54e5d5def603f6775637df8107a85c258920d48a29219a1dc983f87a522d4530

Analysis

max time kernel
90s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54e5d5def603f6775637df8107a85c258920d48a29219a1dc983f87a522d4530.exe
Size

1.2MB
MD5

77dd00b4301cabeca411c23e15119642
SHA1

64c276e8aecb27b296efc99e1976e0de9dc24c08
SHA256

54e5d5def603f6775637df8107a85c258920d48a29219a1dc983f87a522d4530
SHA512

9f834d1749a443cccbd3303197a84e8a46886af5c6f9c8d24fbcdcfb48f90e9e0a2c6a0ae1d5712e5407844e76c5b24417f52d7c43515aacd93ffc34f230c1e9
SSDEEP

24576:C3UwQCeoeO0VwWfRGgSNWC86CblPKPHZg5tAO4dkL0Iwpfyjre1:CEwQCeoedw6RGh86+CP5ggvdkLOVyjy

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
644	kmssetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Keep My Search = "C:\\Users\\Admin\\AppData\\Local\\KeepMySearch\\keepmysearch\\1.3.17.3\\keepmysearch.exe"	kmssetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	kmssetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\kmssetup.exe = "19000"	kmssetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\keepmysearch.exe = "19000"	kmssetup.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\instl\data	kmssetup.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch	kmssetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\instl\data\prm4	kmssetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\instl\data\prm5	kmssetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\instl\data\country	kmssetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\instl\data\lng	kmssetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\uninstl\keepmysearchkms = "C:\\Users\\Admin\\AppData\\Local\\KeepMySearch\\keepmysearch\\1.3.17.3\\kmssetup.exe"	kmssetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\instl\data\APPORDR = "60EA272D1317BE98"	kmssetup.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\instl	kmssetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\instl\data\prm1	kmssetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\instl\data\prm2	kmssetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\instl\data\prm3	kmssetup.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\keepmysearch\uninstl	kmssetup.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe
644	kmssetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
644	kmssetup.exe
644	kmssetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 644	4752	54e5d5def603f6775637df8107a85c258920d48a29219a1dc983f87a522d4530.exe	82
PID 4752 wrote to memory of 644	4752	54e5d5def603f6775637df8107a85c258920d48a29219a1dc983f87a522d4530.exe	82
PID 4752 wrote to memory of 644	4752	54e5d5def603f6775637df8107a85c258920d48a29219a1dc983f87a522d4530.exe	82

C:\Users\Admin\AppData\Local\Temp\54e5d5def603f6775637df8107a85c258920d48a29219a1dc983f87a522d4530.exe
"C:\Users\Admin\AppData\Local\Temp\54e5d5def603f6775637df8107a85c258920d48a29219a1dc983f87a522d4530.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\KeepMySearch\keepmysearch\1.3.17.3\kmssetup.exe
  /instl
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KeepMySearch\keepmysearch\1.3.17.3\app.ini

Filesize
579B

MD5
ad2501840f31137bd6a7d2101c16bffa

SHA1
decaf1ab9d6c2c28d173e021b3b2ad5ad93640e6

SHA256
ade2b0fb1e19a93959944265947ecee76c10c91d8309846aa23a2a2204652275

SHA512
7675a255e42168d983af62658138c665c7d0ef37ecf69bf72ecd3a10c9b646ae5371d4a09848dfa2190141a59f8d481f1529068d2b6e557a93ba348479702221

Download Submit
C:\Users\Admin\AppData\Local\KeepMySearch\keepmysearch\1.3.17.3\hopowcbk.dll

Filesize
298KB

MD5
b555a7d55c12f7769eda611b0bf5723b

SHA1
4aa902a368b7719022ad6e014f23b7cdcfcf1a4f

SHA256
8a79ff2c4df91681fedc5ed70dbe117e89fab0f4d920ae459a82ccb5323a10a5

SHA512
42e1670b720b45c9f64d49bb153dce202e78e42cb391ffaddeeb140497fbac91345fb8d41bbb467c9aa6ff1d1d20fc3f1cf8b3ba7bf24c6cc300a98bd814c7e2

Download Submit
C:\Users\Admin\AppData\Local\KeepMySearch\keepmysearch\1.3.17.3\kaiHjogb.dll

Filesize
279KB

MD5
d285347dc86127e7044f5f829621c4af

SHA1
522c913bd2cf0f33b32f6b1fcbe9b928d196b9a7

SHA256
2300f11a66e0605f97fae13e351ad9d58a10e848a043dcc7eacb9562cb8400b9

SHA512
077ed94923390601b98f94246ca258fc7a012396303bbc7c36601c7f80b4c3b757a36ca056c4268e2caba469532168834336d6170497364cebd0e864e36a313d

Download Submit
C:\Users\Admin\AppData\Local\KeepMySearch\keepmysearch\1.3.17.3\keepmysearch.exe

Filesize
614KB

MD5
d87748eabe21ad2f180d89aa8e0f2198

SHA1
11dcbca5df0acf67a48d9da014a6b15a75121342

SHA256
8e4dd8cc14ecdd489a531e79e761bae66d1fb0fb9a6d4136eddcf4058bd9ee3a

SHA512
f1e456feda8eb013ce91533f755348b52e41e9be0f4030eb80e12c3abcbe0d063031249fbe64bfcf5bd4506758ef7ee9b920de065dbae0223f065e5c2cedb929

Download Submit
C:\Users\Admin\AppData\Local\KeepMySearch\keepmysearch\1.3.17.3\kmssetup.exe

Filesize
427KB

MD5
0231348b09add430bf8792829529dbcf

SHA1
ba45b3a396f35706d15436ae7b407b0ee0038be9

SHA256
a63dbadf088228f0f00e7fda202b9643876ea9775321a62cceb43fb12f9a4812

SHA512
4ef11446c74449b1d15bca9ef5357ac73566d86be3f230a34d215c0445d09e5094cddfdb083565764082832b5740bedefc5f1760c3666d7dd8ae27dc491d57f5

Download Submit
C:\Users\Admin\AppData\Local\KeepMySearch\keepmysearch\1.3.17.3\kmssetup.exe

Filesize
427KB

MD5
0231348b09add430bf8792829529dbcf

SHA1
ba45b3a396f35706d15436ae7b407b0ee0038be9

SHA256
a63dbadf088228f0f00e7fda202b9643876ea9775321a62cceb43fb12f9a4812

SHA512
4ef11446c74449b1d15bca9ef5357ac73566d86be3f230a34d215c0445d09e5094cddfdb083565764082832b5740bedefc5f1760c3666d7dd8ae27dc491d57f5

Download Submit
C:\Users\Admin\AppData\Local\KeepMySearch\keepmysearch\1.3.17.3\res.dll

Filesize
192KB

MD5
17b66d64799bbd6dc773ff9097a85924

SHA1
188d9bf1b20c8e7a593c10d96d5998c83681e7ce

SHA256
8d72363a76d24b2cb22947d6d56176ba9fe8f71685a04ac746cc235d3c6db812

SHA512
0a7a8180b520331c4b7f3bd5bb93b2bd9382cd1e4c14224291ea72f27b32fab9efcac008cb78cb27b99c233a3f6a496994ed1a136cd1f29931bd1295009aef36

Download Submit
C:\Users\Admin\AppData\Local\KeepMySearch\keepmysearch\1.3.17.3\serp.js

Filesize
1KB

MD5
3df053951cb1471e5f4203599f45f321

SHA1
45cee1efa9550a824019d19ee6ce7ae9d06e651d

SHA256
56e3495005c994693d339549108520e1ca1686ea98da1737f48c3a7d7b0495bd

SHA512
58ab062d857c35654b09a9c02453fadb9d297d169010c6f938f9512036508ec4ccb2b9502c3706635ba068b9fd4c38b4751864d78acec6920f6b8f4659af6971

Download Submit
C:\Users\Admin\AppData\Local\KeepMySearch\keepmysearch\1.3.17.3\sqlite.dll

Filesize
559KB

MD5
0b18046d65a107e1e51e7bdc9b50ff6b

SHA1
dafe5501f7637f40d26efd888d5f127dd672f41d

SHA256
b513b988a563946e8270184fbfe422e14af7b954aeb57e228640658b904e8438

SHA512
907561b69494f0eb4b07c6334778d1c0750b39e73d62d9660ba53953893f0fde3515255f90d4591f31cdbe924a73fc0deb86aa23630f6f3e4cbc21ee12ce99d3

Download Submit