8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab

Analysis

max time kernel
43s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe
Size

87KB
MD5

8964caa661358908ed89c5b635b0ce51
SHA1

f78dc6da226ebf00d2570626b5221ba74e710662
SHA256

8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab
SHA512

9cae722163e314bd469e40681bd649c6494261256099495cc1e185bc6851b4ea6946efa677c99e3e511defef634d5c8978914b8869be0c6feeee72eb0b092a00
SSDEEP

1536:UN6uBK9mVEQGCB6pZa6RGEN8XxWQchH33bYPDs5s35Tzdn:UN6uE9PQtB6pZa6RJCXxWhX3bYPD2spt

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Program Files (x86)\\Internet Explorer\\8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe"	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000013482-59.dat	acprotect
behavioral1/files/0x0009000000013482-60.dat	acprotect

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1808-56-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0009000000013482-59.dat	upx
behavioral1/files/0x0009000000013482-60.dat	upx
behavioral1/memory/1808-63-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1740	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
832	Regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\NoExplorer = "1"	Regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wybho.dll	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\VersionIndependentProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\VersionIndependentProgID\ = "WYBHO.wybhotool"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\TypeLib\ = "{7ED241B8-29E4-4501-BD55-A1D233A91C39}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\TypeLib\Version = "1.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1\CLSID\ = "{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CLSID\ = "{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7ED241B8-29E4-4501-BD55-A1D233A91C39}\1.0\0	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7ED241B8-29E4-4501-BD55-A1D233A91C39}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\wybho.dll"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\ProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CurVer\ = "WYBHO.wybhotool.1"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\ = "wybhotool Class"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7ED241B8-29E4-4501-BD55-A1D233A91C39}\1.0\FLAGS	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7ED241B8-29E4-4501-BD55-A1D233A91C39}\1.0\HELPDIR	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\TypeLib\ = "{7ED241B8-29E4-4501-BD55-A1D233A91C39}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1\CLSID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CurVer	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7ED241B8-29E4-4501-BD55-A1D233A91C39}\1.0\HELPDIR\ = "C:\\Windows\\system32"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\TypeLib\Version = "1.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1\ = "wybhotool Class"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\ = "wybhotool Class"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7ED241B8-29E4-4501-BD55-A1D233A91C39}\1.0	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7ED241B8-29E4-4501-BD55-A1D233A91C39}\1.0\ = "WYBHO 1.0 Type Library"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7ED241B8-29E4-4501-BD55-A1D233A91C39}\1.0\FLAGS\ = "0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CLSID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\Programmable	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7ED241B8-29E4-4501-BD55-A1D233A91C39}\1.0\0\win32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\ = "Iwybhotool"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\ = "Iwybhotool"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\InprocServer32\ = "C:\\Windows\\SysWow64\\wybho.dll"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7ED241B8-29E4-4501-BD55-A1D233A91C39}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\TypeLib\ = "{7ED241B8-29E4-4501-BD55-A1D233A91C39}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB680CA0-A942-4232-B9AB-5E23181AFD62}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16FE2912-E2E2-4F3A-BAE2-D11B7A8E4765}\ProgID\ = "WYBHO.wybhotool.1"	Regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 832	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	27
PID 1808 wrote to memory of 832	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	27
PID 1808 wrote to memory of 832	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	27
PID 1808 wrote to memory of 832	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	27
PID 1808 wrote to memory of 832	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	27
PID 1808 wrote to memory of 832	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	27
PID 1808 wrote to memory of 832	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	27
PID 1808 wrote to memory of 1740	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	29
PID 1808 wrote to memory of 1740	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	29
PID 1808 wrote to memory of 1740	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	29
PID 1808 wrote to memory of 1740	1808	8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe	29

C:\Users\Admin\AppData\Local\Temp\8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe
"C:\Users\Admin\AppData\Local\Temp\8fede6deb4f290fa9c296c3c7e097e9551178c88d3f2372af233b7fe279fb9ab.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe /s "C:\Windows\system32\wybho.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\123.bat
  2⤵
  - Deletes itself
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.bat

Filesize
316B

MD5
00b5c420b31bd1a9ef3f9a5ad78754ab

SHA1
1f20a42ffd9f917d5522a88f885b66ea6ed8e891

SHA256
bbb64b0e6a7b7d63d1c917a4bb56862b4834098527b1bb2ed2891542702da018

SHA512
a057e55338f95db8cf50156d1e05b11220477e1aa8cf022537171da4eaa7b1f6ad22a86edc0f4d2aae153a282dd6263058e94056c76525fd6f13ff279f8ef474

Download Submit
C:\Windows\SysWOW64\wybho.dll

Filesize
69KB

MD5
c0d62f71ef70e5e047b2708ce1dac36d

SHA1
13bc749b9d5962aaf0c66ee79bd1257263437bc4

SHA256
4eadb35a5ecf6b84b95a0543109864b00ba62d33b30551a079e9c0414e49f055

SHA512
649df96c80c81d5324da3a95d48a78c377521a35908bc5e90a4513ffb447a1827222556623f424c0d74f60e9fc97f21c3044df2d4062870cea245a60ed66183e

Download Submit
\Windows\SysWOW64\wybho.dll

Filesize
69KB

MD5
c0d62f71ef70e5e047b2708ce1dac36d

SHA1
13bc749b9d5962aaf0c66ee79bd1257263437bc4

SHA256
4eadb35a5ecf6b84b95a0543109864b00ba62d33b30551a079e9c0414e49f055

SHA512
649df96c80c81d5324da3a95d48a78c377521a35908bc5e90a4513ffb447a1827222556623f424c0d74f60e9fc97f21c3044df2d4062870cea245a60ed66183e

Download Submit
memory/832-58-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1808-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1808-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download