16601kEiDj16601.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

lMc16601kEiDj16601.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	lMc16601kEiDj16601.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exelMc16601kEiDj16601.exelMc16601kEiDj16601.exe

pid	process
2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
2908	lMc16601kEiDj16601.exe
2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
2908	lMc16601kEiDj16601.exe
2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
2908	lMc16601kEiDj16601.exe
2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
2908	lMc16601kEiDj16601.exe
2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exelMc16601kEiDj16601.exelMc16601kEiDj16601.exe

description	pid	process
Token: SeDebugPrivilege	2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
Token: SeDebugPrivilege	2908	lMc16601kEiDj16601.exe
Token: SeDebugPrivilege	2796	lMc16601kEiDj16601.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

lMc16601kEiDj16601.exe

pid process

2796 lMc16601kEiDj16601.exe
2796 lMc16601kEiDj16601.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

lMc16601kEiDj16601.exe

pid process

2796 lMc16601kEiDj16601.exe
2796 lMc16601kEiDj16601.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lMc16601kEiDj16601.exe

pid process

2796 lMc16601kEiDj16601.exe
2796 lMc16601kEiDj16601.exe

pid	process
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe

pid	process
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe

pid	process
2796	lMc16601kEiDj16601.exe
2796	lMc16601kEiDj16601.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe

description	pid	process	target process
PID 2532 wrote to memory of 2908	2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe	lMc16601kEiDj16601.exe
PID 2532 wrote to memory of 2908	2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe	lMc16601kEiDj16601.exe
PID 2532 wrote to memory of 2908	2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe	lMc16601kEiDj16601.exe
PID 2532 wrote to memory of 2908	2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe	lMc16601kEiDj16601.exe
PID 2532 wrote to memory of 2796	2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe	lMc16601kEiDj16601.exe
PID 2532 wrote to memory of 2796	2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe	lMc16601kEiDj16601.exe
PID 2532 wrote to memory of 2796	2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe	lMc16601kEiDj16601.exe
PID 2532 wrote to memory of 2796	2532	e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe	lMc16601kEiDj16601.exe

C:\Users\Admin\AppData\Local\Temp\e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe
"C:\Users\Admin\AppData\Local\Temp\e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\ProgramData\lMc16601kEiDj16601\lMc16601kEiDj16601.exe
"C:\ProgramData\lMc16601kEiDj16601\lMc16601kEiDj16601.exe" BOMBARDAMAXIMUM
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\ProgramData\lMc16601kEiDj16601\lMc16601kEiDj16601.exe
"C:\ProgramData\lMc16601kEiDj16601\lMc16601kEiDj16601.exe" "C:\Users\Admin\AppData\Local\Temp\e399d1306a00d6625981ad6f3a066c12925d81bb6d5666369750bc3271f4a763.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lMc16601kEiDj16601\lMc16601kEiDj16601

Filesize
192B

MD5
62498791d0115455dff671477b4a4f76

SHA1
e39e40364ed37dfc6e2cb6c59bbb21355e7fa2b6

SHA256
037aad2836722e1bef030926a525f707dd514007eb31aa319126ab2b02d5e42a

SHA512
ce8d15bdc1cc378d4ec7b08eb1a3ff00e42652a9bb89ba873c838cc9b47dab5e1325fc53bdd04c3b890930becc27ab9ce1201c33efe05001330975a8cba0d28a

Download Submit
C:\ProgramData\lMc16601kEiDj16601\lMc16601kEiDj16601

Filesize
192B

MD5
9f1f6acbdc2789b0a33823172b638e29

SHA1
526167e7ee890c0c252f4dfc371690c100671dab

SHA256
f0327edf7fb2eefc44b182c8944432c8abd7a186ce24773cd52efa7bc0e56949

SHA512
864edfd8e9a2a815a27832b8bc454b1aa4177a93497d9b8e8b963b4acc255985bf9a271d055fb447c67fba8383add95ca7202dfceff23633bd70e1b651bbc830

Download Submit
\ProgramData\lMc16601kEiDj16601\lMc16601kEiDj16601.exe

Filesize
374KB

MD5
d7a46463e77dd3abe88fa154550f1ea6

SHA1
e1a0ef45da90748495193a6e06c11aef4960d34d

SHA256
a0d76372008300087bbae7d97f4e8cc35c394190778b7f6a2f135be9f827e082

SHA512
bf005fe36379d1412cb6a919d49b3e8264009fc4053d031c724f773a330feb45588f94ca2a62df1217179977a5621340ff2742afc54277366bfd608aea1c5054

Download Submit
memory/2532-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2532-3-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2532-24-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2796-31-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2796-34-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2796-43-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2908-21-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2908-22-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads