a3ec4bd1ce1bfe598872aac1c8a4a8db281003f4ac99e43e20d19ce49fd7ca69

General

Target

tmp.exe
Size

375KB
MD5

04b346cab54c682b9091b173b1dfbd38
SHA1

3fcc2279403de376d554f691090c1670c6ce6087
SHA256

a3ec4bd1ce1bfe598872aac1c8a4a8db281003f4ac99e43e20d19ce49fd7ca69
SHA512

f09e75514f1a4fa52d433b091510c68a7ecb4a1f976874ca07b0a7d239984dd4a604d928d5fc62c08b8cce3404bc4b615de8bc61c13675e32946ac8425d8881f
SSDEEP

6144:xaxd9NJrrnTlSq5HdBu/FHhU+Cg9ddMU9ld/zzwoh/rRo4ycXbONDe/X65:sxBJnTlSq5Hn80qDdM2TXJruHki1e/X

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

tmp.exe

pid process

1884 tmp.exe
1884 tmp.exe

pid	process
1884	tmp.exe
1884	tmp.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81C57AAD-F991-48E5-A42D-51AF23F40150}	tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81C57AAD-F991-48E5-A42D-51AF23F40150}\NoExplorer = "1"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	tmp.exe

Drops file in System32 directory 5 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\CBExt.bpl	tmp.exe
File created	C:\Windows\SysWOW64\CBRun.bpl	tmp.exe
File created	C:\Windows\SysWOW64\AppCache.v2.dat	tmp.exe
File opened for modification	C:\Windows\SysWOW64\AppCache.v2.dat	tmp.exe
File created	C:\Windows\SysWOW64\CBRun.rar	tmp.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEtmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2874971085"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31041118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\DEPon = "1"	tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D62D1A73-1251-11EE-BEC7-F6AA226F753B} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2865281877"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394350294"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2865281877"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31041118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\DEPoff = "1"	tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31041118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ToolboxBitmap32	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Control	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\ProgID	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\TypeLib\Version = "1.0"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Version\ = "1.0"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib\Version = "1.0"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Verb	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\ToolboxBitmap32	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\InprocServer32\ThreadingModel = "Apartment"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32\ThreadingModel = "Apartment"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\Version = "1.0"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ = "IIntelliObjXEvents"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ProxyStubClsid32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib\Version = "1.0"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ProgID\ = "CLXBaseAppX.EmbedWordX"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\MiscStatus\1	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\MiscStatus	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ = "ICLXBaseRunEvents"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib\Version = "1.0"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\ProgID\ = "CLXBaseAppX.CLXBaseRun"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Version	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\0\win32	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ = "IIntelliObjXEvents"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ = "EmbedWordX Control"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\TypeLib	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CLXBaseRun	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Control\	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\MiscStatus	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Control\	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ = "IEmbedWordXEvents"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Version\ = "1.0"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ToolboxBitmap32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Verb\0\ = "Properties,0,2"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.IntelliObjX\ = "IntelliObjX Control"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\0	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\TypeLib\Version = "1.0"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib\Version = "1.0"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\MiscStatus	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Verb\0	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ = "ICLXBaseRunEvents"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ = "IntelliObjX Control"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Version	tmp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

4776 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

4776 IEXPLORE.EXE
4776 IEXPLORE.EXE
3908 IEXPLORE.EXE
3908 IEXPLORE.EXE
3908 IEXPLORE.EXE
3908 IEXPLORE.EXE

pid	process
4776	IEXPLORE.EXE

pid	process
4776	IEXPLORE.EXE
4776	IEXPLORE.EXE
3908	IEXPLORE.EXE
3908	IEXPLORE.EXE
3908	IEXPLORE.EXE
3908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

tmp.exeIEXPLORE.EXE

description	pid	process	target process
PID 1884 wrote to memory of 4776	1884	tmp.exe	IEXPLORE.EXE
PID 1884 wrote to memory of 4776	1884	tmp.exe	IEXPLORE.EXE
PID 4776 wrote to memory of 3908	4776	IEXPLORE.EXE	IEXPLORE.EXE
PID 4776 wrote to memory of 3908	4776	IEXPLORE.EXE	IEXPLORE.EXE
PID 4776 wrote to memory of 3908	4776	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1884

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4776 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XW4YEBB9\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\CBRun.bpl

Filesize
7.2MB

MD5
45682678083ba2f948dd6517e1b5323b

SHA1
990c6cd98510d1d73d61bc652d2900894da0a319

SHA256
4a0d3d5680985b883446801a6e4b71d20abc643a5b8272a214defbf18843066c

SHA512
a81fb6ba09c0bec253d1c5580a27c188962293ef64a56f8ed08c7c1cf53da4579725b63266555768cc2a112688c0c46672dab33550675f9d9e9b7db7a357a92f

Download Submit
C:\Windows\SysWOW64\CBRun.bpl

Filesize
7.2MB

MD5
45682678083ba2f948dd6517e1b5323b

SHA1
990c6cd98510d1d73d61bc652d2900894da0a319

SHA256
4a0d3d5680985b883446801a6e4b71d20abc643a5b8272a214defbf18843066c

SHA512
a81fb6ba09c0bec253d1c5580a27c188962293ef64a56f8ed08c7c1cf53da4579725b63266555768cc2a112688c0c46672dab33550675f9d9e9b7db7a357a92f

Download Submit
memory/1884-157-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/1884-143-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1884-142-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1884-140-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1884-153-0x0000000005700000-0x0000000005E45000-memory.dmp

Filesize
7.3MB

Download
memory/1884-134-0x0000000002400000-0x0000000002448000-memory.dmp

Filesize
288KB

Download
memory/1884-159-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1884-165-0x0000000002D80000-0x0000000002E3A000-memory.dmp

Filesize
744KB

Download
memory/1884-171-0x0000000002E40000-0x0000000002E61000-memory.dmp

Filesize
132KB

Download
memory/1884-180-0x0000000006420000-0x00000000064DA000-memory.dmp

Filesize
744KB

Download
memory/1884-186-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1884-187-0x0000000005700000-0x0000000005E45000-memory.dmp

Filesize
7.3MB

Download
memory/1884-138-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads