d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f

General

Target

d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe
Size

733KB
MD5

04c4b97fb89f0903a0ab998316877fde
SHA1

586606a7459293d3f8b793770ea16e9d3e1878e7
SHA256

d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f
SHA512

ae032305a5b24db1ca931eac91c35a513bcc07b73dfc25ab784f5a039f3debfce0a449fddd2c7dfddf07a97bc5c1b2f014a0efcc1aacb78d4e1f47274f3948c3
SSDEEP

12288:QSWXV+uZM2I7tBbDW2IHBplF2tM/rLDehxP1+LmjqTn:QL8uZvwtFuH/hL0t1+Lmjqj

Score

7^/10

adware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe

Loads dropped DLL 2 IoCs

pid	Process
4252	Regsvr32.exe
4252	Regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}	Regsvr32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~1\Youdao\Toolbar\ydtbv2.2\YodaoToolbar.dll	d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ime\SPTIPIMERS.ini	d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.353.com"	d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}\InprocServer32\ = "C:\\PROGRA~1\\Youdao\\Toolbar\\ydtbv2.2\\YODAOT~1.DLL"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}\ProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}\ProgID\ = "YodaoToolbar.StockBar"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YodaoToolbar.StockBar\Clsid	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YodaoToolbar.StockBar\Clsid\ = "{7B434A2A-9E4C-48F2-8373-5801F316A4D5}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YodaoToolbar.StockBar	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YodaoToolbar.StockBar\	Regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4252	3164	d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe	82
PID 3164 wrote to memory of 4252	3164	d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe	82
PID 3164 wrote to memory of 4252	3164	d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe	82
PID 3164 wrote to memory of 2420	3164	d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe	83
PID 3164 wrote to memory of 2420	3164	d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe	83
PID 3164 wrote to memory of 2420	3164	d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe	83

C:\Users\Admin\AppData\Local\Temp\d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe
"C:\Users\Admin\AppData\Local\Temp\d05679f26a30fa9428ae344e7270f97a29d88506d2bfc13aebf622dd9c64274f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe /s C:\PROGRA~1\Youdao\Toolbar\ydtbv2.2\YodaoToolbar.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DelTemp.bat" "
  2⤵
  PID:2420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Youdao\Toolbar\ydtbv2.2\YodaoToolbar.dll

Filesize
578KB

MD5
271cd48bf924891a08d4fca5d0c7a748

SHA1
bd0ecb1baefa0106ed214b50e18a7bebb2391c1b

SHA256
a9408f9b7cb0be1e6510346eeee750098d996dd2157bc57926e2641d34c14c3c

SHA512
e4226cf0f557af85614615ec55635cc1f7233fc32e22cc26a880c1fc9b4cf1ef803a298bedea5297842c15868bb76281fd0aac9df4d78f36456f70c38928e554

Download Submit
C:\Program Files\Youdao\Toolbar\ydtbv2.2\YodaoToolbar.dll

Filesize
578KB

MD5
271cd48bf924891a08d4fca5d0c7a748

SHA1
bd0ecb1baefa0106ed214b50e18a7bebb2391c1b

SHA256
a9408f9b7cb0be1e6510346eeee750098d996dd2157bc57926e2641d34c14c3c

SHA512
e4226cf0f557af85614615ec55635cc1f7233fc32e22cc26a880c1fc9b4cf1ef803a298bedea5297842c15868bb76281fd0aac9df4d78f36456f70c38928e554

Download Submit
C:\Program Files\Youdao\Toolbar\ydtbv2.2\YodaoToolbar.dll

Filesize
578KB

MD5
271cd48bf924891a08d4fca5d0c7a748

SHA1
bd0ecb1baefa0106ed214b50e18a7bebb2391c1b

SHA256
a9408f9b7cb0be1e6510346eeee750098d996dd2157bc57926e2641d34c14c3c

SHA512
e4226cf0f557af85614615ec55635cc1f7233fc32e22cc26a880c1fc9b4cf1ef803a298bedea5297842c15868bb76281fd0aac9df4d78f36456f70c38928e554

Download Submit
C:\Users\Admin\AppData\Local\Temp\DelTemp.bat

Filesize
187B

MD5
511dcd08bb7a897531416d3ed40fc2a4

SHA1
cde09b963619ca9fa2130840935deaa9a787c2db

SHA256
7d5505f613f10ae14f5bc09e14267e1803a87f2831879ed8a227618f532d3a43

SHA512
7028b87c4721f604448d6493144615e68d5166199553a2ce2b9f5a399471c9d43e0426c5101126c808c43241afa294b16d9d5bd5db4b16fbd9db0419360e63f1

Download Submit
memory/4252-136-0x0000000001F20000-0x0000000001FB5000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads