c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618

Analysis

max time kernel
152s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 17:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe
Size

35KB
MD5

1f12fbc653eb08f5069446cb015337ba
SHA1

8fdbf0028893113da3f7f279e6f02f06d5fd70cc
SHA256

c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618
SHA512

d1926bad19c54a0a7c11681fb6f03db40e5359cbc5d8dc03b3cf5ec1173a3827d71abbba8021ce5b713137f7cc9fe111a44ee71eef502e5b1ed1523863125149
SSDEEP

768:34CRQMApypWh9FTzgWEbDkWlrTvYGBCgU:oNMA8UB+DkCrMGC

Score

9^/10

adware discovery persistence stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000012353-65.dat	acprotect

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	iebtm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Program Files (x86)\\Applications\\iebtm.exe"	iebtm.exe

Executes dropped EXE 2 IoCs

pid	Process
2012	iebtm.exe
1468	iebtmm.exe

Deletes itself 1 IoCs

pid	Process
2032	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe
900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe
2012	iebtm.exe
2012	iebtm.exe
2012	iebtm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8710DF42-3171-4A3B-9079-3F7D7101552B}	iebtm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8710DF42-3171-4A3B-9079-3F7D7101552B}\	iebtm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	iebtm.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Applications\iebtm.exe	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe
File created	C:\Program Files (x86)\Applications\iebtu.exe	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe
File created	C:\Program Files (x86)\Applications\iebt.dll	iebtm.exe
File created	C:\Program Files (x86)\Applications\iebtmm.exe	iebtm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	iebtm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.ietoolmachine.com/redirect.php"	iebtm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	iebtm.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Search	iebtm.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	iebtm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.aseachengine.com/index.php?b=1&t=0&q={searchTerms}"	iebtm.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\SearchScopes	iebtm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	iebtm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	iebtm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	iebtm.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iebtm.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{8710DF42-3171-4A3B-9079-3F7D7101552B}	iebtm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8710DF42-3171-4A3B-9079-3F7D7101552B}\www = "www"	iebtm.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{8710DF42-3171-4A3B-9079-3F7D7101552B}\InprocServer32	iebtm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8710DF42-3171-4A3B-9079-3F7D7101552B}\InprocServer32\ = "C:\\Program Files (x86)\\Applications\\iebt.dll"	iebtm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8710DF42-3171-4A3B-9079-3F7D7101552B}\InprocServer32\ThreadingModel = "Apartment"	iebtm.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID	iebtm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe
900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe
2012	iebtm.exe
1468	iebtmm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 940	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	27
PID 900 wrote to memory of 940	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	27
PID 900 wrote to memory of 940	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	27
PID 900 wrote to memory of 940	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	27
PID 900 wrote to memory of 2012	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	28
PID 900 wrote to memory of 2012	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	28
PID 900 wrote to memory of 2012	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	28
PID 900 wrote to memory of 2012	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	28
PID 900 wrote to memory of 2032	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	29
PID 900 wrote to memory of 2032	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	29
PID 900 wrote to memory of 2032	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	29
PID 900 wrote to memory of 2032	900	c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe	29
PID 2012 wrote to memory of 1468	2012	iebtm.exe	31
PID 2012 wrote to memory of 1468	2012	iebtm.exe	31
PID 2012 wrote to memory of 1468	2012	iebtm.exe	31
PID 2012 wrote to memory of 1468	2012	iebtm.exe	31

C:\Users\Admin\AppData\Local\Temp\c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe
"C:\Users\Admin\AppData\Local\Temp\c857b44dd1ba38982a48c59472c3a31ab5ab2a510afb378d36c9381f4dfec618.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:940
- C:\Program Files (x86)\Applications\iebtm.exe
  "C:\Program Files (x86)\Applications\iebtm.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Program Files (x86)\Applications\iebtmm.exe
    "C:\Program Files (x86)\Applications\iebtmm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\wewt0.bat" "
  2⤵
  - Deletes itself
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Applications\iebtm.exe

Filesize
22KB

MD5
7d2b3a7c30802c6bb26c3951be8e26fc

SHA1
cf7323ad3050add903059a628eca878c88e8e945

SHA256
1969789311468d92564b3c65f7407f8cd7e407f28b2ec85674187207788cec0f

SHA512
ecf5232673c039f926a2bb5d8a51e0a0558f7ff5e592664ca9b161cdf1c57c056debfc3421ee1f03942472e03054fa4863d604d53154d45316b88258eca37329

Download Submit
C:\Program Files (x86)\Applications\iebtmm.exe

Filesize
6KB

MD5
a8e1fedffe582b7b563ff45f9d3710f0

SHA1
f0a75cb894a31410227d896dda1aba8d58609600

SHA256
f9741a363a9ba3873abc91066a991e6cf1b8637839aff8dc7bee83f40fb0b5bf

SHA512
ec57434d44161e66eccc9af69de6669e19e197bd5877a805e2310e310eb761e83bc7e9c420cad3dab7e5ee05a6718883d3c471ad09f8bdb9ad575c57c02ea5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wewt0.bat

Filesize
338B

MD5
a723bfe0d199327bdbceeb8f5e3defc3

SHA1
ec6e5e3dda8724c6374b8e79d54088464d9676d1

SHA256
f38fbcce616864d6225c7b0e5ff4ff2adf6ce0ec90ba6f4e63586e03cea9f8de

SHA512
5dc46e9a68ae369b006bbd7d187928bb784b2dcb30f51c8ba56c8e95836987ef3ad06712f4f440d9a30b5e3ee5bc21291a27c9bba3c5995124235f59cafeb214

Download Submit
\Program Files (x86)\Applications\iebt.dll

Filesize
9KB

MD5
af28a36684286d5327d616b04ba64e6e

SHA1
d21228775dce57c058c9c07b922701156e2068b1

SHA256
8f1a1ea7c43617e2deb9214159d1dc0b164a8ee5165aff131d2d89ae417ed05e

SHA512
0ef100151938ed67c9c30a1747d06f253f52481e8fdba056fd57d7d82bc04676e961a619caf36b311330df3e1c336ffa358476d99efa84dedc7205d8a3e94e5c

Download Submit
\Program Files (x86)\Applications\iebtm.exe

Filesize
22KB

MD5
7d2b3a7c30802c6bb26c3951be8e26fc

SHA1
cf7323ad3050add903059a628eca878c88e8e945

SHA256
1969789311468d92564b3c65f7407f8cd7e407f28b2ec85674187207788cec0f

SHA512
ecf5232673c039f926a2bb5d8a51e0a0558f7ff5e592664ca9b161cdf1c57c056debfc3421ee1f03942472e03054fa4863d604d53154d45316b88258eca37329

Download Submit
\Program Files (x86)\Applications\iebtm.exe

Filesize
22KB

MD5
7d2b3a7c30802c6bb26c3951be8e26fc

SHA1
cf7323ad3050add903059a628eca878c88e8e945

SHA256
1969789311468d92564b3c65f7407f8cd7e407f28b2ec85674187207788cec0f

SHA512
ecf5232673c039f926a2bb5d8a51e0a0558f7ff5e592664ca9b161cdf1c57c056debfc3421ee1f03942472e03054fa4863d604d53154d45316b88258eca37329

Download Submit
\Program Files (x86)\Applications\iebtmm.exe

Filesize
6KB

MD5
a8e1fedffe582b7b563ff45f9d3710f0

SHA1
f0a75cb894a31410227d896dda1aba8d58609600

SHA256
f9741a363a9ba3873abc91066a991e6cf1b8637839aff8dc7bee83f40fb0b5bf

SHA512
ec57434d44161e66eccc9af69de6669e19e197bd5877a805e2310e310eb761e83bc7e9c420cad3dab7e5ee05a6718883d3c471ad09f8bdb9ad575c57c02ea5f1

Download Submit
\Program Files (x86)\Applications\iebtmm.exe

Filesize
6KB

MD5
a8e1fedffe582b7b563ff45f9d3710f0

SHA1
f0a75cb894a31410227d896dda1aba8d58609600

SHA256
f9741a363a9ba3873abc91066a991e6cf1b8637839aff8dc7bee83f40fb0b5bf

SHA512
ec57434d44161e66eccc9af69de6669e19e197bd5877a805e2310e310eb761e83bc7e9c420cad3dab7e5ee05a6718883d3c471ad09f8bdb9ad575c57c02ea5f1

Download Submit
memory/900-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/900-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/900-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1468-79-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1468-74-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2012-71-0x00000000002E0000-0x00000000002E9000-memory.dmp

Filesize
36KB

Download
memory/2012-70-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2012-72-0x00000000002E0000-0x00000000002E9000-memory.dmp

Filesize
36KB

Download
memory/2012-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-76-0x00000000002E0000-0x00000000002E9000-memory.dmp

Filesize
36KB

Download
memory/2012-75-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2012-77-0x00000000002E0000-0x00000000002E9000-memory.dmp

Filesize
36KB

Download
memory/2012-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download