9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8

General

Target

9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
Size

41KB
MD5

5d1e4a4e7302c1c20d358978a5fcba50
SHA1

b1c5289e645610db4aa891c4a08ced5d359505f1
SHA256

9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8
SHA512

556dbe93692e55dd83580c989fb3e73e5997433d41166fd7db0eed209431ae09124589c01939a4091c4b869c4a5a2031a22eadab9342f54a02fe33ce3d1eb6ee

Score

7^/10

adware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 2 IoCs

Processes:

9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sklh.dat	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
File created	C:\Windows\SysWOW64\jzcom32.dll	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe

Modifies registry class 9 IoCs

Processes:

9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\ = "Rmn plugin"	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\InprocServer32\ = "jzcom32.dll"	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\InprocServer32\ThreadingModel = "Apartment"	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\ProgID\ = "RITLAB.1"	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\InprocServer32	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\ProgID	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\TypeLib	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\TypeLib\ = "{0781A6CB-03C2-4780-A4F4-946319703918}"	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe

description	pid	process	target process
PID 4708 wrote to memory of 2124	4708	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe	cmd.exe
PID 4708 wrote to memory of 2124	4708	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe	cmd.exe
PID 4708 wrote to memory of 2124	4708	9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
"C:\Users\Admin\AppData\Local\Temp\9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4708