4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42

General

Target

4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Size

207KB
MD5

0a6533f28d8fd2c0787b0efd3639f5ed
SHA1

4ce9dd199563540da0ed450927e66b46f414e414
SHA256

4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42
SHA512

c38080f0ee9a398252e567e9d9ae87692e0a31e51bd3400972c6b86b68983e15fc0556db97d5c27226ee8b08e0be52c68d600e30fc31cc01a59c32340cd13722

Score

10^/10

adware persistence stealer suricata

Malware Config

Signatures

suricata: ET MALWARE TSPY_BANKER.IDV/Infostealer.Bancos Module Download
suricata: ET MALWARE TSPY_BANKER.IDV/Infostealer.Bancos Module Download
suricata
Loads dropped DLL 1 IoCs

Processes:

4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

pid process

2268 4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cftmon = "C:\\Windows\\system32\\cftmon.exe"	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Asynchronous = "0"	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Startup = "fnGbf2"	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\StartShell = "fnGbf2"	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Shutdown = "fnGbf2"	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Logoff = "fnGbf2"	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Impersonate = "0"	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\DllName = "C:\\Windows\\system32\\mshyta16.dll"	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A\Logon = "fnGbf2"	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

Drops file in System32 directory 5 IoCs

Processes:

4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

description	ioc	process
File created	C:\Windows\SysWOW64\mshyta16.dll	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
File opened for modification	C:\Windows\SysWOW64\mshyta16.dll	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
File created	C:\Windows\SysWOW64\mshdtxt32.dat	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
File opened for modification	C:\Windows\SysWOW64\mshdtxt32.dat	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
File created	C:\Windows\SysWOW64\cftmon.exe	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

pid	process
2268	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
2268	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
2268	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
2268	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

pid	process
2268	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
2268	4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe

C:\Users\Admin\AppData\Local\Temp\4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe
"C:\Users\Admin\AppData\Local\Temp\4972624436d63615a384952d200b3a55258a590ccf0c613d9e37e5418e120e42.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gbfCD1.tmp
Filesize
25KB

MD5
d471b32dcd464e9e7fc14f940d14c4ad

SHA1
e57c539a91521e372fc427b271afe9567641e5d5

SHA256
3c25589f7e5ca3f5201049a45132180fa2ab9b02865705798675f4b7fb803dc1

SHA512
7cb29a6ddaeb11ca696fd13a3cab2b90aecaedb28c3693fb292731610665e77431c2c88f7f3fb0ae976a28a5eda0460e2d8ef6db65efdf368c1e1ebd1129a1c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads