bd2234a31a15f31b0afd9ed6db59767482c4236db557e58f6f7fb2f92b88fb8c

General

Target

087a8101d38fa364ddf1b2c248494788.exe
Size

696KB
MD5

087a8101d38fa364ddf1b2c248494788
SHA1

479e880862dd54d7d45145208dba3c2a494fab52
SHA256

bd2234a31a15f31b0afd9ed6db59767482c4236db557e58f6f7fb2f92b88fb8c
SHA512

2d9249405bf4f5e69f3610e5a109450cc56c8fe75e5aad919393ff1d96ef4571bfd60d9f16151738eb1b0f60b1d14f768407df047d812336f2076ea2f85bccf2
SSDEEP

12288:nwYrzpGLVyD/E23EDF5l8gVCtfad1Fi9OgJPFj8HwuRrM8b+6QSTccnxXo:wAzpWEf0DFEgEtSd1I9zJtj8HwutMhi8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4580	087a8101d38fa364ddf1b2c248494788.exe
4580	087a8101d38fa364ddf1b2c248494788.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}	087a8101d38fa364ddf1b2c248494788.exe

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev	087a8101d38fa364ddf1b2c248494788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev\Asynchronous = "1"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev\DllName = "tdev.dll"	087a8101d38fa364ddf1b2c248494788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev\Impersonate = "0"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev\Startup = "LogonWinEvent"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev\Logoff = "LogoffWinEvent"	087a8101d38fa364ddf1b2c248494788.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tdev.dll	087a8101d38fa364ddf1b2c248494788.exe
File opened for modification	C:\Windows\SysWOW64\tdev.dlli	087a8101d38fa364ddf1b2c248494788.exe
File opened for modification	C:\Windows\SysWOW64\tdev.dll	087a8101d38fa364ddf1b2c248494788.exe
File created	C:\Windows\SysWOW64\tdev.dlli	087a8101d38fa364ddf1b2c248494788.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEPl.1	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl\CLSID	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\VersionIndependentProgID	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl\ = "CIEPl Object"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl\CLSID\ = "{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}"	087a8101d38fa364ddf1b2c248494788.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\VersionIndependentProgID\ = "IEpl.IEpl"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\InprocServer32\ = "C:\\Windows\\SysWow64\\tdev.dll"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEPl.1\CLSID	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl\CurVer	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\ = "CIEPl Object"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\TypeLib	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEPl.1\ = "CIEPl Object"	087a8101d38fa364ddf1b2c248494788.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\InprocServer32	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\AppID	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEPl.1\CLSID\ = "{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEpl.IEpl\CurVer\ = "IEpl.IEPl.1"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\ProgID	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\ProgID\ = "IEpl.IEPl.1"	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\InprocServer32	087a8101d38fa364ddf1b2c248494788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\Programmable	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\InprocServer32\ThreadingModel = "apartment"	087a8101d38fa364ddf1b2c248494788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}\TypeLib\ = "{B83288C5-7B89-4748-8B4C-A2246AE6240A}"	087a8101d38fa364ddf1b2c248494788.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4580	087a8101d38fa364ddf1b2c248494788.exe
4580	087a8101d38fa364ddf1b2c248494788.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	087a8101d38fa364ddf1b2c248494788.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 3440	4580	087a8101d38fa364ddf1b2c248494788.exe	49

C:\Users\Admin\AppData\Local\Temp\087a8101d38fa364ddf1b2c248494788.exe
"C:\Users\Admin\AppData\Local\Temp\087a8101d38fa364ddf1b2c248494788.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tdev.dll

Filesize
93KB

MD5
d8cf6b0590d7fcb85195885767ecfd58

SHA1
071799f0ddcdabe670f00516c47d511e8ae2a46d

SHA256
26665f47c302d145b717ce194867299b6454aa699fc737639eaf56d57f1a9272

SHA512
5ef690f67dab3fd9ab8bace6063094ed1666dfb2445ad33570a3f70a9d0cd7cadd8ab9ec6dd0fcc0e25f974540a587b13d707c62db0d6a274d952ca9dc21eb69

Download Submit
C:\Windows\SysWOW64\tdev.dll

Filesize
91KB

MD5
1c6259db282ce7d80777aff57331f746

SHA1
f74a0a52c7d944f45f56b224b1caca64b98f1b8d

SHA256
600bd1d3f56444afe93ca67fa82b5e20db77d42e3c461f6da15922253b368c19

SHA512
08be444c56baec147ac122f8659c6140ef012c865e56b66a63d524ddb9a3536bc57e007185ae84a3a6bc97c3c11c83fbb4a7d994146076578b5da48fe3ca6934

Download Submit
C:\Windows\SysWOW64\tdev.dll

Filesize
92KB

MD5
e9674516aebeca24c5c366af96e10d05

SHA1
de9b775edcb5ddf5e7cb8691ef002547a1a48a29

SHA256
af6d7faa1d9f9a0a5ad16628869322416972afdd7c9563405eb990285b49acc0

SHA512
487cc1d79ed663e3fd89972ba944532f9dfb5a3bc80eca2293e9274feba8b847828fcd1e667116a2ed2544bddf92c3672338fef78a12928248d55cfb8897e71f

Download Submit
memory/4580-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4580-12-0x00000000022E0000-0x000000000238D000-memory.dmp

Filesize
692KB

Download
memory/4580-15-0x00000000022E0000-0x000000000238D000-memory.dmp

Filesize
692KB

Download
memory/4580-14-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads