bd2234a31a15f31b0afd9ed6db59767482c4236db557e58f6f7fb2f92b88fb8c

General

Target

087a8101d38fa364ddf1b2c248494788.exe
Size

696KB
MD5

087a8101d38fa364ddf1b2c248494788
SHA1

479e880862dd54d7d45145208dba3c2a494fab52
SHA256

bd2234a31a15f31b0afd9ed6db59767482c4236db557e58f6f7fb2f92b88fb8c
SHA512

2d9249405bf4f5e69f3610e5a109450cc56c8fe75e5aad919393ff1d96ef4571bfd60d9f16151738eb1b0f60b1d14f768407df047d812336f2076ea2f85bccf2
SSDEEP

12288:nwYrzpGLVyD/E23EDF5l8gVCtfad1Fi9OgJPFj8HwuRrM8b+6QSTccnxXo:wAzpWEf0DFEgEtSd1I9zJtj8HwutMhi8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1676	087a8101d38fa364ddf1b2c248494788.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}	087a8101d38fa364ddf1b2c248494788.exe

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\clsevnt\Startup = "LogonWinEvent"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\clsevnt\Logoff = "LogoffWinEvent"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\clsevnt	087a8101d38fa364ddf1b2c248494788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\clsevnt\Asynchronous = "1"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\clsevnt\DllName = "clsevnt.dll"	087a8101d38fa364ddf1b2c248494788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\clsevnt\Impersonate = "0"	087a8101d38fa364ddf1b2c248494788.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clsevnt.dll	087a8101d38fa364ddf1b2c248494788.exe
File opened for modification	C:\Windows\SysWOW64\clsevnt.dlli	087a8101d38fa364ddf1b2c248494788.exe
File opened for modification	C:\Windows\SysWOW64\clsevnt.dll	087a8101d38fa364ddf1b2c248494788.exe
File created	C:\Windows\SysWOW64\clsevnt.dlli	087a8101d38fa364ddf1b2c248494788.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEPl.1\ = "CIEPl Object"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEPl.1\CLSID	087a8101d38fa364ddf1b2c248494788.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\InprocServer32	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl\CurVer	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\AppID	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\InprocServer32	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl\CLSID	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\VersionIndependentProgID\ = "IEpl.IEpl"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\TypeLib	087a8101d38fa364ddf1b2c248494788.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\ = "CIEPl Object"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\ProgID\ = "IEpl.IEPl.1"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\VersionIndependentProgID	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl\ = "CIEPl Object"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEPl.1	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEPl.1\CLSID\ = "{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl\CLSID\ = "{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\Programmable	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\InprocServer32\ = "C:\\Windows\\SysWow64\\clsevnt.dll"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\TypeLib\ = "{B83288C5-7B89-4748-8B4C-A2246AE6240A}"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl\CurVer\ = "IEpl.IEPl.1"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\ProgID	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\InprocServer32\ThreadingModel = "apartment"	087a8101d38fa364ddf1b2c248494788.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1676	087a8101d38fa364ddf1b2c248494788.exe
1676	087a8101d38fa364ddf1b2c248494788.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	087a8101d38fa364ddf1b2c248494788.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1188	1676	087a8101d38fa364ddf1b2c248494788.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\087a8101d38fa364ddf1b2c248494788.exe
  "C:\Users\Admin\AppData\Local\Temp\087a8101d38fa364ddf1b2c248494788.exe"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-11-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/1676-10-0x0000000010000000-0x00000000100AD000-memory.dmp

Filesize
692KB

Download
memory/1676-5-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1676-12-0x0000000010000000-0x00000000100AD000-memory.dmp

Filesize
692KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads