c3a57a65c497d8879be2951597f2a4305af9f0315f4a8d4d88acc3c6bc60a78a

General

Target

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Size

5.4MB
MD5

d56a09aa4c061c9125c5871dd8ab19b2
SHA1

dfe1a0fbe3f7ff7cdebc5b5e51e860b5ee60440f
SHA256

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0
SHA512

674038097546434ffc5832962e0c05efdf6e1277cede6d5fb4ba44445dc72a85b7738b0f958b458d22beb8fe2f6fc6ad7c5aed182c56a1caabf908439e2283a0
SSDEEP

98304:CEwQXyX2kHK5mi8P4+18frP3wbzWFimaI7dlZ:CE3XyXhHKQkgbzWFimaI7dl

Score

7^/10

adware persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe /onboot"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Low Rights	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

Modifies registry class 12 IoCs

Processes:

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

description pid process

Token: SeRestorePrivilege 3080 05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

pid process

3080 05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

pid process

3080 05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

description	pid	process
Token: SeRestorePrivilege	3080	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

pid	process
3080	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
3080	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
3080	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
3080	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe

description	pid	process	target process
PID 3080 wrote to memory of 1896	3080	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe	regsvr32.exe
PID 3080 wrote to memory of 1896	3080	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe	regsvr32.exe
PID 3080 wrote to memory of 1896	3080	05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe
"C:\Users\Admin\AppData\Local\Temp\05bcad0109788d76c1f9a199baad13c78352661dbf10c22dc99db2c9bdc216d0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3080