6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf

General

Target

6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf.exe
Size

182KB
MD5

19e13740b772bc759f9a1b5366ea1f34
SHA1

c5c8d2ba30ceaf20571c4eac828e41ef0965f297
SHA256

6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf
SHA512

0f7c21ead099a2956785458268d3841c8fa83bc2b9fa2e3d34553cd6c98b07211a76cc003af27a1bbb3a14859f6c3184d554fb6681a08a9f19a5534ae6acb57f
SSDEEP

3072:I+RJBV2575eusnu4JuiTPqsn9pKZLR/M4U9bVmFBYySf/45IQRRoMwMUe3:IYJ32/rgJuimmqLRU4okFtSi3sM9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3892	toolbar.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	toolbar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	toolbar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemScript = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\toolbar.exe\""	toolbar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	toolbar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemScript = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\toolbar.exe\""	toolbar.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\manifest.json	toolbar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1476	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe
3892	toolbar.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3892	3916	6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf.exe	79
PID 3916 wrote to memory of 3892	3916	6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf.exe	79
PID 3916 wrote to memory of 3892	3916	6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf.exe	79
PID 3892 wrote to memory of 2324	3892	toolbar.exe	81
PID 3892 wrote to memory of 2324	3892	toolbar.exe	81
PID 3892 wrote to memory of 2324	3892	toolbar.exe	81
PID 3892 wrote to memory of 1476	3892	toolbar.exe	83
PID 3892 wrote to memory of 1476	3892	toolbar.exe	83
PID 3892 wrote to memory of 1476	3892	toolbar.exe	83

C:\Users\Admin\AppData\Local\Temp\6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf.exe
"C:\Users\Admin\AppData\Local\Temp\6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Microsoft\Windows\toolbar.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\toolbar.exe" lol
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops Chrome extension
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn SystemScript /f
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /tn SystemScript /tr ""C:\Users\Admin\AppData\Local\Microsoft\Windows\toolbar.exe"" /sc ONLOGON /f
    3⤵
    - Creates scheduled task(s)
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\toolbar.exe

Filesize
182KB

MD5
19e13740b772bc759f9a1b5366ea1f34

SHA1
c5c8d2ba30ceaf20571c4eac828e41ef0965f297

SHA256
6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf

SHA512
0f7c21ead099a2956785458268d3841c8fa83bc2b9fa2e3d34553cd6c98b07211a76cc003af27a1bbb3a14859f6c3184d554fb6681a08a9f19a5534ae6acb57f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\toolbar.exe

Filesize
182KB

MD5
19e13740b772bc759f9a1b5366ea1f34

SHA1
c5c8d2ba30ceaf20571c4eac828e41ef0965f297

SHA256
6b968fba3ba74a04e1f1d9b82836d228e874ed76225f744f23d2dfabd0f32bcf

SHA512
0f7c21ead099a2956785458268d3841c8fa83bc2b9fa2e3d34553cd6c98b07211a76cc003af27a1bbb3a14859f6c3184d554fb6681a08a9f19a5534ae6acb57f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\windows.zpx

Filesize
104KB

MD5
6f806b5954d057b8beb4fa9407885a07

SHA1
ebee7cfe3227e702b5dd337d1ba2400f0e5e88b7

SHA256
706dc075630b4a171df48d7de2b9bf268110616d1ed6cb485dfd988ba7235135

SHA512
ba0447f55779e6bf16fd5cf876d2cbfd1a5b7c5f2dc82c42d1d669d04ff242e6266fd135a70e48c0f1945aee7680359b26d5b5d1038e0564ffc1b54ce690d3de

Download Submit
memory/1476-136-0x0000000000000000-mapping.dmp

Download
memory/2324-135-0x0000000000000000-mapping.dmp

Download
memory/3892-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads