8f8fc246c05c6acc8b22f29bc08b2e09104a048317a4b2e71f69bbbfc4e00d14

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

288956072ac1151694a29d17921c271d.exe
Size

87KB
MD5

288956072ac1151694a29d17921c271d
SHA1

b96c16eaea75ef22a1c71b29ddbcdf23b1343ce3
SHA256

8f8fc246c05c6acc8b22f29bc08b2e09104a048317a4b2e71f69bbbfc4e00d14
SHA512

3f7befe9332c93996226537f825aa93d51b08198c9a84c896895a365fec3a4972824ca79ef09b293cb3437229d286fea49c8652ff85ecbca611c6f61f9b9a968
SSDEEP

1536:GLv1GdXALyIioUrqU9d3QrlQKEdebpHlRomsTTyLMsbXslOQCPt:KOAeLoszWQYbNlams/QvbXEOLPt

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Program Files (x86)\\Internet Explorer\\288956072ac1151694a29d17921c271d.exe"	288956072ac1151694a29d17921c271d.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000015c1b-5.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2300	Regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2660-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000b000000015c1b-5.dat	upx
behavioral1/memory/2300-7-0x0000000010000000-0x0000000010031000-memory.dmp	upx
behavioral1/memory/2660-24-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{59DA0F12-24E3-4616-95FC-7925675F2A33}\NoExplorer = "1"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{59DA0F12-24E3-4616-95FC-7925675F2A33}	Regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wybho.dll	288956072ac1151694a29d17921c271d.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\288956072ac1151694a29d17921c271d.exe	288956072ac1151694a29d17921c271d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\TypeLib\ = "{97416121-26C3-5292-8FFE-E232CA276E86}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97416121-26C3-5292-8FFE-E232CA276E86}\1.0\ = "WYBHO 1.0 Type Library"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\TypeLib\Version = "1.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\ProgID\ = "WYBHO.wybhotool.1"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1\ = "wybhotool Class"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1\CLSID\ = "{59DA0F12-24E3-4616-95FC-7925675F2A33}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97416121-26C3-5292-8FFE-E232CA276E86}\1.0\HELPDIR	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\TypeLib\ = "{97416121-26C3-5292-8FFE-E232CA276E86}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool.1\CLSID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CLSID\ = "{59DA0F12-24E3-4616-95FC-7925675F2A33}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97416121-26C3-5292-8FFE-E232CA276E86}\1.0	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97416121-26C3-5292-8FFE-E232CA276E86}\1.0\FLAGS\ = "0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97416121-26C3-5292-8FFE-E232CA276E86}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\wybho.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\TypeLib\ = "{97416121-26C3-5292-8FFE-E232CA276E86}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CurVer\ = "WYBHO.wybhotool.1"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\ProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\VersionIndependentProgID\ = "WYBHO.wybhotool"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97416121-26C3-5292-8FFE-E232CA276E86}\1.0\0\win32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\Programmable	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97416121-26C3-5292-8FFE-E232CA276E86}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97416121-26C3-5292-8FFE-E232CA276E86}\1.0\FLAGS	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97416121-26C3-5292-8FFE-E232CA276E86}\1.0\HELPDIR\ = "C:\\Windows\\system32"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\TypeLib\Version = "1.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CLSID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\InprocServer32\ = "C:\\Windows\\SysWow64\\wybho.dll"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97416121-26C3-5292-8FFE-E232CA276E86}\1.0\0	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\ = "wybhotool Class"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool\CurVer	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\VersionIndependentProgID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\ = "Iwybhotool"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WYBHO.wybhotool	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59DA0F12-24E3-4616-95FC-7925675F2A33}\ = "wybhotool Class"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3DA8A66-5315-4E41-A2B6-A8818B9B8268}\ = "Iwybhotool"	Regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2660	288956072ac1151694a29d17921c271d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2660	288956072ac1151694a29d17921c271d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2300	2660	288956072ac1151694a29d17921c271d.exe	28
PID 2660 wrote to memory of 2300	2660	288956072ac1151694a29d17921c271d.exe	28
PID 2660 wrote to memory of 2300	2660	288956072ac1151694a29d17921c271d.exe	28
PID 2660 wrote to memory of 2300	2660	288956072ac1151694a29d17921c271d.exe	28
PID 2660 wrote to memory of 2300	2660	288956072ac1151694a29d17921c271d.exe	28
PID 2660 wrote to memory of 2300	2660	288956072ac1151694a29d17921c271d.exe	28
PID 2660 wrote to memory of 2300	2660	288956072ac1151694a29d17921c271d.exe	28
PID 2660 wrote to memory of 2604	2660	288956072ac1151694a29d17921c271d.exe	30
PID 2660 wrote to memory of 2604	2660	288956072ac1151694a29d17921c271d.exe	30
PID 2660 wrote to memory of 2604	2660	288956072ac1151694a29d17921c271d.exe	30
PID 2660 wrote to memory of 2604	2660	288956072ac1151694a29d17921c271d.exe	30

C:\Users\Admin\AppData\Local\Temp\288956072ac1151694a29d17921c271d.exe
"C:\Users\Admin\AppData\Local\Temp\288956072ac1151694a29d17921c271d.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe /s "C:\Windows\system32\wybho.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\123.bat" "
  2⤵
  - Deletes itself
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.bat

Filesize
254B

MD5
5fea8b79cb85520529dee3c0a1e2c235

SHA1
64c0993b00791e39be10dd60030fa2e7d608b5a8

SHA256
30a9f5bfb1297ac45414b9c51c0fd4299466ce0cd7f03470bd57f80f88102946

SHA512
2f5732faaff928aa0ec7ea5a823c0ea3ec1c83f2f724fb9a8662ff1db47495cb838ef2c8fad7a1fd8478483df2f78432af984e107ff494e9fde9a7dbe30aebf2

Download Submit
C:\Windows\SysWOW64\wybho.dll

Filesize
69KB

MD5
e8ea8d3d634e2161f2659efed5d14f4f

SHA1
64fc0429e20aa973abe22884c54048909a3fc4e3

SHA256
7175796aeecba99d4d5e1ed49a75ac061082cc8368c6a2d8f8fd1081d324d0b0

SHA512
39c4aa6f5d99841a1f8cf339049807ad33d2853b291af5f452c2c926aecb3872bf2985c1381dbeaffddfce63994016ecbbdd52d5d2c2770aceac9bc323b84acd

Download Submit
memory/2300-7-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2660-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2660-24-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download