a3bbf1f3de84eb1a76ea97169372fecda6c25354aba4ab7bc78bd7fee318475f

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

196f5d9f10dad00192205787aa815c37.exe
Size

17KB
MD5

196f5d9f10dad00192205787aa815c37
SHA1

fc691a7c33aa1a5188db3aa1eeeb7484a2ca67a6
SHA256

a3bbf1f3de84eb1a76ea97169372fecda6c25354aba4ab7bc78bd7fee318475f
SHA512

b796024e1821ad98ce26342f724f87a621b4c1440a8936aeeb12a5ce0fa6019457b9258e40177844e8aa5465c8c9915a1ac7f9d3cf038f4b228d1b7edc4a16c6
SSDEEP

384:eX9tY6/1a08Bhx3jz/UvAzIti3pFQB7a:etGe1HI3jzsIzI83v0

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	196f5d9f10dad00192205787aa815c37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\196f5d9f10dad00192205787aa815c37.exe"	196f5d9f10dad00192205787aa815c37.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000012251-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2200	iebtmm.exe

Loads dropped DLL 3 IoCs

pid	Process
1716	196f5d9f10dad00192205787aa815c37.exe
1716	196f5d9f10dad00192205787aa815c37.exe
1716	196f5d9f10dad00192205787aa815c37.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1716-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/files/0x000c000000013a83-5.dat	upx
behavioral1/files/0x000a000000012251-2.dat	upx
behavioral1/memory/2200-15-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1716-16-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2200-17-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}	196f5d9f10dad00192205787aa815c37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\	196f5d9f10dad00192205787aa815c37.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	196f5d9f10dad00192205787aa815c37.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	196f5d9f10dad00192205787aa815c37.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Search	196f5d9f10dad00192205787aa815c37.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	196f5d9f10dad00192205787aa815c37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.whateversearch.net/index.php?b=1&t=0&q={searchTerms}"	196f5d9f10dad00192205787aa815c37.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes	196f5d9f10dad00192205787aa815c37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	196f5d9f10dad00192205787aa815c37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	196f5d9f10dad00192205787aa815c37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	196f5d9f10dad00192205787aa815c37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	196f5d9f10dad00192205787aa815c37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.iexplorerclue.com/redirect.php"	196f5d9f10dad00192205787aa815c37.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	196f5d9f10dad00192205787aa815c37.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}	196f5d9f10dad00192205787aa815c37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\ddd = "ddd"	196f5d9f10dad00192205787aa815c37.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32	196f5d9f10dad00192205787aa815c37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iebt.dll"	196f5d9f10dad00192205787aa815c37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32\ThreadingModel = "Apartment"	196f5d9f10dad00192205787aa815c37.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID	196f5d9f10dad00192205787aa815c37.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	196f5d9f10dad00192205787aa815c37.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe
1716	196f5d9f10dad00192205787aa815c37.exe
2200	iebtmm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2200	1716	196f5d9f10dad00192205787aa815c37.exe	25
PID 1716 wrote to memory of 2200	1716	196f5d9f10dad00192205787aa815c37.exe	25
PID 1716 wrote to memory of 2200	1716	196f5d9f10dad00192205787aa815c37.exe	25
PID 1716 wrote to memory of 2200	1716	196f5d9f10dad00192205787aa815c37.exe	25
PID 1716 wrote to memory of 1964	1716	196f5d9f10dad00192205787aa815c37.exe	24
PID 1716 wrote to memory of 1964	1716	196f5d9f10dad00192205787aa815c37.exe	24
PID 1716 wrote to memory of 1964	1716	196f5d9f10dad00192205787aa815c37.exe	24
PID 1716 wrote to memory of 1964	1716	196f5d9f10dad00192205787aa815c37.exe	24

C:\Users\Admin\AppData\Local\Temp\196f5d9f10dad00192205787aa815c37.exe
"C:\Users\Admin\AppData\Local\Temp\196f5d9f10dad00192205787aa815c37.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
  C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\iebt.dll

Filesize
7KB

MD5
ead26975a00c823529ab3b491bfe39e2

SHA1
a5700c574880941dfa98977786d2b5612f70d7ff

SHA256
cd478ba42d3a01771c2db4a31bbf3e0ba2ea568da99061eb7c6c306cd1ce87bb

SHA512
097cde84f6c7012f062c6d5e7e34370657ea14538bb69ea62e4f6ef5369bf1a40d1a00214f59f1d9a8cf6cedceca6ac838725d3b0aa072b5f2b2f4bd3cdddeea

Download Submit
\Users\Admin\AppData\Local\Temp\iebtmm.exe

Filesize
5KB

MD5
c37988178faca33a5b6d6880b0773d79

SHA1
5ba4682c918397cdcf49a2c916cfd1be5f3ee05c

SHA256
9f1f8feefec57204e63acbfd71d34b2a521836dd5ccb2ca0c40dbdc2d7459f09

SHA512
8616912a01970bf61b813430711a9e37245c08996c70556d65051c2bd447977102c1d5001775441777e55c598009ddf665cf49b606a4a4b9ca55baf4c54b8697

Download Submit
memory/1716-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1716-13-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/1716-14-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/1716-7-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1716-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1716-18-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1716-19-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/1716-22-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/2200-15-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2200-17-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download