Analysis
- max time kernel: 146s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 12:29
Static task: static1
Behavioral task: behavioral1
- Sample: 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Resource: win10v2004-20221111-en
General
- Target: 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Size: 21KB
- MD5: bf8503557d267a979c1840b5241f5ea8
- SHA1: ba94e45cae97f1f71a45fe234b1aa2bd1ba81698
- SHA256: 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf
- SHA512: ef314220b0921d99a139f744d620c92dc8a3547b232a7268540d23339856ac7266083d42cad0782f8fd0a9d17c5923f6493d43619b0d7e2ed7cb8c30c3b6c65d
- SSDEEP: 384:oc+h/+GIQMCczE3yzySSAsmXVFwWynCMSc2ZsKw8WS/PtY4JQjYVkwNeso:ox6QA9PTPDhc2ZT0SH6Ysj
Malware Config
Signatures
- Modifies security service 2 TTPs 1 IoCs
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Windows security bypass (signature name as listed in the process tree) 5 IoCs
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Blocklisted process makes network request 1 IoCs
  flow | pid | process
  5 | 952 | rundll32.exe
- Modifies Shared Task Scheduler registry keys 2 TTPs 2 IoCs
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{A97A0466-31B2-4551-9A89-C3C053FF72A5} = "OLE Object" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Registers COM server for autorun 1 TTPs 3 IoCs
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{A97A0466-31B2-4551-9A89-C3C053FF72A5}\InProcServer32 | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{A97A0466-31B2-4551-9A89-C3C053FF72A5}\InProcServer32\ = "C:\\Windows\\SysWow64\\barseek.dll" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{A97A0466-31B2-4551-9A89-C3C053FF72A5}\InProcServer32\ThreadingModel = "Apartment" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Deletes itself 1 IoCs
  pid | process
  952 | rundll32.exe
- Loads dropped DLL 4 IoCs
  pid | process
  952 | rundll32.exe (4 identical entries)
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Windows security modification (signature name as listed in the process tree) 5 IoCs
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Enumerates connected drives 3 TTPs 22 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\E: through \??\Z: (one IoC per drive letter, 22 in total) | rundll32.exe
- Drops file in System32 directory 1 IoCs
  description | ioc | process
  File created | C:\Windows\SysWOW64\barseek.dll | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Modifies Internet Explorer settings (signature name as listed in the process tree) 5 IoCs
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\Security | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Security\id = "156868725003" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Security\host = "64.70.19.203" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\Security | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Security\selfdel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Modifies registry class 6 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{A97A0466-31B2-4551-9A89-C3C053FF72A5}\InProcServer32\ = "C:\\Windows\\SysWow64\\barseek.dll" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{A97A0466-31B2-4551-9A89-C3C053FF72A5}\InProcServer32\ThreadingModel = "Apartment" | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{A97A0466-31B2-4551-9A89-C3C053FF72A5}\InProcServer32 | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{A97A0466-31B2-4551-9A89-C3C053FF72A5} | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
- Suspicious use of WriteProcessMemory 7 IoCs
  description | pid | process | procid_target
  PID 1632 wrote to memory of 952 | 1632 | 92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe | 27 (7 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92ec08e55a98246e4deec38931affe382e1bfd39f47d014dc5a30e3b8b2eb4cf.exe"
  PID: 1632
  Signatures:
  - Modifies security service
  - Windows security bypass
  - Modifies Shared Task Scheduler registry keys
  - Registers COM server for autorun
  - Windows security modification
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Windows\system32\barseek.dll, load
    PID: 952
    Signatures:
    - Blocklisted process makes network request
    - Deletes itself
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 16KB
  MD5: 2927b7854e17a95473c9b14a241931dd
  SHA1: 2b36d180eebe0123459755934c9806ce1b49b367
  SHA256: 9f185d268e09533a52f8efe0022694e83179c62a2b940be9eb6f24291ee23c52
  SHA512: 37a7495f008f6945067fe94f1be8d0ba58a15d6b33066573f528a688a9da256a1841fd65b6459180fa6348907c8fbe785e0221ed2e0bd78c8899bdc7e31c2688