e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18

General

Target

e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Size

156KB
MD5

5550c27810d3c6921185be70d8800d1e
SHA1

10749e5cea7aacf0cde73ecafb53431e9a1a2b46
SHA256

e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18
SHA512

0fb3bd4dbfe87a48309256367e29f5af650efc2ddeacbc7c06732d326dc5edfa202c6279b9beeec86d55a19fb73954112c36949599b155ff4688109f2d66f1e7
SSDEEP

3072:PoUs8w85SfTEHHsQNZJPfXJ7UGA95wjUbMlNPVBcvWtmJhA7WppCfG:P0l8sfTEn3Xdf57UGJUYzPc4a8fG

Score

9^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000022e2a-132.dat	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000022e2a-132.dat	upx

Loads dropped DLL 1 IoCs

pid	Process
1632	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msxml71.dll	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFE37CAC-CA8A-FC67-89A8-F31AC98F6D61}\.0\ = "C:\\Windows\\SysWow64\\msxml71.dll"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{CFE37CAC-CA8A-FC67-89A8-F31AC98F6D61}"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFE37CAC-CA8A-FC67-89A8-F31AC98F6D61}	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFE37CAC-CA8A-FC67-89A8-F31AC98F6D61}\.0	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFE37CAC-CA8A-FC67-89A8-F31AC98F6D61}\.0\ = "XML Library"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Windows\\SysWow64\\msxml71.dll"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1632	e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe

C:\Users\Admin\AppData\Local\Temp\e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe
"C:\Users\Admin\AppData\Local\Temp\e2608264766c151f79e81bd28b4caf303b12f85d774162df61e4a4ca952e7a18.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msxml71.dll

Filesize
127KB

MD5
756b09649abb9715b623c8d1b3d8d405

SHA1
23b47d7bfa0ec3827bbf7e515e9cf4850a6fd279

SHA256
3f024a30945a541957a9f4a24a083b27e2f605b07924acb52e7c3c4df4cdc91d

SHA512
710491c02530fac919c7555481ec231c2dac0c37396cc80b8e8568b87963a1b51686e70e46d828b174935e8d978371ab1ac8d2a0bfc1649c959d2930be9a94d0

Download Submit

Analysis

Sharing