09a14d8fd564b40b7db6c8d69e3acb39c356d2299431094a8958f4130723b75c

General

Target

157670a4ae60c8bb3b4098ecd7c75585.exe
Size

448KB
MD5

157670a4ae60c8bb3b4098ecd7c75585
SHA1

08f5e24fae415f4377f307a1aa7a157adaa48753
SHA256

09a14d8fd564b40b7db6c8d69e3acb39c356d2299431094a8958f4130723b75c
SHA512

6e5883817fb344d101667304e621be5ad055269a6115b127b3342ee8f602ca62622185cb781744204bd81f85a4fb434709370a133ab9991d130a81d1124e2de1
SSDEEP

6144:mGp8mKszXpyCzlOvClFx0R7FrMfgm0AwS0iX0YbHrYlmWVB6iJw8BIlAMiyGKWEy:bKszPIvCzAF1OwxdZmWWiG88AMJg/kI

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c0000000122f9-4.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2376	157670a4ae60c8bb3b4098ecd7c75585.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-0-0x0000000000400000-0x0000000000509000-memory.dmp	upx
behavioral1/memory/2376-14-0x0000000000400000-0x0000000000509000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{49B7172E-F295-4AFF-893E-5763294454AC}	157670a4ae60c8bb3b4098ecd7c75585.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	157670a4ae60c8bb3b4098ecd7c75585.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	157670a4ae60c8bb3b4098ecd7c75585.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	157670a4ae60c8bb3b4098ecd7c75585.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	157670a4ae60c8bb3b4098ecd7c75585.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FleshCatcher.dll	157670a4ae60c8bb3b4098ecd7c75585.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49B7172E-F295-4AFF-893E-5763294454AC}	157670a4ae60c8bb3b4098ecd7c75585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49B7172E-F295-4AFF-893E-5763294454AC}\ = "Flash Catcher"	157670a4ae60c8bb3b4098ecd7c75585.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49B7172E-F295-4AFF-893E-5763294454AC}\InprocServer32	157670a4ae60c8bb3b4098ecd7c75585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49B7172E-F295-4AFF-893E-5763294454AC}\InprocServer32\ = "C:\\Windows\\SysWow64\\FleshCatcher.dll"	157670a4ae60c8bb3b4098ecd7c75585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49B7172E-F295-4AFF-893E-5763294454AC}\InprocServer32\ThreadingModel = "Apartment"	157670a4ae60c8bb3b4098ecd7c75585.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2836	2376	157670a4ae60c8bb3b4098ecd7c75585.exe	28
PID 2376 wrote to memory of 2836	2376	157670a4ae60c8bb3b4098ecd7c75585.exe	28
PID 2376 wrote to memory of 2836	2376	157670a4ae60c8bb3b4098ecd7c75585.exe	28
PID 2376 wrote to memory of 2836	2376	157670a4ae60c8bb3b4098ecd7c75585.exe	28

C:\Users\Admin\AppData\Local\Temp\157670a4ae60c8bb3b4098ecd7c75585.exe
"C:\Users\Admin\AppData\Local\Temp\157670a4ae60c8bb3b4098ecd7c75585.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\_delme.bat
  2⤵
  - Deletes itself
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_delme.bat

Filesize
184B

MD5
beb18f16de83e4372fa076539e6418a1

SHA1
d6d526ec24ce3425d220afb490150c61e39b5021

SHA256
904971e2e3caeea4b8405cb8a8666439ee9ba60e9b836f5556a5d45e6132ebfb

SHA512
7edb24da8082187ad67d46f3bc856c08f507702d0a7aa603c9eee5faf5b0c29393bdda32db77215eec9b68686dccb01c05aed32d29baaf333e942474c06aaefc

Download Submit
\Windows\SysWOW64\FleshCatcher.dll

Filesize
201KB

MD5
b08da8984c936a7a7ec8a3b617532b5b

SHA1
aa85ec5a2518b541a19032f164e773d9620d9ca2

SHA256
bc039edbaf1bcbeff636fb941e68b987d727d713769cfd9aa8d7b153489a4c23

SHA512
7c1b1d32ec75b32df946ce04d72482982fb1cdbf8f587760a12307dc7e1dd09b2549889469ec52d3e51638d8dc042e42695af1a2656962538bfdf8a1a3ff66db

Download Submit
memory/2376-0-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2376-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2376-6-0x0000000002E40000-0x0000000002EC5000-memory.dmp

Filesize
532KB

Download
memory/2376-14-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing