74ad99a6bfaa5d10112289bb55fb71bc90e5106f4e1591ad387e4ad381ef2caf

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19/05/2023, 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

6.0MB
MD5

4c2b59cbcbebeb321ac4a0def370c0dd
SHA1

3e8935a7382d1f8df799f3214ac10a267fcf287c
SHA256

74ad99a6bfaa5d10112289bb55fb71bc90e5106f4e1591ad387e4ad381ef2caf
SHA512

3da098eade2ba141b3852246e798692f793d4da1b54d0f09ee2ddbe24cd6626cced1556d421f3f033eca1ce7359507785a047e20a6c140190e6fa276041ceed6
SSDEEP

98304:TXz+Cz0GdAq9q59bl1v+QbSmNapj6vjGrOTDHenGmXcDgFzFQqzC+/rC3+VyOE:jKXGdAq9q/bl5+QbNEd6Tren7eKFFzCz

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
860	microi.exe
784	microd.exe

Loads dropped DLL 5 IoCs

pid	Process
2004	tmp.exe
2004	tmp.exe
2004	tmp.exe
2004	tmp.exe
860	microi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\micro = "\"C:\\Program Files (x86)\\micro\\microm.exe\""	microi.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\ = "microengine"	microi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\NoExplorer = "1"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{358D8A21-5EFC-46CB-AAA6-B1552639222D}	microi.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\micro\micros.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\micro\microu.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\micro\microd.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\micro\microi.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\micro\microm.exe	tmp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\microengine.dll	tmp.exe
File opened for modification	C:\Windows\microsecurity.exe	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microengine.Helper\CurVer\ = "microengine.Helper.1"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\TypeLib	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\ = "microengine"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}\1.0	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}\1.0\FLAGS\ = "0"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\ProxyStubClsid32	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microengine.Helper.1\ = "microengine"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microengine.Helper.1\CLSID	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}\1.0\HELPDIR	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\TypeLib\Version = "1.0"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\Elevation	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}\1.0\ = "microengineLib"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\TypeLib\ = "{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}\1.0\0	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\TypeLib	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microengine.Helper.1	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\AppID = "{3DDF4950-D399-4678-B94D-48412BC49249}"	microi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\Elevation\Enabled = "1"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\TypeLib	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microengine.Helper	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microengine.Helper\ = "microengine"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\ProgID	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\ProgID\ = "microengine.Helper.1"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\InprocServer32	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\Version	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\Version\ = "1.0"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microengine.Helper.1\CLSID\ = "{358D8A21-5EFC-46CB-AAA6-B1552639222D}"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microengine.Helper\CurVer	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}\1.0\HELPDIR\ = "C:\\Windows"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}\1.0\0\win32	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\InprocServer32\ThreadingModel = "Apartment"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\LocalizedString = "@C:\\Windows\\microengine.dll,-101"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\TypeLib\ = "{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\TypeLib\ = "{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\VersionIndependentProgID\ = "microengine"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\InprocServer32\ = "C:\\Windows\\microengine.dll"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}\1.0\FLAGS	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED0B5EA-5202-4B20-9DE6-8B1B14738D35}\1.0\0\win32\ = "C:\\Windows\\microengine.dll"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\ = "IHelper"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\ = "IHelper"	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\ProxyStubClsid32	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\VersionIndependentProgID	microi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{358D8A21-5EFC-46CB-AAA6-B1552639222D}\Programmable	microi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{625C75AF-1128-47A1-B68A-B135108E6118}\TypeLib\Version = "1.0"	microi.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
860	microi.exe
860	microi.exe
784	microd.exe
784	microd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 860	2004	tmp.exe	28
PID 2004 wrote to memory of 860	2004	tmp.exe	28
PID 2004 wrote to memory of 860	2004	tmp.exe	28
PID 2004 wrote to memory of 860	2004	tmp.exe	28
PID 860 wrote to memory of 784	860	microi.exe	29
PID 860 wrote to memory of 784	860	microi.exe	29
PID 860 wrote to memory of 784	860	microi.exe	29
PID 860 wrote to memory of 784	860	microi.exe	29

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files (x86)\micro\microi.exe
  "C:\Program Files (x86)\micro\microi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Program Files (x86)\micro\microd.exe
    "C:\Program Files (x86)\micro\microd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\micro\microd.exe

Filesize
3.5MB

MD5
1960a710a5be7c916b1bb2c30d09ad3d

SHA1
f69861b6edbf066f89d4b7a2aefdbbc0c7281655

SHA256
c057e5b638f7b356fd96e25fc426b2ed3c17696199bcf084a20e62efc9ac4ce1

SHA512
f8b12fa42fa9fa8e18efd87a8c958645d34d2c06caeeec88393d2b7aa342590bafd43f5559b5aa9c52167fcff7ebb93841b040800e4599e3aa6ff4aa3487977a

Download Submit
C:\Program Files (x86)\micro\microd.exe

Filesize
3.5MB

MD5
1960a710a5be7c916b1bb2c30d09ad3d

SHA1
f69861b6edbf066f89d4b7a2aefdbbc0c7281655

SHA256
c057e5b638f7b356fd96e25fc426b2ed3c17696199bcf084a20e62efc9ac4ce1

SHA512
f8b12fa42fa9fa8e18efd87a8c958645d34d2c06caeeec88393d2b7aa342590bafd43f5559b5aa9c52167fcff7ebb93841b040800e4599e3aa6ff4aa3487977a

Download Submit
C:\Program Files (x86)\micro\microi.exe

Filesize
3.5MB

MD5
a587f115c68c9ddf5edf53819d04027b

SHA1
81ae6f3840687bdfac5d4613699a08c47a2b8b2a

SHA256
f0d4dfa270f0e7d1eb32834e153285e5e1aed42761ac8802fa0a1a448b148022

SHA512
05b150ebfe49899b83f2538f175beb4994a1ce4b73d01c72b5ee07c7e7b211da8a1f77fe93770a43eccb1450879fde1ca421f1d4dac2e545006f44c286d55bbe

Download Submit
C:\Program Files (x86)\micro\microi.exe

Filesize
3.5MB

MD5
a587f115c68c9ddf5edf53819d04027b

SHA1
81ae6f3840687bdfac5d4613699a08c47a2b8b2a

SHA256
f0d4dfa270f0e7d1eb32834e153285e5e1aed42761ac8802fa0a1a448b148022

SHA512
05b150ebfe49899b83f2538f175beb4994a1ce4b73d01c72b5ee07c7e7b211da8a1f77fe93770a43eccb1450879fde1ca421f1d4dac2e545006f44c286d55bbe

Download Submit
C:\Windows\microengine.dll

Filesize
254KB

MD5
bdc6fad6caa405c861c06369c186915d

SHA1
8091ec49ff491a2ee2c47e8e30584d5d3e40e497

SHA256
2a5c3c3876be048d17a8c7919f054f648405923182428e040006bf488ffb1972

SHA512
50032492b1f52038da00065d9e625dd0dc026fcf24c4af8541751d65c8394b5636f5fb26cec952b54c2f06a34ef0ceba9a800ba9b697b4bd1cc57968e8ce3ef5

Download Submit
\Program Files (x86)\micro\microd.exe

Filesize
3.5MB

MD5
1960a710a5be7c916b1bb2c30d09ad3d

SHA1
f69861b6edbf066f89d4b7a2aefdbbc0c7281655

SHA256
c057e5b638f7b356fd96e25fc426b2ed3c17696199bcf084a20e62efc9ac4ce1

SHA512
f8b12fa42fa9fa8e18efd87a8c958645d34d2c06caeeec88393d2b7aa342590bafd43f5559b5aa9c52167fcff7ebb93841b040800e4599e3aa6ff4aa3487977a

Download Submit
\Program Files (x86)\micro\microi.exe

Filesize
3.5MB

MD5
a587f115c68c9ddf5edf53819d04027b

SHA1
81ae6f3840687bdfac5d4613699a08c47a2b8b2a

SHA256
f0d4dfa270f0e7d1eb32834e153285e5e1aed42761ac8802fa0a1a448b148022

SHA512
05b150ebfe49899b83f2538f175beb4994a1ce4b73d01c72b5ee07c7e7b211da8a1f77fe93770a43eccb1450879fde1ca421f1d4dac2e545006f44c286d55bbe

Download Submit
\Program Files (x86)\micro\microi.exe

Filesize
3.5MB

MD5
a587f115c68c9ddf5edf53819d04027b

SHA1
81ae6f3840687bdfac5d4613699a08c47a2b8b2a

SHA256
f0d4dfa270f0e7d1eb32834e153285e5e1aed42761ac8802fa0a1a448b148022

SHA512
05b150ebfe49899b83f2538f175beb4994a1ce4b73d01c72b5ee07c7e7b211da8a1f77fe93770a43eccb1450879fde1ca421f1d4dac2e545006f44c286d55bbe

Download Submit
\Program Files (x86)\micro\microi.exe

Filesize
3.5MB

MD5
a587f115c68c9ddf5edf53819d04027b

SHA1
81ae6f3840687bdfac5d4613699a08c47a2b8b2a

SHA256
f0d4dfa270f0e7d1eb32834e153285e5e1aed42761ac8802fa0a1a448b148022

SHA512
05b150ebfe49899b83f2538f175beb4994a1ce4b73d01c72b5ee07c7e7b211da8a1f77fe93770a43eccb1450879fde1ca421f1d4dac2e545006f44c286d55bbe

Download Submit
\Program Files (x86)\micro\microi.exe

Filesize
3.5MB

MD5
a587f115c68c9ddf5edf53819d04027b

SHA1
81ae6f3840687bdfac5d4613699a08c47a2b8b2a

SHA256
f0d4dfa270f0e7d1eb32834e153285e5e1aed42761ac8802fa0a1a448b148022

SHA512
05b150ebfe49899b83f2538f175beb4994a1ce4b73d01c72b5ee07c7e7b211da8a1f77fe93770a43eccb1450879fde1ca421f1d4dac2e545006f44c286d55bbe

Download Submit
memory/2004-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads