f002e84df7f3906d363522b3e4497f9f5ed37b996fcc862dede912d2b7386d5b

Analysis

max time kernel
186s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45e18c4a64d02d99156dc3a75603a240.exe
Size

30KB
MD5

45e18c4a64d02d99156dc3a75603a240
SHA1

549d6879208795db03f7e268ba2cf4bfb881b45c
SHA256

f002e84df7f3906d363522b3e4497f9f5ed37b996fcc862dede912d2b7386d5b
SHA512

d29fee8bd9dee184427c6d7c9aca6a7a2bac8d52a37475825cfbbcd13c07563539d2451246e3b8547cde4b56d8100121e8eeb4424f509077bcca8e4117cdee53
SSDEEP

768:fEUlIyjTLkR5IV6PPgzoytLlQ4R1ucbyVZR:BGygQoygsByF

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	45e18c4a64d02d99156dc3a75603a240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\45e18c4a64d02d99156dc3a75603a240.exe"	45e18c4a64d02d99156dc3a75603a240.exe

Executes dropped EXE 1 IoCs

pid	Process
5080	isfmm.exe

Loads dropped DLL 1 IoCs

pid	Process
1664	45e18c4a64d02d99156dc3a75603a240.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}	45e18c4a64d02d99156dc3a75603a240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\	45e18c4a64d02d99156dc3a75603a240.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	45e18c4a64d02d99156dc3a75603a240.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	45e18c4a64d02d99156dc3a75603a240.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	45e18c4a64d02d99156dc3a75603a240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	45e18c4a64d02d99156dc3a75603a240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.ietoolgate.com/redirect.php"	45e18c4a64d02d99156dc3a75603a240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	45e18c4a64d02d99156dc3a75603a240.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Search	45e18c4a64d02d99156dc3a75603a240.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	45e18c4a64d02d99156dc3a75603a240.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	45e18c4a64d02d99156dc3a75603a240.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\SearchScopes	45e18c4a64d02d99156dc3a75603a240.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main	45e18c4a64d02d99156dc3a75603a240.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.asearchpool.com/index.php?b=1&t=0&q={searchTerms}"	45e18c4a64d02d99156dc3a75603a240.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "about:blank"	45e18c4a64d02d99156dc3a75603a240.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\xxx = "xxx"	45e18c4a64d02d99156dc3a75603a240.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\InprocServer32	45e18c4a64d02d99156dc3a75603a240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\isfmdl.dll"	45e18c4a64d02d99156dc3a75603a240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}\InprocServer32\ThreadingModel = "Apartment"	45e18c4a64d02d99156dc3a75603a240.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	45e18c4a64d02d99156dc3a75603a240.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}	45e18c4a64d02d99156dc3a75603a240.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
1664	45e18c4a64d02d99156dc3a75603a240.exe
5080	isfmm.exe
5080	isfmm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 5080	1664	45e18c4a64d02d99156dc3a75603a240.exe	90
PID 1664 wrote to memory of 5080	1664	45e18c4a64d02d99156dc3a75603a240.exe	90
PID 1664 wrote to memory of 5080	1664	45e18c4a64d02d99156dc3a75603a240.exe	90

C:\Users\Admin\AppData\Local\Temp\45e18c4a64d02d99156dc3a75603a240.exe
"C:\Users\Admin\AppData\Local\Temp\45e18c4a64d02d99156dc3a75603a240.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\isfmm.exe
  C:\Users\Admin\AppData\Local\Temp\isfmm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\isfmdl.dll

Filesize
11KB

MD5
11d923708ee0f58104f03d7e430503e1

SHA1
58c3d25d57ed82d36f64f35f1fadd62166bad756

SHA256
604f32dde1fd1204712afa0b3811d8203e61f3995c84c7092a116943bc62d189

SHA512
0d5fe4adbd35dcef690c0bd10fd3dd20db2f48f79b269231f5fda174392368c25e0b8bf18f0a38c34ac90381ee6b06910f37ec9fbd27504880b55f2bc026d2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\isfmm.exe

Filesize
7KB

MD5
f2ae943aab2fd86a4a46ab3a7755a11b

SHA1
ba6933ee5ce7f408e3690012bb227f1a23a3fa5c

SHA256
b1fcf08abac0f20e6c32525ad2f195e4e61f4efafdd0ec6afd62b5e8ea998303

SHA512
658d02069c9d82ab06bf4b9ea3e32ee537ab7f3a3ebed396112454c82be6dcaa76d91095d5ae2650f698ebad5f6cd604139326126f6759ff89da32f727e204f6

Download Submit