f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676

General

Target

f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
Size

200KB
MD5

ad2d269de4b6e20e3c5f05530abb8bd8
SHA1

2fcfe67cd378160bb8ed4e3160ce80ccc08d6822
SHA256

f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676
SHA512

45d8ddfdea7adcb44377435d88bc0dd331798bb400f9e458bee58dbe3d7077430a2553e1f12ca102214527eded7c0516f024144414ec0c3abfde597a2503988a
SSDEEP

6144:TlzJH5O7SWi9UpSGusPmwMa87XGS/EocnzvWBU:/s51HPzmXGmzEvW2

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe

pid	process
1976	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
1976	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqtdygjuqolbekne = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ijqlpagmntplf.DLL\""	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqtdygjuqolbekne = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Windows\\system32\\ijqlpagmntplf.dll\""	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exef14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}\NoExplorer = "1"	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe

Drops file in System32 directory 1 IoCs

Processes:

f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe

description ioc process

File created C:\Windows\SysWOW64\skdipjgvwruojbvs.exe f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\skdipjgvwruojbvs.exe	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b4c7fc37ffd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000058be5af21121584f874029a2fa904a25000000000200000000001066000000010000200000001e9b6f5d32d992f45e3cdc57ca8ca33a89041070f660634ca8372aa33865fe88000000000e800000000200002000000059f13e76607e38c07306d4bb90ed99d9eb7f0d6cbe1e3129f5b7cc18c8a26c42900000003104692b9fde0510e35aa86b1f88332133e01a03b276bc0f1ced68981e07ec0892392b80dfd51895566716a2760c8e50dca42bd71a7796c3c54845c326a78b61638523cd57b8f003601b3c4333edfab877b347f404736672467e7a4c8aa8835baa50bd2061661be822436dd38d22fdd3e419f9ab3971f4f699155491dd83e78d36c3ec7580ba0b7e53472f56ac19784240000000b55706138b2904b076dba1de31092e6d85752b6b92d99ad04d238b2d1c0df783ccc54790b03ef2770e62e4152fb4a18a2164c9b41180a0e861e069d7c128ec5e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000058be5af21121584f874029a2fa904a25000000000200000000001066000000010000200000009fa56cd62b192d7ae09aa12e04f06aeab613796c3bb03d2d06e67ea31e339a3d000000000e80000000020000200000003f03df746895bd9deab6e8b62c5758905b6f51c5a187498a21538af85d9b88be20000000123e1fc9951cb4de527076127f7ecc9a7cbb06d82ad91e8e19cc20aef8f6c5ac40000000be3242e0651840db2cde04d4824760e722f55fb25f391ecbad86be869a289fe1933c0de9af63f21d3bb7226e7f0aca347eaed3ebc72e18f49ae84d63f53422b4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375971851"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{21FD8531-6B2B-11ED-9551-6E705F4A26E5} = "0"	iexplore.exe

Modifies registry class 10 IoCs

Processes:

f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}\ = "precisead browser enhancer"	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}\ = "precisead browser enhancer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}\InProcServer32\ = "C:\\Windows\\SysWow64\\ijqlpagmntplf.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}\InProcServer32	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}\InProcServer32\ThreadingModel = "Apartment"	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijqlpagmntplf.DLL"	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D104D8C-6F2C-F197-EF14-C3596FA5EE85}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1104 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1104 iexplore.exe
1104 iexplore.exe
564 IEXPLORE.EXE
564 IEXPLORE.EXE

pid	process
1104	iexplore.exe

pid	process
1104	iexplore.exe
1104	iexplore.exe
564	IEXPLORE.EXE
564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exeiexplore.exe

description	pid	process	target process
PID 1976 wrote to memory of 980	1976	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe	regsvr32.exe
PID 1976 wrote to memory of 980	1976	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe	regsvr32.exe
PID 1976 wrote to memory of 980	1976	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe	regsvr32.exe
PID 1976 wrote to memory of 980	1976	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe	regsvr32.exe
PID 1976 wrote to memory of 980	1976	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe	regsvr32.exe
PID 1976 wrote to memory of 980	1976	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe	regsvr32.exe
PID 1976 wrote to memory of 980	1976	f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe	regsvr32.exe
PID 1104 wrote to memory of 564	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 564	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 564	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 564	1104	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe
"C:\Users\Admin\AppData\Local\Temp\f14b6c8707a9705a57d554847e414191738d67f53b572eb7cbd4bf45a0cf6676.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ijqlpagmntplf.dll"
2⤵
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N5230DNV.txt
Filesize
603B

MD5
a656e3a06e3965e5e3323441d631ab60

SHA1
a2b5ebbca6f9d5e92410aa4bddc436b0b2247033

SHA256
5bd59b7eb2d6001a8df49add46d980c56aa2f165ba359750f9092b2c0cf6d4c9

SHA512
97762fe97c04d5737a6143368a180737c9df26e57df42345b93986d9fb2df944c99122a755a8350091f8304906e750d931701112dd0a044e07bb6c74f97addd1

Download Submit
C:\Windows\SysWOW64\ijqlpagmntplf.dll
Filesize
381KB

MD5
572e7b84018c4384e6f44ee85a4b6921

SHA1
7874f698e0213610a2bb89c995274c5015bf23f5

SHA256
71d25c9e176b96387dd91a8ef801916e070cb6ee68be5714a7cb01085d0d8ea1

SHA512
e8d29b97e633478604b6b21eff299b56eeda319ee4db30c4e70ce33b1228eb9ea3e59ed7ef74bdfa0c3a1f49f29d5e77195e62340f32d0f68aaa0235d8d5753b

Download Submit
\Users\Admin\AppData\Local\Temp\ijqlpagmntplf.dll
Filesize
381KB

MD5
572e7b84018c4384e6f44ee85a4b6921

SHA1
7874f698e0213610a2bb89c995274c5015bf23f5

SHA256
71d25c9e176b96387dd91a8ef801916e070cb6ee68be5714a7cb01085d0d8ea1

SHA512
e8d29b97e633478604b6b21eff299b56eeda319ee4db30c4e70ce33b1228eb9ea3e59ed7ef74bdfa0c3a1f49f29d5e77195e62340f32d0f68aaa0235d8d5753b

Download Submit
\Users\Admin\AppData\Local\Temp\nsiF588.tmp\System.dll
Filesize
11KB

MD5
c6f5b9596db45ce43f14b64e0fbcf552

SHA1
665a2207a643726602dc3e845e39435868dddabc

SHA256
4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0

SHA512
8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

Download Submit
memory/980-59-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1976-57-0x0000000003800000-0x0000000003866000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads