54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531

Analysis

max time kernel
172s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Size

1.9MB
MD5

6347cc9bc10df0a1468e924b9d70b110
SHA1

4975c70b6d66a0747a50fc7962b002264362e77f
SHA256

54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531
SHA512

ccb4668f0462ffa64ab4fdb971a22681e5568463019a2af286abb1c838507c6d07a08216196be1df47bff02ff360b8246bedb0a42183793f2f1fab5a84139ca3
SSDEEP

49152:5lo74jnQUiUK8JMud9+7rg0kBPxlsMJ5cxwBCMF2ef:Q70n9iDu67c1HJ5cOVFf

Score

9^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000300000001e7bd-147.dat	acprotect
behavioral2/files/0x000300000001e7bd-146.dat	acprotect
behavioral2/files/0x000300000001e7bd-145.dat	acprotect
behavioral2/files/0x000300000001e7bd-144.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
372	searchlineu_nc.exe
1516	searchlinedc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000001e7bd-147.dat	upx
behavioral2/files/0x000300000001e7bd-146.dat	upx
behavioral2/files/0x000300000001e7bd-145.dat	upx
behavioral2/files/0x000300000001e7bd-144.dat	upx

Loads dropped DLL 19 IoCs

pid	Process
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Searchline_ncupdate = "C:\\Program Files (x86)\\Searchline_nc\\searchlinedc.exe"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Searchline_nc = "\"C:\\Program Files (x86)\\Searchline_nc\\searchlineu_nc.exe\" subcmd"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ = "searchline_nc"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\NoExplorer = "1"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
File created	C:\Program Files (x86)\Searchline_nc\searchlinedc.exe	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
File created	C:\Program Files (x86)\Searchline_nc\searchline_sajulove.dll	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
File created	C:\Program Files (x86)\Searchline_nc\searchline_sajulove_new.dll	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
File created	C:\Program Files (x86)\Searchline_nc\uninstall.exe	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
File created	C:\Program Files (x86)\Searchline_nc\searchline_nc.dll	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
680	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2884	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}\AppName = "searchlineu_nc.exe"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}\AppPath = "C:\\Program Files (x86)\\Searchline_nc\\"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7FED86F-D92D-4ae1-971B-0E64FCEFDDB8}\Policy = "3"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\searchline_nc.DLL\AppID = "{3FE22CA2-D5CC-4961-9FA3-96140C724342}"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1\CLSID	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\Programmable	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3FE22CA2-D5CC-4961-9FA3-96140C724342}	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CLSID\ = "{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CurVer\ = "searchline_nc.searchline_nc_Obj.1"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ProgID	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0\win32	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\ = "{DB89C58B-D295-4783-99AC-ABAADE306791}"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1\CLSID\ = "{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ProgID\ = "searchline_nc.searchline_nc_Obj.1"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\AppID = "{3FE22CA2-D5CC-4961-9FA3-96140C724342}"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\TypeLib\ = "{DB89C58B-D295-4783-99AC-ABAADE306791}"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\FLAGS	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\searchline_nc.DLL	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\ = "searchline_nc_Obj Class"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32\ = "C:\\Program Files (x86)\\Searchline_nc\\searchline_nc.dll"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\HELPDIR\	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\ = "{DB89C58B-D295-4783-99AC-ABAADE306791}"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32\ThreadingModel = "Apartment"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\Version = "1.0"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ = "Isearchline_nc_Obj"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj.1\ = "searchline_nc_Obj Class"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\TypeLib	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\FLAGS\ = "0"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3FE22CA2-D5CC-4961-9FA3-96140C724342}\ = "searchline_nc"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\VersionIndependentProgID\ = "searchline_nc.searchline_nc_Obj"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0\win32\ = "C:\\Program Files (x86)\\Searchline_nc\\searchline_nc.dll"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\HELPDIR	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib\Version = "1.0"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CLSID	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\searchline_nc.searchline_nc_Obj\CurVer	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ = "searchline_nc"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\VersionIndependentProgID	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\ = "searchline_nc 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ = "Isearchline_nc_Obj"	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
372	searchlineu_nc.exe
372	searchlineu_nc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
372	searchlineu_nc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1516	searchlinedc.exe
1516	searchlinedc.exe
372	searchlineu_nc.exe
372	searchlineu_nc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 4116	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	85
PID 1584 wrote to memory of 4116	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	85
PID 1584 wrote to memory of 4116	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	85
PID 4116 wrote to memory of 2884	4116	cmd.exe	87
PID 4116 wrote to memory of 2884	4116	cmd.exe	87
PID 4116 wrote to memory of 2884	4116	cmd.exe	87
PID 1584 wrote to memory of 372	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	88
PID 1584 wrote to memory of 372	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	88
PID 1584 wrote to memory of 372	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	88
PID 1584 wrote to memory of 1516	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	89
PID 1584 wrote to memory of 1516	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	89
PID 1584 wrote to memory of 1516	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	89
PID 1584 wrote to memory of 4960	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	90
PID 1584 wrote to memory of 4960	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	90
PID 1584 wrote to memory of 4960	1584	54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe	90
PID 372 wrote to memory of 680	372	searchlineu_nc.exe	92
PID 372 wrote to memory of 680	372	searchlineu_nc.exe	92
PID 372 wrote to memory of 680	372	searchlineu_nc.exe	92

C:\Users\Admin\AppData\Local\Temp\54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe
"C:\Users\Admin\AppData\Local\Temp\54f6384bc85682d1fb78d49906bfbffd5c082545dd2212d22460aa2d9b314531.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /C schtasks /Create /F /TN "Searchlinenc" /SC ONLOGON /TR "'C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe' schcmd" /rL HIGHEST
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /F /TN "Searchlinenc" /SC ONLOGON /TR "'C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe' schcmd" /rL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2884
- C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe
  "C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe" Runcmd
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\sc.exe
    sc query npf
    3⤵
    - Launches sc.exe
    PID:680
- C:\Program Files (x86)\Searchline_nc\searchlinedc.exe
  "C:\Program Files (x86)\Searchline_nc\searchlinedc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c \DelUS.bat
  2⤵
  PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
264B

MD5
6a733e9d537afb0ed3d9d744a4062d77

SHA1
9dc43ad146b175398558789f1e718aa5c405d3a0

SHA256
746879d0d35e748489e087ff5288713d900af67637f2ccb7f1695b55e887710f

SHA512
d34a1b63f4c11c66df698e20ea3b2f0e0fe03e326b1a4c1d573c7ee3acd027ac2a8ba0b598a8f7f680b526f74c1afb9687bfab381e0e547f6056aa71c79c5849

Download Submit
C:\Program Files (x86)\Searchline_nc\searchline_nc.dll

Filesize
170KB

MD5
14fbe278c10068a44636289e4fcfc09b

SHA1
888e7b2f5fe774ac831175c968d59f40407cbdd8

SHA256
2f485df272137fe7509f0ddd2c28e15fa9a425eb29df3a70265efeb4f7e97ba6

SHA512
193e2122fb460c6e081327e8cac5334e70c42e45591023da4893d73551b476ab1cbca33ad0cf705e7fd66920c8a40709d81c5e0871ad724734cb9e1d2b36052b

Download Submit
C:\Program Files (x86)\Searchline_nc\searchlinedc.exe

Filesize
638KB

MD5
62f387712ca620b5ea4b88c1a520a85f

SHA1
aa57fcac873786a5bde249bd61d883bb7fc92738

SHA256
b900f54ad04b0f53f7a4cc91ef8b6d1ea8294b6efdddaa20e1c77b33b1ab9111

SHA512
d2fd45ee0a6491b8e8c1fc55d6cc55f5fa0d6bae067c92f53b0830c3e680289cc4eaf689c2cb9f312b52f0f9cd14df4358c1b17b8bd0a919410187d46557b086

Download Submit
C:\Program Files (x86)\Searchline_nc\searchlinedc.exe

Filesize
638KB

MD5
62f387712ca620b5ea4b88c1a520a85f

SHA1
aa57fcac873786a5bde249bd61d883bb7fc92738

SHA256
b900f54ad04b0f53f7a4cc91ef8b6d1ea8294b6efdddaa20e1c77b33b1ab9111

SHA512
d2fd45ee0a6491b8e8c1fc55d6cc55f5fa0d6bae067c92f53b0830c3e680289cc4eaf689c2cb9f312b52f0f9cd14df4358c1b17b8bd0a919410187d46557b086

Download Submit
C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe

Filesize
390KB

MD5
67abb7da78bd67e80627fd8529e46245

SHA1
21c41bec13aaff7f12a6dc0b30410ea2d6052404

SHA256
6a1149cf59b53070ac1db1b7fa85c8194dea8c5035d4472a045168f6c73b8c56

SHA512
1a2f9d3ae9ea36bd781a23c18371db414117997f62130af71c442793a5f84b1f22d1179178fd61761d5364b6df470a43d39c573d17ebf33944b03cd9e13fec3b

Download Submit
C:\Program Files (x86)\Searchline_nc\searchlineu_nc.exe

Filesize
390KB

MD5
67abb7da78bd67e80627fd8529e46245

SHA1
21c41bec13aaff7f12a6dc0b30410ea2d6052404

SHA256
6a1149cf59b53070ac1db1b7fa85c8194dea8c5035d4472a045168f6c73b8c56

SHA512
1a2f9d3ae9ea36bd781a23c18371db414117997f62130af71c442793a5f84b1f22d1179178fd61761d5364b6df470a43d39c573d17ebf33944b03cd9e13fec3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\DLLWebCount.dll

Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\FindProcDLL.dll

Filesize
32KB

MD5
849abe37c3b8a6dd48089b769ee789c5

SHA1
81d5d6c4d6328059a07ae59878c717211a726512

SHA256
0ac175b28d2a156e71bda214d4a35321c85d434e325624564f0a5eee23c718be

SHA512
fa1f60aa1e26dffe6a0b2ee8cba6490cc2d1f94613777466ce434a71431bd88f8c3964718f3ea1dd2c8ca41847cc259999bb293ea2591f4f0a0add286229f76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\SelfDelete.dll

Filesize
24KB

MD5
ddc0d6806073a5b034104c88288ca762

SHA1
9663cc10c496f05d6167e19c3920245040e5e431

SHA256
2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b

SHA512
545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\UnProtectMode.dll

Filesize
300KB

MD5
d89ff06d097d5040c1e530990bbe5dfe

SHA1
aaf0e28701d20617352b4679c32b93668e44cb00

SHA256
19daf98b87df2d643e4b42dfbb0f31dccbd9bd36908f419de7df7db3b74b8b4f

SHA512
512c82a00d41aa2884e4154dbbaefec557d4bf57c3848b7d25096791b393c9eae73d530aa476f1fd51409f4454e2668a1392810d3609f37c1b65ad7df485498d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6EBA.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
memory/1584-154-0x0000000003090000-0x00000000030A2000-memory.dmp

Filesize
72KB

Download
memory/1584-153-0x0000000003090000-0x00000000030A2000-memory.dmp

Filesize
72KB

Download
memory/1584-152-0x0000000003090000-0x00000000030A2000-memory.dmp

Filesize
72KB

Download
memory/1584-151-0x0000000003090000-0x00000000030A2000-memory.dmp

Filesize
72KB

Download