929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3

General

Target

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Size

24KB
MD5

58de1ef68aefc14928f13ada8ffdc7d6
SHA1

746c48cbc7c6494a97eb51fc5653ea4d92067886
SHA256

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3
SHA512

0dff73007502969838c2c3dd7c9f89775cad5a6d07f8acebe8660f376cfaf8c0e76cd3e68b65f04421139cad7225abebcdfc824ebcb9c4bdb81fcb1cac1841f7

Score

8^/10

adware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

Loads dropped DLL 1 IoCs

Processes:

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

pid process

1268 929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
1268	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

Drops file in System32 directory 3 IoCs

Processes:

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hkjig.dll	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
File opened for modification	C:\Windows\SysWOW64\hkjig.dll	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
File created	C:\Windows\SysWOW64\d3dco.dll	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

Drops file in Windows directory 1 IoCs

Processes:

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

description ioc process

File opened for modification C:\Windows\hosts 929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\hosts	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Use Search Asst = "no"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Bar = "file://C:\\Users\\Admin\\AppData\\Local\\Temp\\sp.html"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Search	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\HOMEOldSP = "about:blank"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "no"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Custom Search URL = "1"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Search	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = "file://C:\\Users\\Admin\\AppData\\Local\\Temp\\sp.html"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Use Custom Search URL = "1"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "file://C:\\Users\\Admin\\AppData\\Local\\Temp\\sp.html"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "file://C:\\Users\\Admin\\AppData\\Local\\Temp\\sp.html"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "file://C:\\Users\\Admin\\AppData\\Local\\Temp\\sp.html"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\HOMEOldSP = "about:blank"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "file://C:\\Users\\Admin\\AppData\\Local\\Temp\\sp.html"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "about:blank"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "about:blank"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

Modifies registry class 18 IoCs

Processes:

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{956F2967-B957-4260-B9BF-A86F61A69BC2}	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{956F2967-B957-4260-B9BF-A86F61A69BC2}\InProcServer32\ = "C:\\Windows\\SysWow64\\hkjig.dll"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17461DA8-E062-499C-951C-E5CCE6F0C1D6}\InProcServer32\ = "C:\\Windows\\SysWow64\\hkjig.dll"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{17461DA8-E062-499C-951C-E5CCE6F0C1D6}"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{956F2967-B957-4260-B9BF-A86F61A69BC2}\InProcServer32	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{956F2967-B957-4260-B9BF-A86F61A69BC2}\InProcServer32\ThreadingModel = "Apartment"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A3351C0-2581-4E4E-BEB8-A90589DEED66}\InProcServer32\ = "C:\\Windows\\SysWow64\\hkjig.dll"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17461DA8-E062-499C-951C-E5CCE6F0C1D6}\InProcServer32	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A3351C0-2581-4E4E-BEB8-A90589DEED66}\InProcServer32	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17461DA8-E062-499C-951C-E5CCE6F0C1D6}\InProcServer32\ThreadingModel = "Apartment"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{17461DA8-E062-499C-951C-E5CCE6F0C1D6}"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A3351C0-2581-4E4E-BEB8-A90589DEED66}	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A3351C0-2581-4E4E-BEB8-A90589DEED66}\InProcServer32\ThreadingModel = "Apartment"	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17461DA8-E062-499C-951C-E5CCE6F0C1D6}	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe

description	pid	process	target process
PID 1268 wrote to memory of 1484	1268	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe	cmd.exe
PID 1268 wrote to memory of 1484	1268	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe	cmd.exe
PID 1268 wrote to memory of 1484	1268	929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe
"C:\Users\Admin\AppData\Local\Temp\929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\iehf.bat "C:\Users\Admin\AppData\Local\Temp\929ad412f2ea75b80bbd11bfa2bac3bec3fd689b7f40a5674a9449f1846d79e3.exe"
2⤵
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iehf.bat
Filesize
70B

MD5
677931564938373367422e56cdf23934

SHA1
fb077020992d9fa49a901d3b64c3d9ce5bb88b35

SHA256
2d8efe1526fa203539bc77da8570b4cb38d5a63836a76d2379b7b506d0a67ee0

SHA512
808e177716911a5b975449b55df4fe1fc97cdb929be621fe541a7dfe7dce3362039214fe1ab4760c4d67aafe8a12308d04e5a40dc028b848c154f3e3f2d120ba

Download Submit
C:\Windows\SysWOW64\hkjig.dll
Filesize
30KB

MD5
6ab6da7e09169e8c7e2b19a9c6f92525

SHA1
f7380838c22b386719cd684eaf11a0987166a4a9

SHA256
a0e35b3490d586c57550c12f89fa9087da687f775951190224ee96a00385ec5b

SHA512
0c5074c723b9c9666cd996301765069cc5676c8756a9d573a2976c6f609cae6992d8d5198b52e9c0aba7e076a2b916554f040fce16574fc44cd98ef124a31b11

Download Submit
memory/1484-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads