5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e

General

Target

5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
Size

88KB
MD5

107a2fefad98ccbfe9e90b7d673af869
SHA1

119484ee7a5a361cfb9de2542c044135a4cc33ca
SHA256

5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e
SHA512

59c6b106197d8c6a928422806e5dd921f1ac82fd033ccaccf7974e5b13ecebb34d37e4a130a8ab70fcd9730421121c31c23df60765f1ca97286f6f260129b7aa

Score

8^/10

adware evasion stealer trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

EnclosureMasonry.exeEnclosureMasonry.exe

pid process

1712 EnclosureMasonry.exe
1644 EnclosureMasonry.exe

pid	process
1712	EnclosureMasonry.exe
1644	EnclosureMasonry.exe

Loads dropped DLL 4 IoCs

Processes:

5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe

pid	process
1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 4 IoCs

Processes:

EnclosureMasonry.exeEnclosureMasonry.exe

description	ioc	process
File created	C:\Program Files\AverNebula\AntediluvianAver.exe	EnclosureMasonry.exe
File created	C:\Program Files\ProtractSartorial\SartorialDeclivity.exe	EnclosureMasonry.exe
File opened for modification	C:\Program Files\AverNebula\AntediluvianAver.exe	EnclosureMasonry.exe
File opened for modification	C:\Program Files\ProtractSartorial\SartorialDeclivity.exe	EnclosureMasonry.exe

Drops file in Windows directory 1 IoCs

Processes:

5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe

description ioc process

File created C:\Windows\SUGUZEFHWD.dll 5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SUGUZEFHWD.dll	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe

Modifies registry class 46 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ = "C:\\Windows\\SUGUZEFHWD.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID\ = "Thunder.xunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0\win32\ = "C:\\Windows\\SUGUZEFHWD.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D8D2F841-C4FC-4ADE-731A-56E6D1755624}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8D2F841-C4FC-4ADE-731A-56E6D1755624}\TypeLib\ = "{472A988E-2192-5F11-F0C0-ED3419BB40AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{472A988E-2192-5F11-F0C0-ED3419BB40AB}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exeEnclosureMasonry.exeEnclosureMasonry.exe

pid	process
1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
1712	EnclosureMasonry.exe
1712	EnclosureMasonry.exe
1644	EnclosureMasonry.exe
1644	EnclosureMasonry.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe

description	pid	process	target process
PID 1988 wrote to memory of 764	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	regsvr32.exe
PID 1988 wrote to memory of 764	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	regsvr32.exe
PID 1988 wrote to memory of 764	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	regsvr32.exe
PID 1988 wrote to memory of 764	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	regsvr32.exe
PID 1988 wrote to memory of 764	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	regsvr32.exe
PID 1988 wrote to memory of 764	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	regsvr32.exe
PID 1988 wrote to memory of 764	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	regsvr32.exe
PID 1988 wrote to memory of 1712	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	EnclosureMasonry.exe
PID 1988 wrote to memory of 1712	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	EnclosureMasonry.exe
PID 1988 wrote to memory of 1712	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	EnclosureMasonry.exe
PID 1988 wrote to memory of 1712	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	EnclosureMasonry.exe
PID 1988 wrote to memory of 1644	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	EnclosureMasonry.exe
PID 1988 wrote to memory of 1644	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	EnclosureMasonry.exe
PID 1988 wrote to memory of 1644	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	EnclosureMasonry.exe
PID 1988 wrote to memory of 1644	1988	5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe	EnclosureMasonry.exe

C:\Users\Admin\AppData\Local\Temp\5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe
"C:\Users\Admin\AppData\Local\Temp\5999187654ca53d596fa2b82010badf37584474d15b6ed176f14e330a1b9b25e.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\SUGUZEFHWD.dll"
2⤵
- Modifies registry class
PID:764

C:\Users\Admin\AppData\Local\Temp\EnclosureMasonry.exe
"C:\Users\Admin\AppData\Local\Temp\EnclosureMasonry.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Users\Admin\AppData\Local\Temp\EnclosureMasonry.exe
C:\Users\Admin\AppData\Local\Temp\EnclosureMasonry.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EnclosureMasonry.exe
MD5
619b4cf619eaebe531bb252e99cdd23b

SHA1
75131437e0039afc65aca67a7a54885b58b8054e

SHA256
cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402

SHA512
40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EnclosureMasonry.exe
MD5
619b4cf619eaebe531bb252e99cdd23b

SHA1
75131437e0039afc65aca67a7a54885b58b8054e

SHA256
cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402

SHA512
40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

Download Submit
C:\Windows\SUGUZEFHWD.dll
MD5
a3716a7e6a87a2b55dacaf863e3cbc6f

SHA1
826f9bf60c15c269c53e64dbf12484c6c199d892

SHA256
bb47f9c56664bf852c94ebcfe11da19f590eccae073fa35cb54be6171f2ef09c

SHA512
2db1d232eefef751c702d1e8aedea02d6f6729f4c928ec88185ebd2af34bd8d4f574741f05bc7d7582f2ec5ff63a08fd6bea1cfd09f25151f0d662af24055a67

Download Submit
\Users\Admin\AppData\Local\Temp\EnclosureMasonry.exe
MD5
619b4cf619eaebe531bb252e99cdd23b

SHA1
75131437e0039afc65aca67a7a54885b58b8054e

SHA256
cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402

SHA512
40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

Download Submit
\Users\Admin\AppData\Local\Temp\EnclosureMasonry.exe
MD5
619b4cf619eaebe531bb252e99cdd23b

SHA1
75131437e0039afc65aca67a7a54885b58b8054e

SHA256
cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402

SHA512
40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

Download Submit
\Users\Admin\AppData\Local\Temp\EnclosureMasonry.exe
MD5
619b4cf619eaebe531bb252e99cdd23b

SHA1
75131437e0039afc65aca67a7a54885b58b8054e

SHA256
cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402

SHA512
40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

Download Submit
\Users\Admin\AppData\Local\Temp\EnclosureMasonry.exe
MD5
619b4cf619eaebe531bb252e99cdd23b

SHA1
75131437e0039afc65aca67a7a54885b58b8054e

SHA256
cb6686fe656cba89761f291c52a77f9f5d9c50fa20d277d4e2e1bfa122e02402

SHA512
40a84a0a5b9246cff882a12e76b1e014fb9b6f018a637402f74bfd24155dd64b7a1ff519907a1e24b64ca1382a191adf6d29499d8f340426cb6876cd2fe3e6d3

Download Submit
memory/764-61-0x0000000000000000-mapping.dmp

Download
memory/1644-70-0x0000000000000000-mapping.dmp

Download
memory/1712-66-0x0000000000000000-mapping.dmp

Download
memory/1988-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads