df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7

Analysis

max time kernel
153s
max time network
165s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 14:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Size

1.3MB
MD5

11e76e8fba1fea3839785f924b037b21
SHA1

8ca2897c4cf38efaac154989664183c86d4d19fe
SHA256

df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7
SHA512

57cc313894912886761113d6dc9604ec36a3f448f76832784cfb91aa6030d1abf1049bf45efc1e85d4bce488510a2b81e8aedad38e598c9184b05281e7764389
SSDEEP

24576:cSjVW3PPtaThYccMTO3WSAw7ihr+wMF2LSiIILr9yv3ZFxZErvKh3YJDkdA1nEER:LBkPP0TdcMgWNwGhKws3iI3rQZxEE6Qd

Score

8^/10

adware evasion persistence stealer upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2016	EhStorShell32.exe
1572	odbctrac32.exe
1404	EhStorShell32.exe
1608	lsass.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1344	netsh.exe
524	netsh.exe
1924	netsh.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1624-57-0x0000000010000000-0x0000000010087000-memory.dmp	upx
behavioral1/memory/1624-62-0x0000000010000000-0x0000000010087000-memory.dmp	upx

Loads dropped DLL 11 IoCs

pid	Process
1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
1572	odbctrac32.exe
1896	WerFault.exe
1572	odbctrac32.exe
1572	odbctrac32.exe
1404	EhStorShell32.exe
2016	EhStorShell32.exe
2016	EhStorShell32.exe
1608	lsass.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	EhStorShell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	EhStorShell32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	lsass.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F9D9786-4B2F-4CB9-8178-7DDA1B75C3Ea}	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
File created	C:\Windows\SysWOW64\odbctrac32.exe	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
File opened for modification	C:\Windows\SysWOW64\1048607963	odbctrac32.exe
File opened for modification	C:\Windows\SysWOW64\442e6bac1286P.manifest	odbctrac32.exe
File opened for modification	C:\Windows\SysWOW64\442e6bac1286C.manifest	odbctrac32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	odbctrac32.exe
File created	C:\Windows\SysWOW64\EhStorShell32.exe	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
File opened for modification	C:\Windows\SysWOW64\1048607963	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
File opened for modification	C:\Windows\SysWOW64\odbctrac32.exe	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
File opened for modification	C:\Windows\SysWOW64\442e6bac1286O.manifest	odbctrac32.exe
File opened for modification	C:\Windows\SysWOW64\442e6bac1286S.manifest	odbctrac32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1896	1624	WerFault.exe	8

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 86979d0f2f4bb94c81787dda1b75c3ea	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	odbctrac32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	odbctrac32.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Qetlmikgnb	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	odbctrac32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	odbctrac32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}\6e-89-29-0b-ef-3b	odbctrac32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	odbctrac32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	odbctrac32.exe
Key created	\REGISTRY\USER\S-1-5-19	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Qetlmikgnb\CLSID	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Qetlmikgnb\CLSID	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	odbctrac32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}	odbctrac32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}\WpadDecisionReason = "1"	odbctrac32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-89-29-0b-ef-3b\WpadDecisionTime = e074995dd80ad901	odbctrac32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Qetlmikgnb\CLSID	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\S-1-5-20	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Qetlmikgnb\CLSID\ = "{7900f693-ed5d-4e96-9df1-8b268caa3868}"	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 86979d0f2f4bb94c81787dda1b75c3ea	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	odbctrac32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	odbctrac32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-89-29-0b-ef-3b\WpadDecisionReason = "1"	odbctrac32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-89-29-0b-ef-3b\WpadDecision = "0"	odbctrac32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Qetlmikgnb\CLSID\ = "{7900f693-ed5d-4e96-9df1-8b268caa3868}"	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	odbctrac32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	odbctrac32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}\WpadDecisionTime = e074995dd80ad901	odbctrac32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	odbctrac32.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Qetlmikgnb	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 86979d0f2f4bb94c81787dda1b75c3ea	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\442e6bac = " "	odbctrac32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	odbctrac32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	odbctrac32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}\WpadDecision = "0"	odbctrac32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-89-29-0b-ef-3b	odbctrac32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}\WpadNetworkName = "Network 3"	odbctrac32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Qetlmikgnb\CLSID	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Qetlmikgnb	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Qetlmikgnb\CLSID\ = "{7900f693-ed5d-4e96-9df1-8b268caa3868}"	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\.DEFAULT	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Software	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Software\Qetlmikgnb\CLSID	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{d8d72f44-a3e0-4ac6-8e0e-ce268b0d738e}"	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qetlmikgnb	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Qetlmikgnb\CLSID\ = "{7900f693-ed5d-4e96-9df1-8b268caa3868}"	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7900f693-ed5d-4e96-9df1-8b268caa3868}	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F9D9786-4B2F-4CB9-8178-7DDA1B75C3Ea}\InprocServer32\ThreadingModel = "Both"	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F9D9786-4B2F-4CB9-8178-7DDA1B75C3Ea}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll"	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Software\Qetlmikgnb\CLSID	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Software\Qetlmikgnb	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Software\Qetlmikgnb\CLSID\ = "{7900f693-ed5d-4e96-9df1-8b268caa3868}"	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F9D9786-4B2F-4CB9-8178-7DDA1B75C3Ea}\InprocServer32	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qetlmikgnb\CLSID	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F9D9786-4B2F-4CB9-8178-7DDA1B75C3Ea}	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2016	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	28
PID 1624 wrote to memory of 2016	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	28
PID 1624 wrote to memory of 2016	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	28
PID 1624 wrote to memory of 2016	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	28
PID 1624 wrote to memory of 1344	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	29
PID 1624 wrote to memory of 1344	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	29
PID 1624 wrote to memory of 1344	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	29
PID 1624 wrote to memory of 1344	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	29
PID 1624 wrote to memory of 524	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	31
PID 1624 wrote to memory of 524	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	31
PID 1624 wrote to memory of 524	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	31
PID 1624 wrote to memory of 524	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	31
PID 1624 wrote to memory of 1924	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	33
PID 1624 wrote to memory of 1924	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	33
PID 1624 wrote to memory of 1924	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	33
PID 1624 wrote to memory of 1924	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	33
PID 1624 wrote to memory of 1896	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	36
PID 1624 wrote to memory of 1896	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	36
PID 1624 wrote to memory of 1896	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	36
PID 1624 wrote to memory of 1896	1624	df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe	36
PID 1572 wrote to memory of 1404	1572	odbctrac32.exe	37
PID 1572 wrote to memory of 1404	1572	odbctrac32.exe	37
PID 1572 wrote to memory of 1404	1572	odbctrac32.exe	37
PID 1572 wrote to memory of 1404	1572	odbctrac32.exe	37
PID 2016 wrote to memory of 1608	2016	EhStorShell32.exe	38
PID 2016 wrote to memory of 1608	2016	EhStorShell32.exe	38
PID 2016 wrote to memory of 1608	2016	EhStorShell32.exe	38
PID 2016 wrote to memory of 1608	2016	EhStorShell32.exe	38

C:\Users\Admin\AppData\Local\Temp\df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe
"C:\Users\Admin\AppData\Local\Temp\df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\EhStorShell32.exe
  "C:\Windows\system32\EhStorShell32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe
    "C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1608
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\odbctrac32.exe" enable=yes profile=domain
  2⤵
  - Modifies Windows Firewall
  PID:1344
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\odbctrac32.exe" enable=yes profile=private
  2⤵
  - Modifies Windows Firewall
  PID:524
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\odbctrac32.exe" enable=yes profile=public
  2⤵
  - Modifies Windows Firewall
  PID:1924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 580
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1896

C:\Windows\SysWOW64\odbctrac32.exe
C:\Windows\SysWOW64\odbctrac32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1572
- C:\ProgramData\EhStorShell32.exe
  schutz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EhStorShell32.exe

Filesize
1.3MB

MD5
11e76e8fba1fea3839785f924b037b21

SHA1
8ca2897c4cf38efaac154989664183c86d4d19fe

SHA256
df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7

SHA512
57cc313894912886761113d6dc9604ec36a3f448f76832784cfb91aa6030d1abf1049bf45efc1e85d4bce488510a2b81e8aedad38e598c9184b05281e7764389

Download Submit
C:\ProgramData\api-ms-win-core-localization-l1-2-032.dll

Filesize
243KB

MD5
0f3e5648c5962998fc6103d25caa4611

SHA1
bbfb26afc13eab710f994d3d71c1bca403ba8103

SHA256
fb0945777d8e6d053c39ab9b7993bdc2403e9cc4438bd8b2c5559dbbea354355

SHA512
ac0383567fef52e99d8c810c0c261f78e16c0c92b60d46a79db58c9603d5c177dbe21eef089cbaab9bb08b796c4bcc34272c29b41dd7030f15a1e90145dee65f

Download Submit
C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe

Filesize
201KB

MD5
e42435a1f69bd2f0d7b05dd8a7a5b9ea

SHA1
022f5202546decd93eb98b480c343a95bfb39db3

SHA256
5604947061ca566d4d31b599800cc2439127e4dd6d5afc03c0b0f17543bb6237

SHA512
00ab0b66575890ebc33f1297e7ee415f7d4d508a885882a8bbb6487db5efa4e01f6f9bee0444124ff13f873929c6d34f6f2b707d0547f507068a05ea32656160

Download Submit
C:\Windows\SysWOW64\1048607963

Filesize
121B

MD5
2b93080744ce7cdad14bff72120dfe9f

SHA1
4ee3fbfa8fd50bcb9ed361478174cbd95cced7b9

SHA256
eee4fa6c305e52244bb6c1ac0f6e6db4e407983eb22e86b338f2ccc4b24e5fa1

SHA512
89d3eee818fb3cf53eb72ec21a730cde3e0be045ebeca48744067e1e11e2234cc36d2ae6f778d73046db59492dc63206878b40d4eec0dd5dbc93e0e3b8c9386d

Download Submit
C:\Windows\SysWOW64\1048607963

Filesize
33B

MD5
95732f09582ef7ffd5a92ade11d29b51

SHA1
7db09ff5b5b32e173b751909e056b35b429c8403

SHA256
23e09bd7d1ab1f331883764db366c48ffdbc92105d738341065afc6e64619e20

SHA512
fe7499fedd4717aae7efd8f38c670d7f41bca062e955a078433e97afe254550dee949fa7e775ca21a8cdcb4cb962cd9134000ed6fb938030b3a0a0c2204ee9d9

Download Submit
C:\Windows\SysWOW64\EhStorShell32.exe

Filesize
201KB

MD5
e42435a1f69bd2f0d7b05dd8a7a5b9ea

SHA1
022f5202546decd93eb98b480c343a95bfb39db3

SHA256
5604947061ca566d4d31b599800cc2439127e4dd6d5afc03c0b0f17543bb6237

SHA512
00ab0b66575890ebc33f1297e7ee415f7d4d508a885882a8bbb6487db5efa4e01f6f9bee0444124ff13f873929c6d34f6f2b707d0547f507068a05ea32656160

Download Submit
C:\Windows\SysWOW64\EhStorShell32.exe

Filesize
201KB

MD5
e42435a1f69bd2f0d7b05dd8a7a5b9ea

SHA1
022f5202546decd93eb98b480c343a95bfb39db3

SHA256
5604947061ca566d4d31b599800cc2439127e4dd6d5afc03c0b0f17543bb6237

SHA512
00ab0b66575890ebc33f1297e7ee415f7d4d508a885882a8bbb6487db5efa4e01f6f9bee0444124ff13f873929c6d34f6f2b707d0547f507068a05ea32656160

Download Submit
C:\Windows\SysWOW64\odbctrac32.exe

Filesize
1.3MB

MD5
11e76e8fba1fea3839785f924b037b21

SHA1
8ca2897c4cf38efaac154989664183c86d4d19fe

SHA256
df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7

SHA512
57cc313894912886761113d6dc9604ec36a3f448f76832784cfb91aa6030d1abf1049bf45efc1e85d4bce488510a2b81e8aedad38e598c9184b05281e7764389

Download Submit
C:\Windows\SysWOW64\odbctrac32.exe

Filesize
1.3MB

MD5
11e76e8fba1fea3839785f924b037b21

SHA1
8ca2897c4cf38efaac154989664183c86d4d19fe

SHA256
df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7

SHA512
57cc313894912886761113d6dc9604ec36a3f448f76832784cfb91aa6030d1abf1049bf45efc1e85d4bce488510a2b81e8aedad38e598c9184b05281e7764389

Download Submit
\ProgramData\EhStorShell32.exe

Filesize
1.3MB

MD5
11e76e8fba1fea3839785f924b037b21

SHA1
8ca2897c4cf38efaac154989664183c86d4d19fe

SHA256
df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7

SHA512
57cc313894912886761113d6dc9604ec36a3f448f76832784cfb91aa6030d1abf1049bf45efc1e85d4bce488510a2b81e8aedad38e598c9184b05281e7764389

Download Submit
\ProgramData\EhStorShell32.exe

Filesize
1.3MB

MD5
11e76e8fba1fea3839785f924b037b21

SHA1
8ca2897c4cf38efaac154989664183c86d4d19fe

SHA256
df5b79fea098bbaff394dcea8a7dd98103e1fbfd057de125110bee66365049c7

SHA512
57cc313894912886761113d6dc9604ec36a3f448f76832784cfb91aa6030d1abf1049bf45efc1e85d4bce488510a2b81e8aedad38e598c9184b05281e7764389

Download Submit
\ProgramData\api-ms-win-core-localization-l1-2-032.dll

Filesize
243KB

MD5
0f3e5648c5962998fc6103d25caa4611

SHA1
bbfb26afc13eab710f994d3d71c1bca403ba8103

SHA256
fb0945777d8e6d053c39ab9b7993bdc2403e9cc4438bd8b2c5559dbbea354355

SHA512
ac0383567fef52e99d8c810c0c261f78e16c0c92b60d46a79db58c9603d5c177dbe21eef089cbaab9bb08b796c4bcc34272c29b41dd7030f15a1e90145dee65f

Download Submit
\ProgramData\api-ms-win-core-localization-l1-2-032.dll

Filesize
243KB

MD5
0f3e5648c5962998fc6103d25caa4611

SHA1
bbfb26afc13eab710f994d3d71c1bca403ba8103

SHA256
fb0945777d8e6d053c39ab9b7993bdc2403e9cc4438bd8b2c5559dbbea354355

SHA512
ac0383567fef52e99d8c810c0c261f78e16c0c92b60d46a79db58c9603d5c177dbe21eef089cbaab9bb08b796c4bcc34272c29b41dd7030f15a1e90145dee65f

Download Submit
\ProgramData\api-ms-win-core-localization-l1-2-032.dll

Filesize
243KB

MD5
0f3e5648c5962998fc6103d25caa4611

SHA1
bbfb26afc13eab710f994d3d71c1bca403ba8103

SHA256
fb0945777d8e6d053c39ab9b7993bdc2403e9cc4438bd8b2c5559dbbea354355

SHA512
ac0383567fef52e99d8c810c0c261f78e16c0c92b60d46a79db58c9603d5c177dbe21eef089cbaab9bb08b796c4bcc34272c29b41dd7030f15a1e90145dee65f

Download Submit
\ProgramData\api-ms-win-core-localization-l1-2-032.dll

Filesize
243KB

MD5
0f3e5648c5962998fc6103d25caa4611

SHA1
bbfb26afc13eab710f994d3d71c1bca403ba8103

SHA256
fb0945777d8e6d053c39ab9b7993bdc2403e9cc4438bd8b2c5559dbbea354355

SHA512
ac0383567fef52e99d8c810c0c261f78e16c0c92b60d46a79db58c9603d5c177dbe21eef089cbaab9bb08b796c4bcc34272c29b41dd7030f15a1e90145dee65f

Download Submit
\Users\Admin\AppData\Roaming\SysWin\lsass.exe

Filesize
201KB

MD5
e42435a1f69bd2f0d7b05dd8a7a5b9ea

SHA1
022f5202546decd93eb98b480c343a95bfb39db3

SHA256
5604947061ca566d4d31b599800cc2439127e4dd6d5afc03c0b0f17543bb6237

SHA512
00ab0b66575890ebc33f1297e7ee415f7d4d508a885882a8bbb6487db5efa4e01f6f9bee0444124ff13f873929c6d34f6f2b707d0547f507068a05ea32656160

Download Submit
\Users\Admin\AppData\Roaming\SysWin\lsass.exe

Filesize
201KB

MD5
e42435a1f69bd2f0d7b05dd8a7a5b9ea

SHA1
022f5202546decd93eb98b480c343a95bfb39db3

SHA256
5604947061ca566d4d31b599800cc2439127e4dd6d5afc03c0b0f17543bb6237

SHA512
00ab0b66575890ebc33f1297e7ee415f7d4d508a885882a8bbb6487db5efa4e01f6f9bee0444124ff13f873929c6d34f6f2b707d0547f507068a05ea32656160

Download Submit
\Windows\SysWOW64\EhStorShell32.exe

Filesize
201KB

MD5
e42435a1f69bd2f0d7b05dd8a7a5b9ea

SHA1
022f5202546decd93eb98b480c343a95bfb39db3

SHA256
5604947061ca566d4d31b599800cc2439127e4dd6d5afc03c0b0f17543bb6237

SHA512
00ab0b66575890ebc33f1297e7ee415f7d4d508a885882a8bbb6487db5efa4e01f6f9bee0444124ff13f873929c6d34f6f2b707d0547f507068a05ea32656160

Download Submit
\Windows\SysWOW64\EhStorShell32.exe

Filesize
201KB

MD5
e42435a1f69bd2f0d7b05dd8a7a5b9ea

SHA1
022f5202546decd93eb98b480c343a95bfb39db3

SHA256
5604947061ca566d4d31b599800cc2439127e4dd6d5afc03c0b0f17543bb6237

SHA512
00ab0b66575890ebc33f1297e7ee415f7d4d508a885882a8bbb6487db5efa4e01f6f9bee0444124ff13f873929c6d34f6f2b707d0547f507068a05ea32656160

Download Submit
\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll

Filesize
402KB

MD5
db87ee81e1e86ce106c7b8c8a33bdfa3

SHA1
90a44ca73b4477296f6337087b6fc625b5448ef2

SHA256
d4c3975f646adae88b7a1f932d45e322c0bbfbd24618fd84544cfafded75b14a

SHA512
ad2962ba710daefb897d18fb2db1dffbfb6e941fb7a88752fb4992f23cdb41759b0c8ef0a1beb2fee76924cf1bb46f11c5a03a2e8bfedf5c74e17b946046ad5f

Download Submit
memory/1404-123-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/1404-106-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/1404-122-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1404-105-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1572-91-0x0000000001150000-0x000000000118F000-memory.dmp

Filesize
252KB

Download
memory/1572-120-0x0000000000A40000-0x0000000000B3B000-memory.dmp

Filesize
1004KB

Download
memory/1572-121-0x0000000001150000-0x000000000118F000-memory.dmp

Filesize
252KB

Download
memory/1572-90-0x0000000000A40000-0x0000000000B3B000-memory.dmp

Filesize
1004KB

Download
memory/1572-82-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/1608-118-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1608-125-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1608-124-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1608-119-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1608-116-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1624-54-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1624-60-0x0000000001D00000-0x0000000001DFB000-memory.dmp

Filesize
1004KB

Download
memory/1624-57-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/1624-61-0x0000000002110000-0x0000000002159000-memory.dmp

Filesize
292KB

Download
memory/1624-62-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/1624-63-0x0000000001D00000-0x0000000001DFB000-memory.dmp

Filesize
1004KB

Download
memory/1624-65-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1624-64-0x0000000002110000-0x0000000002159000-memory.dmp

Filesize
292KB

Download
memory/2016-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-89-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download