ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1

General

Target

ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Size

60KB
MD5

7c1d9df96817698aa21a4350cc0b039d
SHA1

17d79a9f5f8616fdc72f91d9f70eaadde1cba0e6
SHA256

ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1
SHA512

2e37b7ba7d8c205361c7109d4f4563840aee9cc6cee4de9ce924ea7415f9c3f6975c3b266c641ae9472ce0deacc0d5f5c1bd4c9ebdf3ec8b0eadbc45126a98d0
SSDEEP

768:9eXIe14uEhPTvvQhRjbacva8lX8B1fGGf9:9fe6uEZLQ/PacBXE1uG

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
4792	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
4792	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
4792	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
4792	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
4792	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
4792	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
4792	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Client = "C:\\Windows\\system32\\wuclient.exe"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XPSP2 Firewall = "C:\\Windows\\system32\\xpsp2fw.exe"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\acVSen.dll	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
File created	C:\Windows\SysWOW64\ditunoCre.dll	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
File created	C:\Windows\SysWOW64\naldrclpp.dll	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
File created	C:\Windows\SysWOW64\favico.dat	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
File created	C:\Windows\SysWOW64\wuclient.exe	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
File created	C:\Windows\SysWOW64\xpsp2fw.exe	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
File opened for modification	C:\Windows\SysWOW64\xpsp2fw.exe	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
File created	C:\Windows\SysWOW64\ctipds.dll	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
File opened for modification	C:\Windows\SysWOW64\wuclient.exe	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Search	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\SearchUrl	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\SearchUrl = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\SearchUrl = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Search	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Bar = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchUrl	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchUrl\SearchUrl = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchUrl = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://realsearch.cc/"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchUrl	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Search Page = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchUrl = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchUrl = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\SearchUrl = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Search	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchUrl	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchUrl\SearchUrl = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchUrl = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Search	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\SearchUrl = "http://realsearch.cc/?a=2"	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchUrl	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Search	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5022158c-0442-0940-8561-8110ac350221}	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5022158c-0442-0940-8561-8110ac350221}\ = 8899667700000000100000001ea1f0d2100000001ea1f0d2510000001e0000001000000072657861756200010000001000000070724742747f00b500000010000000757865647f7e5263740060000000100000007f707d7563727d616100	ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe

C:\Users\Admin\AppData\Local\Temp\ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe
"C:\Users\Admin\AppData\Local\Temp\ea9ff29cfe3cb3fd140cc15fb740693fcfb1656c1dee1058158177c5facf5ba1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\acVSen.dll

Filesize
9KB

MD5
89eb286f0dbcebb4fc60796ee1b9c4a5

SHA1
15efc2b0ba2355cbe202791e87fcade327de3475

SHA256
405d64a5e986ecf6078a549f1c9587515a153a0d007b064d1c94dbf77439640a

SHA512
8c59b547e55ec4da448578bca5f47930346ced8ce7e0d8dadaa667881d147bf00e70fc31c7224606ccf4fe41832f964af4c0cbadeb108904fda5dd31ba2220b1

Download Submit
C:\Windows\SysWOW64\acVSen.dll

Filesize
9KB

MD5
89eb286f0dbcebb4fc60796ee1b9c4a5

SHA1
15efc2b0ba2355cbe202791e87fcade327de3475

SHA256
405d64a5e986ecf6078a549f1c9587515a153a0d007b064d1c94dbf77439640a

SHA512
8c59b547e55ec4da448578bca5f47930346ced8ce7e0d8dadaa667881d147bf00e70fc31c7224606ccf4fe41832f964af4c0cbadeb108904fda5dd31ba2220b1

Download Submit
C:\Windows\SysWOW64\ctipds.dll

Filesize
1KB

MD5
3d583b7658f1a3850ad21fbdece0db02

SHA1
3d4a7eff7408193be1e80e7dae3d702245c47cda

SHA256
2d385adeb071e72ac5839ab02d37ddfa006c6c456531eb63fd52fd6e5911e99a

SHA512
da825f8a8b0dbb58f54b62772e52f51197f58ec947e87937efd38dc904dae17e5122e5b493e7a6ee6d237b83b308255198eacba6b4e6352f3d462347818bd964

Download Submit
C:\Windows\SysWOW64\ditunoCre.dll

Filesize
2KB

MD5
b7e6e91e7a8efbc7a2014ceb6961da1d

SHA1
451fc2c2d7aed9efbdaa7d2ce3839a1488eb17cb

SHA256
dd90a0ca50ab0c7668f5184166d7848b1d773ae2b862382f18c85d3c18cb02c9

SHA512
c0de05b5c4be627b1bbd334c40de3c336b6a3265eecb428a8fdcc4d9ccb7b0e2ffc5cdaf6a02859b8f20dbe6feaa3acf176418b2ae13831706507a38532d9261

Download Submit
C:\Windows\SysWOW64\ditunoCre.dll

Filesize
2KB

MD5
b7e6e91e7a8efbc7a2014ceb6961da1d

SHA1
451fc2c2d7aed9efbdaa7d2ce3839a1488eb17cb

SHA256
dd90a0ca50ab0c7668f5184166d7848b1d773ae2b862382f18c85d3c18cb02c9

SHA512
c0de05b5c4be627b1bbd334c40de3c336b6a3265eecb428a8fdcc4d9ccb7b0e2ffc5cdaf6a02859b8f20dbe6feaa3acf176418b2ae13831706507a38532d9261

Download Submit
C:\Windows\SysWOW64\naldrclpp.dll

Filesize
2KB

MD5
831c549c3903dce08aff4225a0731b5d

SHA1
3c94df395a2b0cfdf7922c54e978620c7f7e4574

SHA256
a8217ea2fc079a115a28a6c365bfaabd7ce261d5d3454d853f9592c7a53706a0

SHA512
b287b618e93396f2e424c9f67764e7180150bbb5c8cd0ebff6f56a1737e6ecf70bb754a36f9f3715e6f5a7dc0ae85453b10c01b75b10700368a023357068c7a6

Download Submit
C:\Windows\SysWOW64\naldrclpp.dll

Filesize
2KB

MD5
831c549c3903dce08aff4225a0731b5d

SHA1
3c94df395a2b0cfdf7922c54e978620c7f7e4574

SHA256
a8217ea2fc079a115a28a6c365bfaabd7ce261d5d3454d853f9592c7a53706a0

SHA512
b287b618e93396f2e424c9f67764e7180150bbb5c8cd0ebff6f56a1737e6ecf70bb754a36f9f3715e6f5a7dc0ae85453b10c01b75b10700368a023357068c7a6

Download Submit
memory/4792-133-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/4792-136-0x00000000009F0000-0x00000000009F4000-memory.dmp

Filesize
16KB

Download
memory/4792-139-0x0000000000A40000-0x0000000000A43000-memory.dmp

Filesize
12KB

Download
memory/4792-142-0x0000000000A00000-0x0000000000A03000-memory.dmp

Filesize
12KB

Download
memory/4792-143-0x00000000009F0000-0x00000000009F4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads