f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 23:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Size

36KB
MD5

898e64054cf624fee9d7dd9fe1e913f6
SHA1

6c0578a6f92a100d40903704cbd3d32b1e325d03
SHA256

f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026
SHA512

860dc29262ac981a4559a3850154faf325ec2f65b68f211628891ea44a3df707004837e8b0254a04b812f7a2c3d424541ffa003451227fea407ecff983c7b4eb
SSDEEP

768:BFYyA/IqYVGtPPXrq9R3y1WzxI55R5yZ+UlsH:3YyA/hB/rq9R3yo6x5yZ+qs

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe

Executes dropped EXE 1 IoCs

pid	Process
964	isfmm.exe

Loads dropped DLL 3 IoCs

pid	Process
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8249E69-A809-4544-832F-64EB65747A92}	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E8249E69-A809-4544-832F-64EB65747A92}\	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.topsoftwarefeed.com/redirect.php"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Search	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.altersearches.com/index.php?&b=1&t=0&q={searchTerms}"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{E8249E69-A809-4544-832F-64EB65747A92}\InprocServer32	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8249E69-A809-4544-832F-64EB65747A92}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\isfmdl.dll"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8249E69-A809-4544-832F-64EB65747A92}\InprocServer32\ThreadingModel = "Apartment"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{E8249E69-A809-4544-832F-64EB65747A92}	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8249E69-A809-4544-832F-64EB65747A92}\xxx = "xxx"	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
964	isfmm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 964	1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe	27
PID 1496 wrote to memory of 964	1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe	27
PID 1496 wrote to memory of 964	1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe	27
PID 1496 wrote to memory of 964	1496	f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe	27

C:\Users\Admin\AppData\Local\Temp\f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe
"C:\Users\Admin\AppData\Local\Temp\f39aebf299b195c976064d444cfeb51a5df9890a0ec03ea61beac41d671aa026.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\isfmm.exe
  C:\Users\Admin\AppData\Local\Temp\isfmm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\isfmm.exe

Filesize
8KB

MD5
6dd6c1fb9319989389d041768b45fe9d

SHA1
43133ea2ac83d296589feaa903d0f4a3800e9424

SHA256
0849b5629ff961e1476f0ee08afa0111fad21177f933148e5fb565400e42e869

SHA512
159d0aa84384931430b3d8a6208fc8b8e10a22f0ba7747802ef458475b8f776eab39167342c53d774e385c501f6cf1998fc4b1f658b4df6fe4cc5da93b649bb8

Download Submit
\Users\Admin\AppData\Local\Temp\isfmdl.dll

Filesize
14KB

MD5
23c1b39925697b4d6dac461c6b690e18

SHA1
a72d9bcdce4213f8c214d6cc8d14aa041b03c40e

SHA256
1d21914b80581ca4ca4422c8f17783dfe3a1f7b3c0ad0d4e79f03b286921ea33

SHA512
c93bf915a76350a99f17f1529a0665976a2e023baa893d5dee47ac0e4266100a3fe96569873625bdfb9c75cfc7e24709f722253aa2bedd7914cae4fefb3a3fc8

Download Submit
\Users\Admin\AppData\Local\Temp\isfmm.exe

Filesize
8KB

MD5
6dd6c1fb9319989389d041768b45fe9d

SHA1
43133ea2ac83d296589feaa903d0f4a3800e9424

SHA256
0849b5629ff961e1476f0ee08afa0111fad21177f933148e5fb565400e42e869

SHA512
159d0aa84384931430b3d8a6208fc8b8e10a22f0ba7747802ef458475b8f776eab39167342c53d774e385c501f6cf1998fc4b1f658b4df6fe4cc5da93b649bb8

Download Submit
\Users\Admin\AppData\Local\Temp\isfmm.exe

Filesize
8KB

MD5
6dd6c1fb9319989389d041768b45fe9d

SHA1
43133ea2ac83d296589feaa903d0f4a3800e9424

SHA256
0849b5629ff961e1476f0ee08afa0111fad21177f933148e5fb565400e42e869

SHA512
159d0aa84384931430b3d8a6208fc8b8e10a22f0ba7747802ef458475b8f776eab39167342c53d774e385c501f6cf1998fc4b1f658b4df6fe4cc5da93b649bb8

Download Submit
memory/1496-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download