fbf3997330e5b4e11c9786a0947a943e895cb6f6706e726b804d40fc6b59ec40

Analysis

max time kernel
239s
max time network
282s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17ba83f79f37e85b9c9fd05dc71645e2.exe
Size

59KB
MD5

17ba83f79f37e85b9c9fd05dc71645e2
SHA1

f154fda2ecb59e0d56df108a492bb473ebb7a3cd
SHA256

fbf3997330e5b4e11c9786a0947a943e895cb6f6706e726b804d40fc6b59ec40
SHA512

eb5185ad8692fb78e7556dbab70c7579871a1f466d1050aca319fa8c183d49f80a82716f260ab5f8e0824f3c28773bb125c031577cce16fa98f6028585f6fda8
SSDEEP

1536:WriYVA9WB5dHn5dBl1pN15x1Z5lwTsmSLRA8vKuVEHFducS32j:yB5dHn5dBl1pN15x1Z5lCsmSXyuVLyj

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0004000000004ed7-3.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2884	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-4-0x0000000010000000-0x00000000100F7000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-3.dat	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cfov32i.dll	17ba83f79f37e85b9c9fd05dc71645e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c193000000000020000000000106600000001000020000000770812e2d2c9636fba03a3946440ba757bcfb1b2ddb97adedc3cc359586c3eb9000000000e8000000002000020000000d14e302149531bc163c3963e970f09d01ad5b8ba8d7f830ecd79d78c7dce5836900000000c6328fd3c33accf4e396e3960450647a32b01f046f8df90e73e02e1f73ff5756c5e4b7601201b37b16af45c79ef9c0fe34c84d77a58dbb726e535e6f92f1df61aced87749b2a6c023452de073f97b6dbab5713dd5686c5ac01ccc5e766c8ff3af19d7644c6a48cf931d9892a14576c4f651d17504146c41e3cbda938097b5d8e16cecf294419ddba8e7a1e2e53e0fbd4000000001870e8cdadb8baa9dd6eaec44070c26908d2b1023d23bc921abea5f89f48935150ca6b85cf2d7fc72e51b809eaf54240fd39bf53dfae7621b25b09b76024555	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0160cee263eda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05A50321-AA1A-11EE-9B2E-42DF7B237CB2} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c19300000000002000000000010660000000100002000000020189aa642a215478b35d82abf7165dc7f145031bb689cf6233918c48d8693ed000000000e8000000002000020000000ef5bbe3ca24a86931c1d8682a3256970dd9a3ef70b6644ae4c0e0f725973f0692000000014ca8c9a390a82b64eafb7d72f4d86b9c177e68a223ecd69b40c149c5cc1452240000000b28b4546683282207c2821e95d5907ccf2e6828573291ad7545e55d849853b371592dd18183a3a57a2cd64d3d53a7f990e0e32b8644a5e78e35beaf4c8d9e637	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410435834"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\InprocServer32\ = "C:\\Windows\\SysWow64\\cfov32i.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ = "_IBhoEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ = "_IBhoEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\ = "Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ = "IBho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Aikido\CLSID\ = "{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\ = "library.edu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ = "IBho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Aikido\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\cfov32i.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Aikido\ = "library.edu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\ProgID\ = "Aikido"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\VersionIndependentProgID\ = "toolie.Bho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho\ = "library.edu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho\CurVer\ = "Aikido"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EF67FCC-5B6C-474C-9E6C-1307EC42DFE6}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Aikido	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\toolie.Bho\CLSID\ = "{8EF40C36-293F-4749-8EA0-94FB3AD83FA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1EEDDD-13C7-4AD3-821C-B116295D08D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2868	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2868	iexplore.exe
2868	iexplore.exe
992	IEXPLORE.EXE
992	IEXPLORE.EXE
992	IEXPLORE.EXE
992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2868	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	27
PID 2660 wrote to memory of 2868	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	27
PID 2660 wrote to memory of 2868	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	27
PID 2660 wrote to memory of 2868	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	27
PID 2660 wrote to memory of 2884	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	28
PID 2660 wrote to memory of 2884	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	28
PID 2660 wrote to memory of 2884	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	28
PID 2660 wrote to memory of 2884	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	28
PID 2660 wrote to memory of 2884	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	28
PID 2660 wrote to memory of 2884	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	28
PID 2660 wrote to memory of 2884	2660	17ba83f79f37e85b9c9fd05dc71645e2.exe	28
PID 2868 wrote to memory of 992	2868	iexplore.exe	30
PID 2868 wrote to memory of 992	2868	iexplore.exe	30
PID 2868 wrote to memory of 992	2868	iexplore.exe	30
PID 2868 wrote to memory of 992	2868	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\17ba83f79f37e85b9c9fd05dc71645e2.exe
"C:\Users\Admin\AppData\Local\Temp\17ba83f79f37e85b9c9fd05dc71645e2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://thevid11.com/bind2.php?id=3913704
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:992
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\cfov32i.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96c03ac88594be267cd4882b7ab7e1ee

SHA1
873f99aedb230da562d84f90662348deabbcb32a

SHA256
da5f13d179d1ce0ea93092e995eaff91b40154873a801d2a347d25a22088882c

SHA512
303b117107135be2d3a793cbcf6c2eb4c9aa401da23c7495e62713e3b2648373cfdf83aaefaa6994d8bc8d94377c889d6268fc62b0299bc5f01dcdcb4527fe3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
861a1d48ad7dddc3b6ebd034d9a549d7

SHA1
2ec0cbfafea96264038eb6f8c4ea29981d5f6b26

SHA256
a3c29cc1a9be1c3e6618259a075cbdabf03bc878cb799e8ec2d6b644cb51869f

SHA512
beab05aee258167b9fa113558ab2dff4476d33938677ea6f080c51535814a75dc0c4c06e02e647968f8803f006733f63eb22a08e9cce48c49bd5b29374f1acc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8c102e5050beae8ffea4b5014f8523d

SHA1
79b7495e0f197a274330c236d41eb383cfcde06a

SHA256
9124a2b25b7bc27652bf517fb3ecb66906e0cd21485d2a45df04852e652e43e1

SHA512
2f84b693021c1b5c45d0ae564a206a4cf320f0ee0062594a0a4c33179cd661d72544fe71003a4f37e143da0c56670027adbfce619c360ac4c94a415b2b96c247

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a9a2d530d0fbd89d2f44533de1a9823

SHA1
7abfd0293fc6104345e422209bd318201ffd89c1

SHA256
38b7ac624799bcd0682045cd8383bc9f00bcfbbd0fd8c608f515722c153ce50b

SHA512
24167e5b1a23080dd40b8785c1105e937275bce500036b3830642558c0ddcae5ac89cde0aadf99ceae94ccd62890cfb5c7fceb979efab857e595064af628ebc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c681f6e138b378fb7119432ff8dd199

SHA1
359d0f27e93f576e4801b32eba56bc4f7f844325

SHA256
f47b2a2c8992dd3f04731184e574b4de5aed84123dc06035eb51f030bd6c02e0

SHA512
1ec74d9a9fb5ae36bc433b100bf2d5bd500eb4ca89cc49ff7799761ad0df5608f04c589db8b64203929ce0cb788f4e72fab17a2086ce8a34f236a7d81c7d1170

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82a2a5301a090133bb4f5811da66081e

SHA1
e33aa572f4ae896694121d3c484764c37406183f

SHA256
7f8627c4c1743bb7f49a7717f780f5df98046dba8ed134a3c598225057630694

SHA512
5856bcc0b70f60af575069a203798f8ccdddc06aa6805ec86fbabdd726e032ac32680890cc49aca2fb352d8da6bc998c58df597271d672ef51f03501a1b37494

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
654dcb20bc6c7ca45cf84169393c04ac

SHA1
a5b72d8cdc750cc9e5f086ef38a07fad84010028

SHA256
207667c010134ea3353e9bc756da787e2cf4d9f882290edf5ce8452633f7bdf5

SHA512
a6dad6fd6dda3d5e94adb69d2d0682cdc35a90aebfefacef53b43f9d17e3664c0f975191babeea324d6486cb2040a11b3b910f042797fbfbf12de25ab0d5793e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9340d4b26e4290069fd775e0893671c4

SHA1
fc18e15b9e2283b35921110a81660bae30a74df7

SHA256
de3d59ebd4dd0f5f51906c781914665a888d4833bfeff54c107d6024a596723d

SHA512
c6c311a60715fe0b985726c992724f85c1a6fb258b6f78349372ddbfea7d578903b0538c3a36b4fcc45e3b8dc1d5c906823fe1c71157d3eba8ee681b43b274a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a49fe73a0f2986073180a7fab847d257

SHA1
627d483b3d6a507f6117e6f85f301af6d6162a3c

SHA256
74f79f5a4df9b5912da8b4c903cb19f6671af2a381918331e0e3b0824b1de0fc

SHA512
c19557696310322997da020631b8d35e1457540c32d98aeb70665f91797399a24bd28e1d151c9978072aa49086dc6809a17d501d27ec8ec570f675ce9a7a39e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00fd2908b7003e8e287508021647ffcb

SHA1
4f1dc8aa129ab9e16f1c629aca1400a1a2a35dd8

SHA256
8afcd91a665572f9aefc45461528a86281b85d8d5d3b3c50093aae10f7fae98e

SHA512
f9ea69369271c1cc4dc4831297628c2f8e6b37f28965cbeaba69ff55565b8c0eb5e5b853ec9712db3b27fda1e5811b7b369b78acee62500a8d6d0fe728f5a53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab33ED.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4292.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Windows\SysWOW64\cfov32i.dll

Filesize
23KB

MD5
3125c2c5b7805fe4c5146392acef7681

SHA1
01934f83826a99769410bad1e227079792bdcd1f

SHA256
5ffa1f22aeec2ad26e5379caf52a8a362d21e75e8980826e95b17b273c021cc8

SHA512
f4c83997e4f51c3ae2963f3062d98eff667e210f27a35b5d6d2c92aff479b9a280c71401b4265b74e2eef09715d8d07b83f0f20931c7181fade0b7e4079a1c5e

Download Submit
memory/2660-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2884-4-0x0000000010000000-0x00000000100F7000-memory.dmp

Filesize
988KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads