3ec4ff39f06bf8b6e8201a31f102fc732a32ca545d7d338d832e1044d4557762

General

Target

50d0d9c519640847eefb9f1bfee5b573.exe
Size

6.7MB
MD5

50d0d9c519640847eefb9f1bfee5b573
SHA1

026b7aafed3875c92dc9b7afd31696e2cf1e0fbc
SHA256

3ec4ff39f06bf8b6e8201a31f102fc732a32ca545d7d338d832e1044d4557762
SHA512

44246d76c95e50c120df65bb7bad979a77768e1f8aeba5c97bbb0b4da6748f379a59b524f99fa4bc6346725156132b2ff8efa4b58591f13d5a53ba88ca4a8e7c
SSDEEP

196608:BUAMkAg8PgPz+WXdkAjNyS53csFxVzL/ppb7fzg:BUAMkAg84hXdD37ppbfg

Score

7^/10

adware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	50d0d9c519640847eefb9f1bfee5b573.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	f.exe

Executes dropped EXE 2 IoCs

pid	Process
3568	f.exe
2596	fontreg.exe

Loads dropped DLL 1 IoCs

pid	Process
3956	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecc37558-63c9-49eb-aa3d-5d19f6997312}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecc37558-63c9-49eb-aa3d-5d19f6997312}\ = "Anti-Aliasing Tuner for IE"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecc37558-63c9-49eb-aa3d-5d19f6997312}\NoExplorer = "1"	regsvr32.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	\??\c:\windows\gdie9\aatie.dll	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\Custom.css	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\COPYING	50d0d9c519640847eefb9f1bfee5b573.exe
File created	\??\c:\windows\gdie9\src\aatie.def	50d0d9c519640847eefb9f1bfee5b573.exe
File created	\??\c:\windows\gdie9\src\aatie.mft	50d0d9c519640847eefb9f1bfee5b573.exe
File created	\??\c:\windows\gdie9\install.bat	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\aatie.ini	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\f.exe	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\aatie.dll	50d0d9c519640847eefb9f1bfee5b573.exe
File created	\??\c:\windows\gdie9\Custom.css	50d0d9c519640847eefb9f1bfee5b573.exe
File created	\??\c:\windows\gdie9\COPYING	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\src\Makefile	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\src\aatie.cpp	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\src\aatie.def	50d0d9c519640847eefb9f1bfee5b573.exe
File created	\??\c:\windows\gdie9\aatie.ini	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\src\aatie.mft	50d0d9c519640847eefb9f1bfee5b573.exe
File created	\??\c:\windows\gdie9\detoured.dll	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\src	50d0d9c519640847eefb9f1bfee5b573.exe
File created	\??\c:\windows\gdie9\src\brute_cast.h	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\install.bat	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	\??\c:\windows\gdie9\detoured.dll	50d0d9c519640847eefb9f1bfee5b573.exe
File created	C:\Windows\Fonts\Hiragino Sans GB W6.ttf	fontreg.exe
File opened for modification	\??\c:\windows\gdie9\src\brute_cast.h	50d0d9c519640847eefb9f1bfee5b573.exe
File created	\??\c:\windows\gdie9\f.exe	50d0d9c519640847eefb9f1bfee5b573.exe
File opened for modification	C:\Windows\Fonts\Hiragino Sans GB W6.ttf	fontreg.exe
File created	\??\c:\windows\gdie9\src\Makefile	50d0d9c519640847eefb9f1bfee5b573.exe
File created	\??\c:\windows\gdie9\src\aatie.cpp	50d0d9c519640847eefb9f1bfee5b573.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ecc37558-63c9-49eb-aa3d-5d19f6997312}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ecc37558-63c9-49eb-aa3d-5d19f6997312}\InProcServer32\ = "c:\\windows\\gdie9\\aatie.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ecc37558-63c9-49eb-aa3d-5d19f6997312}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ecc37558-63c9-49eb-aa3d-5d19f6997312}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ecc37558-63c9-49eb-aa3d-5d19f6997312}\ = "Anti-Aliasing Tuner for IE"	regsvr32.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3896	PING.EXE
444	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3568	f.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3568	4800	50d0d9c519640847eefb9f1bfee5b573.exe	92
PID 4800 wrote to memory of 3568	4800	50d0d9c519640847eefb9f1bfee5b573.exe	92
PID 4800 wrote to memory of 3568	4800	50d0d9c519640847eefb9f1bfee5b573.exe	92
PID 4800 wrote to memory of 4136	4800	50d0d9c519640847eefb9f1bfee5b573.exe	93
PID 4800 wrote to memory of 4136	4800	50d0d9c519640847eefb9f1bfee5b573.exe	93
PID 4800 wrote to memory of 4136	4800	50d0d9c519640847eefb9f1bfee5b573.exe	93
PID 4136 wrote to memory of 3956	4136	cmd.exe	95
PID 4136 wrote to memory of 3956	4136	cmd.exe	95
PID 4136 wrote to memory of 3956	4136	cmd.exe	95
PID 3568 wrote to memory of 2596	3568	f.exe	96
PID 3568 wrote to memory of 2596	3568	f.exe	96
PID 3568 wrote to memory of 2596	3568	f.exe	96
PID 3568 wrote to memory of 2628	3568	f.exe	97
PID 3568 wrote to memory of 2628	3568	f.exe	97
PID 3568 wrote to memory of 2628	3568	f.exe	97
PID 2628 wrote to memory of 3896	2628	cmd.exe	99
PID 2628 wrote to memory of 3896	2628	cmd.exe	99
PID 2628 wrote to memory of 3896	2628	cmd.exe	99
PID 2628 wrote to memory of 444	2628	cmd.exe	100
PID 2628 wrote to memory of 444	2628	cmd.exe	100
PID 2628 wrote to memory of 444	2628	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\50d0d9c519640847eefb9f1bfee5b573.exe
"C:\Users\Admin\AppData\Local\Temp\50d0d9c519640847eefb9f1bfee5b573.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4800
- C:\windows\gdie9\f.exe
  "C:\windows\gdie9\f.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\HZ$D.176.4351\fontreg.exe
    "C:\Users\Admin\AppData\Local\Temp\HZ$D.176.4351\fontreg.exe" /copy
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~91B1.tmp.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:3896
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\gdie9\install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s aatie.dll
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HZ$D.176.4351\FontReg.exe

Filesize
6KB

MD5
ce49c477e640463a4f4173e01b661101

SHA1
dd297f9cedd50fb2ef72004bec7c77bd592f2d07

SHA256
0a76dd4304c1c0fb3454e888acc92f7423c22181035e37b6153519f7d7075c10

SHA512
e79357a7fa4dc2eec23d2eeb086898bb9acefdee820e8c3aa85cb8376b19eb5bb355097d6731e9d77e530b77faa87073609cd6e117fcdd5daf26403481574249

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZ$D.176.4351\Hiragino Sans GB W6.ttf

Filesize
1.6MB

MD5
8fff7489f25c03a6bd140c651d7dbcc0

SHA1
b2ef95bef32a7c3617d44a6ebc5021b7eb343a45

SHA256
fa0077d8f423570aaa6f168ab444ef627435114eb3cf6de72bcd1fc537bfa82f

SHA512
c6721e04285278fbdf6aa39740511c9b8edf402c360b66b8f84551ac7248d5fe5a1665b219fb6f37858b826317a009d68554c3e3c2b20447203bce8836fe6c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZ~91B1.tmp.bat

Filesize
106B

MD5
8db19cc6ea373f5b0394adc9b65a3821

SHA1
3c4022024981964026bd7c9153e155cc0b9f21a0

SHA256
ce411b3db896f2e646df69551b7d8f0445f1c1e25df2e68e8757d3e7d321132b

SHA512
94897ab71e578cbff6b4da14de400b5341602d4289651974b7a80e711133738d14cd8f142c58c9905cdb9842114e7822de625d3f2a63982bb2a5e031a14a6c34

Download Submit
C:\Windows\gdie9\aatie.dll

Filesize
68KB

MD5
bb7b119b54f1698288bcff1f983d8a28

SHA1
7c56c360137b5923672b55c608251d4375bcead7

SHA256
bccdc3beacfa30d86a3ce72e9af0f87115ed740159a6f374ecfd81447a32bffe

SHA512
6d3e401ff3c9b3b6c663d1dca3cff86f63ed7c35b3fb0783d9db01729b41cef190dd73f5b18be0cdcdbe1109b755c0b7f96772d58cec3f493a333acc67a56a81

Download Submit
C:\Windows\gdie9\f.exe

Filesize
4.8MB

MD5
4087dcadc2c9726192a4d27942d335a0

SHA1
1b5a205c6f3dccb1c99296fe79937a47b82ae211

SHA256
ed06d5cfb96614f66fe33063535072fb080dd78ff16728a6a4f2d4fca172aa44

SHA512
3dc43eeea3c9440f25022c89a823d70282548219b7275f0a27638c8b544ca66d887803523aac67edf3f2af5728939bc0130c86ef66fa07506a902063fe5658b3

Download Submit
C:\Windows\gdie9\f.exe

Filesize
2.7MB

MD5
d85030a737dc2a44e490fff9fea3be96

SHA1
30ed917b81a398d5855ccc0632e57f3df6859e7c

SHA256
c9d06a426bf4d04e479f24232ab07e5739f804e95cff7ccd32efe589301338c6

SHA512
c4e00df6a2a2c577e7b37fe42a8be9d992252a311f35bc58fd37dfd5082a3f2c0fd46fe0eb74d6f226990da85dabf9179e0ff352c7ae429a2c803017b91b9c7b

Download Submit
C:\windows\gdie9\f.exe

Filesize
2.2MB

MD5
6752cb2c0ba261cdeb1e49e146ba928e

SHA1
22bffa5bd50573774df310886417169d82c9c6ea

SHA256
2dea8a7274744b85ede9e8ec95de5fe5f884a2419469e394496818608c31441a

SHA512
00139c5cfff515ac69df89f5677b17367a3a466ca697b92f4b046ce64781192a202ea53f8b8b22b4001116cd6bd7a625ebfc3c718a41975917f898f1b2f14c4f

Download Submit
C:\windows\gdie9\install.bat

Filesize
83B

MD5
f40ce357bdcf83f24524cda1cea44c7c

SHA1
8ecd9bc4560a855f0c0ac132eae1897fa120b60c

SHA256
88be7369018558d65cb9ec167bb20c37dfc26c5ac0a0c76a0f7af912daab619a

SHA512
d0d21c984f58c7f6270add550c41b569589a0b4416cf035adf8116a724843d80b8d525dd7778be6a40127fbff5a8a4e95289eb291566f1b16a5c937fa709942d

Download Submit

Analysis

Sharing