0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895

General

Target

0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Size

5.4MB
MD5

f3fa95da5c40de082f3fe90f65cc8ca0
SHA1

554adccf1258d090eeaa5ce1094ba83246f09a50
SHA256

0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895
SHA512

165776dd77e76bcc878b9b4c86aefb3ca4221b1c606226fe6341efe4a1ec22189d4e3df7298966bdae8ddd166af933b29305186ea7ad763a365f0b0da7e78218

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe

Modifies registry class 12 IoCs

Processes:

0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe

description pid process

Token: SeRestorePrivilege 452 0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe

description	pid	process
Token: SeRestorePrivilege	452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe

pid	process
452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe

description	pid	process	target process
PID 452 wrote to memory of 1116	452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe	regsvr32.exe
PID 452 wrote to memory of 1116	452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe	regsvr32.exe
PID 452 wrote to memory of 1116	452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe	regsvr32.exe
PID 452 wrote to memory of 1116	452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe	regsvr32.exe
PID 452 wrote to memory of 1116	452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe	regsvr32.exe
PID 452 wrote to memory of 1116	452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe	regsvr32.exe
PID 452 wrote to memory of 1116	452	0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe
"C:\Users\Admin\AppData\Local\Temp\0312f2bfbdeaf9061f4ba0443d87c2fce68846fcbc2ffaca194ddc79fbaed895.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
2⤵
PID:1116

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/452-54-0x0000000075361000-0x0000000075363000-memory.dmp

Filesize
8KB

Download
memory/1116-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads