e0e21bfe863806596f9134d366c6ac0570cde94708f823bc5028213ccabb1b57

Analysis

max time kernel
137s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21cda66be5a5a266a6834c4f7c380b43.exe
Size

17KB
MD5

21cda66be5a5a266a6834c4f7c380b43
SHA1

3a4db917567623519a0060737c8108abaec865b1
SHA256

e0e21bfe863806596f9134d366c6ac0570cde94708f823bc5028213ccabb1b57
SHA512

80bffa1ce86cbf35db15551aa395ab885321765f0addcfd93cac9ff629a4d665ede30d747ce88e617c956303fa0c54c3c78f98ee00bbf40584cc5994c1078cb1
SSDEEP

384:2ouG6vcHqnOpe+JztSs8/SoG8EaiV2yqQ6e8vaWUUHcfj:SFcGoxJtSdi87isQR+aWhcf

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	21cda66be5a5a266a6834c4f7c380b43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\21cda66be5a5a266a6834c4f7c380b43.exe"	21cda66be5a5a266a6834c4f7c380b43.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000300000001f45f-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4536	sbsm.exe

Loads dropped DLL 1 IoCs

pid	Process
3552	21cda66be5a5a266a6834c4f7c380b43.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3552-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/3552-5-0x0000000010000000-0x0000000010009000-memory.dmp	upx
behavioral2/memory/4536-9-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/files/0x000b000000023166-8.dat	upx
behavioral2/files/0x000300000001f45f-2.dat	upx
behavioral2/memory/4536-12-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/3552-11-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}	21cda66be5a5a266a6834c4f7c380b43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}\	21cda66be5a5a266a6834c4f7c380b43.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	21cda66be5a5a266a6834c4f7c380b43.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.dwnldietool.com/redirect.php"	21cda66be5a5a266a6834c4f7c380b43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	21cda66be5a5a266a6834c4f7c380b43.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\SearchScopes	21cda66be5a5a266a6834c4f7c380b43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	21cda66be5a5a266a6834c4f7c380b43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	21cda66be5a5a266a6834c4f7c380b43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	21cda66be5a5a266a6834c4f7c380b43.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Search	21cda66be5a5a266a6834c4f7c380b43.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	21cda66be5a5a266a6834c4f7c380b43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	21cda66be5a5a266a6834c4f7c380b43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.srchgate.com/index.php?b=1&t=0&q={searchTerms}"	21cda66be5a5a266a6834c4f7c380b43.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main	21cda66be5a5a266a6834c4f7c380b43.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sbmdl.dll"	21cda66be5a5a266a6834c4f7c380b43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ThreadingModel = "Apartment"	21cda66be5a5a266a6834c4f7c380b43.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	21cda66be5a5a266a6834c4f7c380b43.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}	21cda66be5a5a266a6834c4f7c380b43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\xxx = "xxx"	21cda66be5a5a266a6834c4f7c380b43.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32	21cda66be5a5a266a6834c4f7c380b43.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
3552	21cda66be5a5a266a6834c4f7c380b43.exe
4536	sbsm.exe
4536	sbsm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 4536	3552	21cda66be5a5a266a6834c4f7c380b43.exe	15
PID 3552 wrote to memory of 4536	3552	21cda66be5a5a266a6834c4f7c380b43.exe	15
PID 3552 wrote to memory of 4536	3552	21cda66be5a5a266a6834c4f7c380b43.exe	15

C:\Users\Admin\AppData\Local\Temp\21cda66be5a5a266a6834c4f7c380b43.exe
"C:\Users\Admin\AppData\Local\Temp\21cda66be5a5a266a6834c4f7c380b43.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\sbsm.exe
  C:\Users\Admin\AppData\Local\Temp\sbsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sbmdl.dll

Filesize
7KB

MD5
be2073b9da87faf7f160d13d13085f23

SHA1
aae42996e7675de4ee0c268e618f658913e1e296

SHA256
7b6b7399b4a64e087fa63ade7b40600f85c5c04d06c72779af77383871b0a2c3

SHA512
736e49495b93287f19a4ea8c5b841d29a08b4855ac76e7bb786d1afb34f799aba5f048f6f584a58b0f94b19eed986642bacf01ca5a01a356b0b195fd2301ea08

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbsm.exe

Filesize
5KB

MD5
6fb9ebf6bd26c22d6fc829210e1ad8a3

SHA1
1f7797c4887c808a0db06bd394fd9d462c286d63

SHA256
4a404c3c4875b032e4405379d35a0ab52c321de652d9d3ebc179241f43cdab86

SHA512
78ae674e95c4588fa7f0f6b05d4969f00ae07c5e7237cfbe0be1ee52850a07608ba93be88120c909b47fc8b295bcd0c1e180530acaf0818730bf62fe3663d35d

Download Submit
memory/3552-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3552-5-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/3552-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3552-15-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/4536-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4536-12-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download