b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Size

423KB
MD5

11fc813561fe852d0c857b7c466f2130
SHA1

fb35ba1129d02e9115328ec9af826c184b0ea519
SHA256

b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9
SHA512

aa87bb9c2e9951e0ca0b61735cf33d523fa6543e584d831ae6648db11e598dbc5217e10b322c40e7a5ad887c9e6cdb35271a7aeffcd5eb33dddada3269ae8570
SSDEEP

12288:FRHH+RW/SolDfb4FuWlD7JXu1GcWh7aKgq7UJ:Fdt/SGDcuWlD794+h7aB

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Indtry\Parameters\ServiceDll = "C:\\Windows\\system32\\spted.dll"	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
2060	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
2060	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
4512	rundll32.exe
4768	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Program Files (x86)\\Common Files\\UPDAT\\Update.exe"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wbem\IRJIT.dll	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
File created	C:\Windows\SysWOW64\nt.sys	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
File created	C:\Windows\SysWOW64\spted.dll	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
File created	C:\Windows\SysWOW64\wbem\ocmor.dat	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CoolWebsite\QuickLink.dll	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
File created	C:\Program Files (x86)\Common Files\UPDAT\update.exe	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
File created	C:\Program Files (x86)\Common Files\UPDAT\update.dat	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
File created	C:\Program Files (x86)\CoolWebsite\uninst.exe	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{1D901067-2529-4A9B-9B6B-7A1DB3A44CB5}	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{1D901067-2529-4A9B-9B6B-7A1DB3A44CB5}\ButtonText = "ÊµÓÃÍøÖ·µ¼º½"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{1D901067-2529-4A9B-9B6B-7A1DB3A44CB5}\HotIcon = "C:\\Program Files (x86)\\CoolWebsite\\QuickLink.dll,207"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url9 = "http://www.9991.com/"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url12 = "http://www.999x.com/"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.9991.com/tools/index.htm"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "http://www.51.com/"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{1D901067-2529-4A9B-9B6B-7A1DB3A44CB5}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{1D901067-2529-4A9B-9B6B-7A1DB3A44CB5}\ClsidExtension = "{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{1D901067-2529-4A9B-9B6B-7A1DB3A44CB5}\Default Visible = "Yes"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{1D901067-2529-4A9B-9B6B-7A1DB3A44CB5}\Icon = "C:\\Program Files (x86)\\CoolWebsite\\QuickLink.dll,209"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\typedUrls\	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\ = "QuickBtn"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\Programmable	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\InprocServer32\ = "C:\\Program Files (x86)\\CoolWebsite\\QuickLink.dll"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}\1.0\FLAGS	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}\1.0\0	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\ProxyStubClsid32	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\VersionIndependentProgID\ = "QuickButton.QuickBtn"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\TypeLib\ = "{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\TypeLib\ = "{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\TypeLib\ = "{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QuickButton.QuickBtn\CLSID	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QuickButton.QuickBtn\CurVer\ = "QuickButton.QuickBtn.1"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\VersionIndependentProgID	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}\1.0\ = "QuickBtn 1.0 Type Library"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}\1.0\0\win32	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QuickButton.QuickBtn\CLSID\ = "{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\TypeLib	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\ProxyStubClsid32	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\ = "IQuickBtn"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\TypeLib	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\TypeLib\Version = "1.0"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\ProgID	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QuickButton.QuickBtn\CurVer	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}\1.0\FLAGS\ = "0"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}\1.0\0\win32\ = "C:\\Program Files (x86)\\CoolWebsite\\QuickLink.dll"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}\1.0\HELPDIR	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CoolWebsite\\"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sss1.sss2.1\CLSID	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sss1.sss2.1\CLSID\ = "{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{933DB9D6-9447-4EFE-ABA2-EAF3B309B44C}\1.0	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\TypeLib\Version = "1.0"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sss1.sss2.1	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QuickButton.QuickBtn	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QuickButton.QuickBtn\ = "QuickBtn"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\ProgID\ = "sss1.sss2.1"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\InprocServer32	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7}\InprocServer32\ThreadingModel = "Apartment"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\ = "IQuickBtn"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0083DE51-EB2E-4521-A95C-735D8E563373}\TypeLib	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sss1.sss2.1\ = "QuickBtn"	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4512	2060	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe	82
PID 2060 wrote to memory of 4512	2060	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe	82
PID 2060 wrote to memory of 4512	2060	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe	82
PID 2060 wrote to memory of 4768	2060	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe	83
PID 2060 wrote to memory of 4768	2060	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe	83
PID 2060 wrote to memory of 4768	2060	b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe	83

C:\Users\Admin\AppData\Local\Temp\b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe
"C:\Users\Admin\AppData\Local\Temp\b568e22f971b242c2c6dc56db0cdfedf3b1fe446dedc221ba4062d4b34cc35d9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\spted.dll",ExportFunc 1001
  2⤵
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  PID:4512
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wbem\IRJIT.dll",Export @install
  2⤵
  - Loads dropped DLL
  PID:4768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CoolWebsite\QuickLink.dll

Filesize
88KB

MD5
9802d32fd6432af38473453c9d3065f6

SHA1
e6a2a66766a504c24f72cf3c9bb8303e67286d2a

SHA256
7acf989fc8a6a7492b8b87e98af54c1e445f8356d24624af829dd3bbc7b97292

SHA512
49b4cafc80555d973ff4a047c4b0e205ca44720f8b6f5a64ed11d6cc0e8c83614830dba52f216fabc4618c7f3e71310d444e56bd2c56e6522984a98a162a9eee

Download Submit
C:\Program Files (x86)\CoolWebsite\QuickLink.dll

Filesize
88KB

MD5
9802d32fd6432af38473453c9d3065f6

SHA1
e6a2a66766a504c24f72cf3c9bb8303e67286d2a

SHA256
7acf989fc8a6a7492b8b87e98af54c1e445f8356d24624af829dd3bbc7b97292

SHA512
49b4cafc80555d973ff4a047c4b0e205ca44720f8b6f5a64ed11d6cc0e8c83614830dba52f216fabc4618c7f3e71310d444e56bd2c56e6522984a98a162a9eee

Download Submit
C:\Windows\SysWOW64\spted.dll

Filesize
284KB

MD5
076711594cf048a56df8f039a4a9c0f5

SHA1
9eee7e5aaa4fe029c6c231b00e825609e4cd9473

SHA256
6b1140448d14a30c869b2edeba5d579d85536e13086ac2c4af5bbc25252d8f7a

SHA512
b63efea48d220383e9f972567189a9fd79a97d8b84da99593a0802c788f2e48615557bace91757d4b37142d0f139b0d7cbae6a5f0b2ee7c22a8e367a23cfe8c8

Download Submit
C:\Windows\SysWOW64\spted.dll

Filesize
284KB

MD5
076711594cf048a56df8f039a4a9c0f5

SHA1
9eee7e5aaa4fe029c6c231b00e825609e4cd9473

SHA256
6b1140448d14a30c869b2edeba5d579d85536e13086ac2c4af5bbc25252d8f7a

SHA512
b63efea48d220383e9f972567189a9fd79a97d8b84da99593a0802c788f2e48615557bace91757d4b37142d0f139b0d7cbae6a5f0b2ee7c22a8e367a23cfe8c8

Download Submit
C:\Windows\SysWOW64\wbem\IRJIT.dll

Filesize
282KB

MD5
a88c9fdc32e6108f5e38ce7824d1725b

SHA1
f4a34d71b5fdf6ca82e1dcd2443b699c6d262335

SHA256
3d672cf8431bc8f6ab86841c977c581902cf6e023fbbfee3e58c5bba0d2a8bf5

SHA512
3d24f6f471cd9cdbe0e4d8dee55a172c52c96f7ac40f7782aabbe6b85567d586a83f8c6ede350628a7ff87d4d8fae20fa7ca8fd229d01b368aead16b593e045a

Download Submit
C:\Windows\SysWOW64\wbem\IRJIT.dll

Filesize
282KB

MD5
a88c9fdc32e6108f5e38ce7824d1725b

SHA1
f4a34d71b5fdf6ca82e1dcd2443b699c6d262335

SHA256
3d672cf8431bc8f6ab86841c977c581902cf6e023fbbfee3e58c5bba0d2a8bf5

SHA512
3d24f6f471cd9cdbe0e4d8dee55a172c52c96f7ac40f7782aabbe6b85567d586a83f8c6ede350628a7ff87d4d8fae20fa7ca8fd229d01b368aead16b593e045a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads