f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b

General

Target

f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Size

128KB
MD5

6482d1c8f3ba54f893f3cf5b329be842
SHA1

60b8228e6b2c0a450e6d848b9cd87788fcc8efa0
SHA256

f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b
SHA512

ee6086a165c55d2c6b44865526bcc00881b8d19b947917ac182541ee1eb6854b4531b60ca495cd64664b576b9496e35f111ac18fa46742219750a18d336dc8ef
SSDEEP

3072:uc2Elfx2kDYp6YCaW5yqC6r/bb1Cq3EueWKPtE:qEvYE1Aq0VWKP

Score

9^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000900000002316b-132.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000002316b-132.dat	upx
behavioral2/memory/4632-133-0x0000000010000000-0x000000001004C000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4632	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msxml71.dll	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "XML Library"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Windows\\SysWow64\\msxml71.dll"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{9233C3C0-1472-4091-A505-5580A23BB4AC}"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "C:\\Windows\\SysWow64\\msxml71.dll"	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4632	f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe

C:\Users\Admin\AppData\Local\Temp\f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe
"C:\Users\Admin\AppData\Local\Temp\f2118ee1219fe02b5126a778e0ffd4c3cc786b3d7af50c67978c4c18163e1e8b.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msxml71.dll

Filesize
101KB

MD5
5375ddac29dc43764b53d247ea2c754e

SHA1
1a013d318faa5d63390b83b3637b83a435e3e80a

SHA256
336140e3474f34803632d6c5edab68670f8a69590ee48390591279efe6259702

SHA512
cb681f82bb97e1d93ae8e7290eea514c3b0f370228de2999e76c12088d60a4b228a11215df26c0b206025001990007012786a1fb9ccfa9c03b56dbea1a657659

Download Submit
memory/4632-133-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing