d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d

Analysis

max time kernel
99s
max time network
130s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Size

1.8MB
MD5

f461f9f52fc6a8c85090ff006f0afacb
SHA1

7be1b241ae8734309ed19579a5689914357495a7
SHA256

d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d
SHA512

b164d6a93026bfa29601296438854506c3a84ff28cb0edcd059f7fb08918f6d4e5591610b01a0daf6c19648e55de8ab9383d30db6d13db404e51e453bbd10487
SSDEEP

49152:bWwGMAEA6TCdnbMY2KoH1C6OSJJQec8a9z:KwGMAQUbuV9OcJQeJa9z

Score

9^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000126af-61.dat	acprotect
behavioral1/files/0x00070000000126af-62.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1836	searchlineu_nc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000126af-61.dat	upx
behavioral1/files/0x00070000000126af-62.dat	upx

Deletes itself 1 IoCs

pid	Process
2004	cmd.exe

Loads dropped DLL 16 IoCs

pid	Process
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1836	searchlineu_nc.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1836	searchlineu_nc.exe
1836	searchlineu_nc.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Searchline_nc = "\"C:\\Program Files (x86)\\Searchline_nc\\searchlineu_nc.exe\" subcmd"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ = "searchline_nc"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\NoExplorer = "1"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Searchline_nc\uninstall.exe	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
File created	C:\Program Files (x86)\Searchline_nc\searchline_nc.dll	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
File created	C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
File created	C:\Program Files (x86)\Searchline_nc\searchline_sajulove.dll	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
File created	C:\Program Files (x86)\Searchline_nc\searchline_sajulove_new.dll	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1452	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
524	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}\AppName = "searchlineu_nc.exe"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}\AppPath = "C:\\Program Files (x86)\\Searchline_nc\\"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}\Policy = "3"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\VersionIndependentProgID	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\HELPDIR	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ = "Isearchline_nc_Obj"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\ = "{DB89C58B-D295-4783-99AC-ABAADE306791}"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3FE22CA2-D5CC-4961-9FA3-96140C724342}	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CLSID\ = "{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\Programmable	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ProgID	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\AppID = "{3FE22CA2-D5CC-4961-9FA3-96140C724342}"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\TypeLib	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\ = "searchline_nc 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1\CLSID	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CurVer	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CurVer\ = "searchline_nc.searchline_nc_Obj.1"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\HELPDIR\	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ = "Isearchline_nc_Obj"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\ = "{DB89C58B-D295-4783-99AC-ABAADE306791}"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ = "searchline_nc"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\FLAGS	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0\win32\ = "C:\\Program Files (x86)\\Searchline_nc\\searchline_nc.dll"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CLSID	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\TypeLib\ = "{DB89C58B-D295-4783-99AC-ABAADE306791}"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\FLAGS\ = "0"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0\win32	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\searchline_nc.DLL	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1\ = "searchline_nc_Obj Class"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1\CLSID\ = "{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ProgID\ = "searchline_nc.searchline_nc_Obj.1"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\VersionIndependentProgID\ = "searchline_nc.searchline_nc_Obj"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32\ = "C:\\Program Files (x86)\\Searchline_nc\\searchline_nc.dll"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\Version = "1.0"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\Version = "1.0"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3FE22CA2-D5CC-4961-9FA3-96140C724342}\ = "searchline_nc"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\searchline_nc.DLL\AppID = "{3FE22CA2-D5CC-4961-9FA3-96140C724342}"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\ = "searchline_nc_Obj Class"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32\ThreadingModel = "Apartment"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
1836	searchlineu_nc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1836	searchlineu_nc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1836	searchlineu_nc.exe
1836	searchlineu_nc.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 364	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	28
PID 1748 wrote to memory of 364	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	28
PID 1748 wrote to memory of 364	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	28
PID 1748 wrote to memory of 364	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	28
PID 1748 wrote to memory of 364	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	28
PID 1748 wrote to memory of 364	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	28
PID 1748 wrote to memory of 364	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	28
PID 364 wrote to memory of 524	364	cmd.exe	30
PID 364 wrote to memory of 524	364	cmd.exe	30
PID 364 wrote to memory of 524	364	cmd.exe	30
PID 364 wrote to memory of 524	364	cmd.exe	30
PID 364 wrote to memory of 524	364	cmd.exe	30
PID 364 wrote to memory of 524	364	cmd.exe	30
PID 364 wrote to memory of 524	364	cmd.exe	30
PID 1748 wrote to memory of 1836	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	31
PID 1748 wrote to memory of 1836	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	31
PID 1748 wrote to memory of 1836	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	31
PID 1748 wrote to memory of 1836	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	31
PID 1748 wrote to memory of 1836	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	31
PID 1748 wrote to memory of 1836	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	31
PID 1748 wrote to memory of 1836	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	31
PID 1836 wrote to memory of 1452	1836	searchlineu_nc.exe	33
PID 1836 wrote to memory of 1452	1836	searchlineu_nc.exe	33
PID 1836 wrote to memory of 1452	1836	searchlineu_nc.exe	33
PID 1836 wrote to memory of 1452	1836	searchlineu_nc.exe	33
PID 1836 wrote to memory of 1452	1836	searchlineu_nc.exe	33
PID 1836 wrote to memory of 1452	1836	searchlineu_nc.exe	33
PID 1836 wrote to memory of 1452	1836	searchlineu_nc.exe	33
PID 1748 wrote to memory of 2004	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	37
PID 1748 wrote to memory of 2004	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	37
PID 1748 wrote to memory of 2004	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	37
PID 1748 wrote to memory of 2004	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	37
PID 1748 wrote to memory of 2004	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	37
PID 1748 wrote to memory of 2004	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	37
PID 1748 wrote to memory of 2004	1748	d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe	37

C:\Users\Admin\AppData\Local\Temp\d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe
"C:\Users\Admin\AppData\Local\Temp\d84b1418b2bc91f672d3a61d999ec5dbce4cd0da245a8afff3a00c0d9d5f222d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /C schtasks /Create /F /TN "Searchlinenc" /SC ONLOGON /TR "'C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe' schcmd" /rL HIGHEST
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /F /TN "Searchlinenc" /SC ONLOGON /TR "'C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe' schcmd" /rL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:524
- C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe
  "C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe" Updatecmd
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\SysWOW64\sc.exe
    sc query npf
    3⤵
    - Launches sc.exe
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
264B

MD5
fd592bba4d7a0a8f1d3349d4af11160e

SHA1
9ff4b08f07277ffdb9337a274f97eeb4e15e6ddd

SHA256
4f22a87fecf5d63ac53a238b51f44d93080f4e45e76cb2b49465c221dc5eab88

SHA512
9d63d9c64e5ff192d5c4adda5c38ae61b21d767646f74a7ad7a2849ca3d3a7b5d33d55873380e6019e9f1dd58fb3c9ea1ac5255a5c95ce28aa18c5376cef5410

Download Submit
C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe

Filesize
390KB

MD5
78ddc299c6a243f684b1eece06685c26

SHA1
4a29b6651de3a70cec097d587439b5908dc2a88f

SHA256
18787c31e73ff28a4c6b33555f09bc72fee9de85a96530483bf61311c2c292a7

SHA512
78a8d188b345d85d367c04008a4841fd622fff3e3818a1c4d240c1d682454de47cc3db2f9df840fe3cd2db87a11accaa78361ab80f4f50583cf672c866d2f8f9

Download Submit
C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe

Filesize
390KB

MD5
78ddc299c6a243f684b1eece06685c26

SHA1
4a29b6651de3a70cec097d587439b5908dc2a88f

SHA256
18787c31e73ff28a4c6b33555f09bc72fee9de85a96530483bf61311c2c292a7

SHA512
78a8d188b345d85d367c04008a4841fd622fff3e3818a1c4d240c1d682454de47cc3db2f9df840fe3cd2db87a11accaa78361ab80f4f50583cf672c866d2f8f9

Download Submit
\Program Files (x86)\Searchline_nc\searchline_nc.dll

Filesize
170KB

MD5
810db6bbf806f2f32c7d8b0d390553e7

SHA1
4c751ed2227a1dad08114bd9ca81da25850f4777

SHA256
b5520eb399f3eb90d77cd1a4ddc4b4410d93a1f51d022e3e6c711c66525b9270

SHA512
b255bc829a4a1da9493259cdbc00426c89f996476138eae44b79e44a95a81b9f0b8446cc32ecd6f1b1528a3ee648658cd5a346abd48a60a02268c6d931ce0fa6

Download Submit
\Program Files (x86)\Searchline_nc\searchlineu_nc.exe

Filesize
390KB

MD5
78ddc299c6a243f684b1eece06685c26

SHA1
4a29b6651de3a70cec097d587439b5908dc2a88f

SHA256
18787c31e73ff28a4c6b33555f09bc72fee9de85a96530483bf61311c2c292a7

SHA512
78a8d188b345d85d367c04008a4841fd622fff3e3818a1c4d240c1d682454de47cc3db2f9df840fe3cd2db87a11accaa78361ab80f4f50583cf672c866d2f8f9

Download Submit
\Program Files (x86)\Searchline_nc\searchlineu_nc.exe

Filesize
390KB

MD5
78ddc299c6a243f684b1eece06685c26

SHA1
4a29b6651de3a70cec097d587439b5908dc2a88f

SHA256
18787c31e73ff28a4c6b33555f09bc72fee9de85a96530483bf61311c2c292a7

SHA512
78a8d188b345d85d367c04008a4841fd622fff3e3818a1c4d240c1d682454de47cc3db2f9df840fe3cd2db87a11accaa78361ab80f4f50583cf672c866d2f8f9

Download Submit
\Program Files (x86)\Searchline_nc\searchlineu_nc.exe

Filesize
390KB

MD5
78ddc299c6a243f684b1eece06685c26

SHA1
4a29b6651de3a70cec097d587439b5908dc2a88f

SHA256
18787c31e73ff28a4c6b33555f09bc72fee9de85a96530483bf61311c2c292a7

SHA512
78a8d188b345d85d367c04008a4841fd622fff3e3818a1c4d240c1d682454de47cc3db2f9df840fe3cd2db87a11accaa78361ab80f4f50583cf672c866d2f8f9

Download Submit
\Program Files (x86)\Searchline_nc\searchlineu_nc.exe

Filesize
390KB

MD5
78ddc299c6a243f684b1eece06685c26

SHA1
4a29b6651de3a70cec097d587439b5908dc2a88f

SHA256
18787c31e73ff28a4c6b33555f09bc72fee9de85a96530483bf61311c2c292a7

SHA512
78a8d188b345d85d367c04008a4841fd622fff3e3818a1c4d240c1d682454de47cc3db2f9df840fe3cd2db87a11accaa78361ab80f4f50583cf672c866d2f8f9

Download Submit
\Program Files (x86)\Searchline_nc\searchlineu_nc.exe

Filesize
390KB

MD5
78ddc299c6a243f684b1eece06685c26

SHA1
4a29b6651de3a70cec097d587439b5908dc2a88f

SHA256
18787c31e73ff28a4c6b33555f09bc72fee9de85a96530483bf61311c2c292a7

SHA512
78a8d188b345d85d367c04008a4841fd622fff3e3818a1c4d240c1d682454de47cc3db2f9df840fe3cd2db87a11accaa78361ab80f4f50583cf672c866d2f8f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9ABC.tmp\DLLWebCount.dll

Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9ABC.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9ABC.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9ABC.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9ABC.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9ABC.tmp\SelfDelete.dll

Filesize
24KB

MD5
ddc0d6806073a5b034104c88288ca762

SHA1
9663cc10c496f05d6167e19c3920245040e5e431

SHA256
2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b

SHA512
545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9ABC.tmp\UnProtectMode.dll

Filesize
300KB

MD5
d89ff06d097d5040c1e530990bbe5dfe

SHA1
aaf0e28701d20617352b4679c32b93668e44cb00

SHA256
19daf98b87df2d643e4b42dfbb0f31dccbd9bd36908f419de7df7db3b74b8b4f

SHA512
512c82a00d41aa2884e4154dbbaefec557d4bf57c3848b7d25096791b393c9eae73d530aa476f1fd51409f4454e2668a1392810d3609f37c1b65ad7df485498d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9ABC.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9ABC.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9ABC.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
memory/364-64-0x0000000000000000-mapping.dmp

Download
memory/524-66-0x0000000000000000-mapping.dmp

Download
memory/1452-81-0x0000000000000000-mapping.dmp

Download
memory/1748-70-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1748-69-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1748-68-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1748-54-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1836-73-0x0000000000000000-mapping.dmp

Download
memory/2004-84-0x0000000000000000-mapping.dmp

Download