c28d1138b14e58c750896882c2832e4f2f7594c554eca20dc5fc454082fe1fa3

General

Target

07ce970f7c584e9ece86a07df4198ca4.exe
Size

1.1MB
MD5

07ce970f7c584e9ece86a07df4198ca4
SHA1

8e63435eea731fb5191896aa17f91d0ff4110a8f
SHA256

c28d1138b14e58c750896882c2832e4f2f7594c554eca20dc5fc454082fe1fa3
SHA512

a641279c9f85499d43b0dfabb739fa216086fda26cdfcc330990bf217ffb18c862910cf05066456de935988974c9c74e5e241021eaf1e0d60c51c3f01b8eac63
SSDEEP

24576:HAVgakfgrhMYPLgiRDo4DH+thd+hNd+37VbQtQCgwe/Qqs4ADmiff:HAtkYriH4Sl+hf+37VbQxJqs4Ais

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
3800	07ce970f7c584e9ece86a07df4198ca4.exe
3800	07ce970f7c584e9ece86a07df4198ca4.exe
3800	07ce970f7c584e9ece86a07df4198ca4.exe
3800	07ce970f7c584e9ece86a07df4198ca4.exe
3800	07ce970f7c584e9ece86a07df4198ca4.exe
3800	07ce970f7c584e9ece86a07df4198ca4.exe
3800	07ce970f7c584e9ece86a07df4198ca4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieguide_v3 = "C:\\Program Files (x86)\\ieguide_v3\\ieguideupdate.exe"	07ce970f7c584e9ece86a07df4198ca4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\	07ce970f7c584e9ece86a07df4198ca4.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\niebgt.dll	07ce970f7c584e9ece86a07df4198ca4.exe
File created	C:\Windows\SysWOW64\niebgt.dll	07ce970f7c584e9ece86a07df4198ca4.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ieguide_v3\uninstall.exe	07ce970f7c584e9ece86a07df4198ca4.exe
File opened for modification	C:\Program Files (x86)\ieguide_v3\ieguideupdate.exe	07ce970f7c584e9ece86a07df4198ca4.exe
File created	C:\Program Files (x86)\ieguide_v3\niebho.dll	07ce970f7c584e9ece86a07df4198ca4.exe
File created	C:\Program Files (x86)\ieguide_v3\niebar.dll	07ce970f7c584e9ece86a07df4198ca4.exe
File opened for modification	C:\Program Files (x86)\ieguide_v3\License.txt	07ce970f7c584e9ece86a07df4198ca4.exe
File opened for modification	C:\Program Files (x86)\ieguide_v3\config.exe	07ce970f7c584e9ece86a07df4198ca4.exe
File created	C:\Program Files (x86)\ieguide_v3\config.exe	07ce970f7c584e9ece86a07df4198ca4.exe
File created	C:\Program Files (x86)\ieguide_v3\ieguideupdate.exe	07ce970f7c584e9ece86a07df4198ca4.exe
File opened for modification	C:\Program Files (x86)\ieguide_v3\niebho.dll	07ce970f7c584e9ece86a07df4198ca4.exe
File opened for modification	C:\Program Files (x86)\ieguide_v3\niebar.dll	07ce970f7c584e9ece86a07df4198ca4.exe
File created	C:\Program Files (x86)\ieguide_v3\License.txt	07ce970f7c584e9ece86a07df4198ca4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Explorer Bars\{9CC3DECA-53F1-441B-A0FB-369633975784}	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Explorer Bars	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Explorer Bars\{9CC3DECA-53F1-441B-A0FB-369633975784}\	07ce970f7c584e9ece86a07df4198ca4.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\InprocServer32\ = "C:\\Program Files (x86)\\ieguide_v3\\niebho.dll"	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32\ = "C:\\Program Files (x86)\\ieguide_v3\\niebar.dll"	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\Implemented Categories\{00021493-0000-0000-C000-000000000046}\	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\InprocServer32	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\InProcServer32	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InProcServer32	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\Implemented Categories	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\InprocServer32\ = "C:\\PROGRA~2\\IEGUID~1\\niebho.dll"	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\InprocServer32\ThreadingModel = "Apartment"	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32\ = "C:\\PROGRA~2\\IEGUID~1\\niebar.dll"	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32\ThreadingModel = "Apartment"	07ce970f7c584e9ece86a07df4198ca4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14ED2E3F-CC38-4FDC-82FB-951D45A09F77}\ = "IBHO"	07ce970f7c584e9ece86a07df4198ca4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\ = "ÃßÃµ»çÀÌÆ®"	07ce970f7c584e9ece86a07df4198ca4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3800	07ce970f7c584e9ece86a07df4198ca4.exe
3800	07ce970f7c584e9ece86a07df4198ca4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 3348	3800	07ce970f7c584e9ece86a07df4198ca4.exe	92
PID 3800 wrote to memory of 3348	3800	07ce970f7c584e9ece86a07df4198ca4.exe	92
PID 3800 wrote to memory of 3348	3800	07ce970f7c584e9ece86a07df4198ca4.exe	92

C:\Users\Admin\AppData\Local\Temp\07ce970f7c584e9ece86a07df4198ca4.exe
"C:\Users\Admin\AppData\Local\Temp\07ce970f7c584e9ece86a07df4198ca4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c \DelUS.bat
  2⤵
  PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
200B

MD5
73bc07090954864957d9f0dbb4ccaad7

SHA1
f69c0f89f5c5c626b20d85eed8bb7784a886e378

SHA256
89b16b350bda5e3403cfc0ce9102879a96c453ac8fff43b5923dce075cebc008

SHA512
6943edf99eb5ce084d7b92eb2d7141217c545561a5aa1fc9b4dfe63c35ca50ab50f1a50f3e0c3a5e467e8231cd094e65359c8426b6838822338c5fe26d62da02

Download Submit
C:\Program Files (x86)\ieguide_v3\niebar.dll

Filesize
238KB

MD5
6b8cf6d6540957481e69244fc679fe4e

SHA1
ed0a7007770e84439cc01661daeebda8c25b1264

SHA256
df32e6aec0f82c7ca7d908b1bc93854e41f3b8598c5b30ee46a58e25ff1ceeeb

SHA512
f2e114c96eea5b7b485332b20d03350dfea32fa83e7b326f94f49d79612238a7340bda91bfc0eac33f19877be77e7b6ef74c5977fc4426770d8a7d872c58e4d9

Download Submit
C:\Program Files (x86)\ieguide_v3\niebho.dll

Filesize
260KB

MD5
a9edd749425b975acbe1594dfb986096

SHA1
30d1379a666eae50e0ddf2f87693190706dcc02f

SHA256
87f399d3a6d47a84564778eaced548937b983c164ffb57f8066f25af440ebbf5

SHA512
09cbea06cc7030315ac3342bc02e62d66ec1a8c9a84b92c39e5dd37cf9ef5e6648084aeb22dd83797c2af88dbedd87ad65237dabc5298d80860a06cd5a63ccf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7C55.tmp\DLLWebCount.dll

Filesize
28KB

MD5
d825e4003d1697fd4bc45361e222746c

SHA1
e9d4b1073aac15d4dbb430471fcaea549e633d13

SHA256
c79e4be74eecf16f2f7f1d39724c938bf372e9568bb96fa4610926a57fe323f5

SHA512
7740a18cae5a42963c748a49ac6175482c93b34dce703a7cf24f5828ee6cdc19eb2669a634b64c2a4c861272f7e9b9e943455195a7cd6afcd8fa5586744eb86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7C55.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg7C55.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
memory/3800-17-0x0000000002A00000-0x0000000002ABE000-memory.dmp

Filesize
760KB

Download
memory/3800-19-0x00000000028A0000-0x00000000028A2000-memory.dmp

Filesize
8KB

Download
memory/3800-18-0x0000000002A00000-0x0000000002ABE000-memory.dmp

Filesize
760KB

Download
memory/3800-25-0x0000000002A00000-0x0000000002AAC000-memory.dmp

Filesize
688KB

Download
memory/3800-29-0x00000000028E0000-0x00000000028E2000-memory.dmp

Filesize
8KB

Download
memory/3800-26-0x0000000002A00000-0x0000000002AAC000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads