b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa

General

Target

b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe
Size

244KB
MD5

ebe58dda0e680bad20a1bd6adb5eea8a
SHA1

64aded078b22cc30e68dc8d92855f25bf8e9f7b4
SHA256

b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa
SHA512

df2d098efc18f77e90959b4732f84d4afa7251af2f92b4dd99e78bdb725176e2dca11aff0ef241469077d756725166a1a9ba1df7c8469643adc856db9cf4909e
SSDEEP

6144:SLdOyetKju521va44L0ZgQHPVFttiRJuBY9:WFetF56WOHPntQR/

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

yfm.exe

pid process

1600 yfm.exe

pid	process
1600	yfm.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yfm.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\WINDOWS\\SYSTEM32\\liprip.dll"	yfm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\Windows\\system32\\liprip.dll"	svchost.exe

Loads dropped DLL 4 IoCs

Processes:

b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exesvchost.exe

pid	process
1648	b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe
1648	b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe
1768	svchost.exe
1768	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repst = "C:\\Windows\\system32\\iprep.exe"	svchost.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe

Drops file in System32 directory 4 IoCs

Processes:

b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exeyfm.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fsutk.dll	b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe
File created	C:\WINDOWS\SysWOW64\liprip.dll	yfm.exe
File opened for modification	C:\Windows\SysWOW64\fsutk.dll	svchost.exe
File created	C:\Windows\SysWOW64\iprep.exe	svchost.exe

Modifies data under HKEY_USERS 48 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R18.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.1	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Autodesk	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.0	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.2	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.1	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.2	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-18	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD\R16.0	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe

Modifies registry class 22 IoCs

Processes:

svchost.exeyfm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ = "IEHlprObj.IEHlprObj.1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "QuickFlash"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "QuickFlash"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{BF50AC63-19DA-487E-AD4A-0B452D823B59}"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\	yfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Windows\\SysWow64\\fsutk.dll"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ThreadingModel = "Apartment"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ = "QuickFlash"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeShutdownPrivilege 1768 svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exeyfm.exe

pid process

1648 b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe
1600 yfm.exe

description	pid	process
Token: SeShutdownPrivilege	1768	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe

description	pid	process	target process
PID 1648 wrote to memory of 1600	1648	b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe	yfm.exe
PID 1648 wrote to memory of 1600	1648	b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe	yfm.exe
PID 1648 wrote to memory of 1600	1648	b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe	yfm.exe
PID 1648 wrote to memory of 1600	1648	b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe	yfm.exe

C:\Users\Admin\AppData\Local\Temp\b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe
"C:\Users\Admin\AppData\Local\Temp\b87a39cf4d0bfcb643f754bddd5d459e77a62475c792bd11db432c8e8b4f02fa.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\yfm.exe
"C:\Users\Admin\AppData\Local\Temp\yfm.exe"
2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yfm.exe

Filesize
20KB

MD5
9daeeb01835ea8e364d4292df184f827

SHA1
1cb1b3274d0e2e6ac44f76a7c3ba38a2d8d15312

SHA256
b2700747b19b03bb99f4a00ba17d9271971283a7df14a290d3adc08de05de997

SHA512
87871c848994179e9ab10ac3da2b5bf81e598611317d46f8574391bbc78d0cca835b6526cabb1a21fa900cd2c5cb06a03fd0f690ee0860428d5a76855d3c9af7

Download Submit
C:\Windows\SysWOW64\fsutk.dll

Filesize
116KB

MD5
759da890358906ebeb81fd76ecf0632e

SHA1
9758efc746647ec7035ec9426712e2dadfaf06bc

SHA256
e11a416c4ce7a324c783afdfc5d7e7df5c73b9a65d99433c1563a58c0c6f96b9

SHA512
c403d403d8024669672810f7b27d8c44ddfe21cc09b3cb59cbf27a0950217595edd73308dd278fead00100d3eed85dc0b9f98f99db21159dd2e9777000339c5a

Download Submit
\??\c:\$Recycle.bin\int.dat

Filesize
220KB

MD5
34f36425c949036dd1ea78cb0dc32c30

SHA1
2f12b31227962f63b6d94cf20927ef4cdf2bd5fb

SHA256
33645d3500827b8f5690d43863795f867469f2afead268f7f20bbc79416a4d38

SHA512
649c4344286f0ad9dcd24d55df9e8cd69d3f5776a1a4af1262b7390615d08e8c2427f957f459e04da0e1556c9537568a4d8a4f47f69f69699af359fdefa37d5f

Download Submit
\??\c:\windows\SysWOW64\liprip.dll

Filesize
84KB

MD5
965b7446076d7e0a5e3bb8a05665a042

SHA1
245fb1259c9016a2b5d1d2f8d3791fd613a36b8f

SHA256
fecdb92561a3b782acd4659153d88d89118d8958af979b3eafb696eeebe070f1

SHA512
3aa518c7d3aaac6bfd1a9e1f0f976bd031fff1310e04a0b6a8ee3dc22abdc7b9e2dfe196c7d1ce96a8240ff27ab536db01487d20b99a8de0554d4373e3fccfd8

Download Submit
\Users\Admin\AppData\Local\Temp\yfm.exe

Filesize
20KB

MD5
9daeeb01835ea8e364d4292df184f827

SHA1
1cb1b3274d0e2e6ac44f76a7c3ba38a2d8d15312

SHA256
b2700747b19b03bb99f4a00ba17d9271971283a7df14a290d3adc08de05de997

SHA512
87871c848994179e9ab10ac3da2b5bf81e598611317d46f8574391bbc78d0cca835b6526cabb1a21fa900cd2c5cb06a03fd0f690ee0860428d5a76855d3c9af7

Download Submit
\Users\Admin\AppData\Local\Temp\yfm.exe

Filesize
20KB

MD5
9daeeb01835ea8e364d4292df184f827

SHA1
1cb1b3274d0e2e6ac44f76a7c3ba38a2d8d15312

SHA256
b2700747b19b03bb99f4a00ba17d9271971283a7df14a290d3adc08de05de997

SHA512
87871c848994179e9ab10ac3da2b5bf81e598611317d46f8574391bbc78d0cca835b6526cabb1a21fa900cd2c5cb06a03fd0f690ee0860428d5a76855d3c9af7

Download Submit
\Windows\SysWOW64\fsutk.dll

Filesize
116KB

MD5
759da890358906ebeb81fd76ecf0632e

SHA1
9758efc746647ec7035ec9426712e2dadfaf06bc

SHA256
e11a416c4ce7a324c783afdfc5d7e7df5c73b9a65d99433c1563a58c0c6f96b9

SHA512
c403d403d8024669672810f7b27d8c44ddfe21cc09b3cb59cbf27a0950217595edd73308dd278fead00100d3eed85dc0b9f98f99db21159dd2e9777000339c5a

Download Submit
\Windows\SysWOW64\liprip.dll

Filesize
84KB

MD5
965b7446076d7e0a5e3bb8a05665a042

SHA1
245fb1259c9016a2b5d1d2f8d3791fd613a36b8f

SHA256
fecdb92561a3b782acd4659153d88d89118d8958af979b3eafb696eeebe070f1

SHA512
3aa518c7d3aaac6bfd1a9e1f0f976bd031fff1310e04a0b6a8ee3dc22abdc7b9e2dfe196c7d1ce96a8240ff27ab536db01487d20b99a8de0554d4373e3fccfd8

Download Submit
memory/392-64-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/1600-56-0x0000000000000000-mapping.dmp

Download
memory/1768-63-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads