d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c

Analysis

max time kernel
167s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Size

761KB
MD5

febe10c022f20c10ffc02547327b6b40
SHA1

7566df16051523fb0aa2612a8c81c440c7e4fb13
SHA256

d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c
SHA512

873df7631812233c611515267e71efb21ef9b0ce9024ae613c4d3a2ddeadf1c2922bf17e0aac3890abd714a1209e962dd40faab3ca009ffecf2380283144fca4
SSDEEP

12288:NPfHCCNQ393Ht+OSpuPLAsQ5iv5pU4FYqA1o4TK5RN++ZOPFiPDdFcasrravNt7:ZihFHUOauPPVXSoOIN++c9a5easWt7

Score

9^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022e57-134.dat	acprotect
behavioral2/files/0x0006000000022e57-135.dat	acprotect
behavioral2/files/0x0006000000022e57-137.dat	acprotect
behavioral2/files/0x0006000000022e57-136.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3992	enumerate_gtu.exe
4516	enumst.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e57-134.dat	upx
behavioral2/files/0x0006000000022e57-135.dat	upx
behavioral2/files/0x0006000000022e57-137.dat	upx
behavioral2/files/0x0006000000022e57-136.dat	upx

Loads dropped DLL 10 IoCs

pid	Process
1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Enumerate_gt = "\"C:\\Program Files (x86)\\enumerate\\gt\\enumerate_gtu.exe\" subcmd"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57405ED3-751C-4F30-A4D3-791E21290582}\NoExplorer = "1"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57405ED3-751C-4F30-A4D3-791E21290582}	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57405ED3-751C-4F30-A4D3-791E21290582}\ = "Enumerate Top Search - GT"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\enumerate\gt\enumerate_gt.dll	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
File created	C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
File created	C:\Program Files (x86)\enumerate\gt\enumst.exe	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
File created	C:\Program Files (x86)\enumerate\gt\uninstall.exe	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3528	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}\AppPath = "C:\\Program Files (x86)\\enumerate\\gt\\"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}\Policy = "3"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}\AppName = "enumerate_gtu.exe"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\enumerate_gt_search01.DLL	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_search01.enumerate_gt_se.1\CLSID\ = "{57405ED3-751C-4F30-A4D3-791E21290582}"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\Programmable	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\TypeLib\ = "{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\ = "Ienumerate_gt_search01SO"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\TypeLib\ = "{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\ProgID\ = "enumerate_gt_search01.enumerate_gt_se.1"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\VersionIndependentProgID\ = "enumerate_gt_search01.enumerate_gt_sear"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\InprocServer32	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\InprocServer32\ = "C:\\Program Files (x86)\\enumerate\\gt\\enumerate_gt.dll"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}\1.0\0\win32	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\ = "Ienumerate_gt_search01SO"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\enumerate_gt_search01.DLL\AppID = "{ABEEC692-63C9-4926-9738-88DE0C8CE92F}"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\InprocServer32\ThreadingModel = "Apartment"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}\1.0\HELPDIR	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\AppID = "{ABEEC692-63C9-4926-9738-88DE0C8CE92F}"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ABEEC692-63C9-4926-9738-88DE0C8CE92F}	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_search01.enumerate_gt_se.1\ = "enumerate_gt_search01SO Class"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_search01.enumerate_gt_sear	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_search01.enumerate_gt_sear\ = "enumerate_gt_search01SO Class"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_search01.enumerate_gt_sear\CurVer\ = "enumerate_gt_search01.enumerate_gt_se.1"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\TypeLib	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\TypeLib\Version = "1.0"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_search01.enumerate_gt_sear\CurVer	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\ = "Enumerate Top Search - GT"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\VersionIndependentProgID	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}\1.0	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_search01.enumerate_gt_sear\CLSID\ = "{57405ED3-751C-4F30-A4D3-791E21290582}"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}\1.0\FLAGS	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}\1.0\FLAGS\ = "0"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\TypeLib\ = "{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ABEEC692-63C9-4926-9738-88DE0C8CE92F}\ = "enumerate_gt_search01"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_search01.enumerate_gt_sear\CLSID	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\TypeLib	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\TypeLib\Version = "1.0"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}\1.0\ = "enumerate_gt_search01 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}\1.0\0	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}\1.0\0\win32\ = "C:\\Program Files (x86)\\enumerate\\gt\\enumerate_gt.dll"	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_search01.enumerate_gt_se.1	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_search01.enumerate_gt_se.1\CLSID	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\ProgID	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57405ED3-751C-4F30-A4D3-791E21290582}\TypeLib	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8B553F1E-C7DD-41C2-ACC0-CD4D80758FC4}\1.0\HELPDIR\	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\ProxyStubClsid32	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B496CDD-E357-4AD9-9E19-2188063B2B20}\ProxyStubClsid32	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3992	enumerate_gtu.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3992	enumerate_gtu.exe
4516	enumst.exe
3992	enumerate_gtu.exe
4516	enumst.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 208	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	85
PID 1532 wrote to memory of 208	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	85
PID 1532 wrote to memory of 208	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	85
PID 208 wrote to memory of 3528	208	cmd.exe	87
PID 208 wrote to memory of 3528	208	cmd.exe	87
PID 208 wrote to memory of 3528	208	cmd.exe	87
PID 1532 wrote to memory of 3992	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	88
PID 1532 wrote to memory of 3992	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	88
PID 1532 wrote to memory of 3992	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	88
PID 1532 wrote to memory of 4516	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	89
PID 1532 wrote to memory of 4516	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	89
PID 1532 wrote to memory of 4516	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	89
PID 1532 wrote to memory of 4648	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	90
PID 1532 wrote to memory of 4648	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	90
PID 1532 wrote to memory of 4648	1532	d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe	90

C:\Users\Admin\AppData\Local\Temp\d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe
"C:\Users\Admin\AppData\Local\Temp\d65aabb07b421ee9ef06267cd04481cdbb7d9cfe3eb1f64a0c417e30404bbd2c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /C schtasks /Create /F /TN "enumerategt" /SC ONLOGON /TR "'C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe' schcmd" /rL HIGHEST
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /F /TN "enumerategt" /SC ONLOGON /TR "'C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe' schcmd" /rL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3528
- C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe
  "C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe" Runcmd
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3992
- C:\Program Files (x86)\enumerate\gt\enumst.exe
  "C:\Program Files (x86)\enumerate\gt\enumst.exe" Runcmd
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c \DelUS.bat
  2⤵
  PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
264B

MD5
43c893a89ffb07fc93953d7043771b6d

SHA1
5dd1455ecd8f783e8f4cf03910fdec7896c8c0de

SHA256
70295ac472b703c0cf60ec6b15d2e591e6394a8a6cb08660d0bec206b2c325a7

SHA512
b605e22fa71c684743b746122fd834a59203dc251c9f31df20866dac6a382a465d1e662dc46cfcdd73b4a8baeaa6cd3557a1afd9322430750127d8976150f831

Download Submit
C:\Program Files (x86)\enumerate\gt\enumerate_gt.dll

Filesize
212KB

MD5
7bf53961ec92f2a4a3df129bd5bd091b

SHA1
1c831de62943d85db777d1367bbcd023be59089e

SHA256
15d843ea30da5b265bcfbf79c9c95093028d582744f8f98441253eeba649c585

SHA512
f11acb7b50d4c681e1a5f4fd779063db764220a9ed4d18ff7719e8a4210724dc9b3b4643f1678b2f2422cca6570c25af9e0b91d7b068d9c35b189be28d3ca8ce

Download Submit
C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe

Filesize
952KB

MD5
5a257cab0c14e6b1334cabd26b569a3a

SHA1
59e68d6b289e1f932d0e6c74f90758a37f930f6a

SHA256
dfeaa527cd3c62076ac3f99d2dda7f7db4256d5aa43f04581b38c45c4e5a4ada

SHA512
8302a6ffbc288101e8ffa41ff9d9d33f0f4c627bab1168199abf7292e556fe5e1e961d359aad45fa2dfe99bd7deb56dcd894d6c3d0a21ed871a1df23b38906a9

Download Submit
C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe

Filesize
952KB

MD5
5a257cab0c14e6b1334cabd26b569a3a

SHA1
59e68d6b289e1f932d0e6c74f90758a37f930f6a

SHA256
dfeaa527cd3c62076ac3f99d2dda7f7db4256d5aa43f04581b38c45c4e5a4ada

SHA512
8302a6ffbc288101e8ffa41ff9d9d33f0f4c627bab1168199abf7292e556fe5e1e961d359aad45fa2dfe99bd7deb56dcd894d6c3d0a21ed871a1df23b38906a9

Download Submit
C:\Program Files (x86)\enumerate\gt\enumst.exe

Filesize
1.2MB

MD5
ad89f7ffb4fab904541cf37a786b4e56

SHA1
1365b452e94427cb399383ac3751af1cc730fd6f

SHA256
a92fda2e19dfed3f03db9a493c4673f6b24eb5c1a1ff2106d475e330039dc09c

SHA512
f4600be7573bb2c9801c05ba09d1451ab0ca2e9769e8a19e2161bc0bc2bc107c41d9cfe556315384a032434404a416879163415e740c26acae9e9136dd3f67ef

Download Submit
C:\Program Files (x86)\enumerate\gt\enumst.exe

Filesize
1.2MB

MD5
ad89f7ffb4fab904541cf37a786b4e56

SHA1
1365b452e94427cb399383ac3751af1cc730fd6f

SHA256
a92fda2e19dfed3f03db9a493c4673f6b24eb5c1a1ff2106d475e330039dc09c

SHA512
f4600be7573bb2c9801c05ba09d1451ab0ca2e9769e8a19e2161bc0bc2bc107c41d9cfe556315384a032434404a416879163415e740c26acae9e9136dd3f67ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB24A.tmp\DLLWebCount.dll

Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB24A.tmp\DLLWebCount.dll

Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB24A.tmp\SelfDelete.dll

Filesize
24KB

MD5
ddc0d6806073a5b034104c88288ca762

SHA1
9663cc10c496f05d6167e19c3920245040e5e431

SHA256
2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b

SHA512
545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB24A.tmp\UnProtectMode.dll

Filesize
200KB

MD5
d37323d733078a8da425ad71a51d1462

SHA1
7061f1f388c6fa0159d614ded01251da4e4b7e4b

SHA256
e1a0b1168a87ac0d140b3a394efda23148a8907093898e0a2549079009d318e3

SHA512
f7e0780aa18785c1402d7233b67fabb61cefa8568e71cd4ca37405eafc7a340053836b16fdebc2ce351b7ddeac28d17a43091904ba443269cac1e7e4f46bd929

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB24A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB24A.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB24A.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB24A.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB24A.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
memory/1532-144-0x0000000003080000-0x0000000003092000-memory.dmp

Filesize
72KB

Download
memory/1532-143-0x0000000003080000-0x0000000003092000-memory.dmp

Filesize
72KB

Download
memory/1532-142-0x0000000003080000-0x0000000003092000-memory.dmp

Filesize
72KB

Download
memory/1532-141-0x0000000003080000-0x0000000003092000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads