e606d4733adf353c8a7bf7d021e43c3920a304538bef46d857df5fd5b64e3dc1

Analysis

max time kernel
122s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c2d81eaee0204ac08594ca6872f1b77.exe
Size

431KB
MD5

3c2d81eaee0204ac08594ca6872f1b77
SHA1

4882168c92b3c1f91e21289436c5f482025b3522
SHA256

e606d4733adf353c8a7bf7d021e43c3920a304538bef46d857df5fd5b64e3dc1
SHA512

2195fdab9a36b177fe8c4518b2e6f0212e546a70ad105f276e826ec5a5db4e2d48a5d1551e0738354444bcc5e23af921b004a4788d57349fcc8d125657c50434
SSDEEP

12288:sQ412eBEXfiDanUdpqjyzyQlPKEEQsd+xB:ZNeBIqoY7plPKhNd+7

Score

8^/10

adware evasion stealer upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2720	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
2296	taskngr.exe
3024	wddmgr.exe
2960	cmss.exe

Loads dropped DLL 8 IoCs

pid	Process
2668	3c2d81eaee0204ac08594ca6872f1b77.exe
2668	3c2d81eaee0204ac08594ca6872f1b77.exe
2296	taskngr.exe
2296	taskngr.exe
2296	taskngr.exe
2296	taskngr.exe
3024	wddmgr.exe
2100	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012252-4.dat	upx
behavioral1/memory/2668-5-0x0000000001EA0000-0x0000000002011000-memory.dmp	upx
behavioral1/memory/2296-13-0x0000000000400000-0x0000000000571000-memory.dmp	upx
behavioral1/memory/2296-43-0x0000000000400000-0x0000000000571000-memory.dmp	upx
behavioral1/memory/2296-44-0x0000000000400000-0x0000000000571000-memory.dmp	upx
behavioral1/memory/2296-47-0x0000000000400000-0x0000000000571000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D032570A-5F63-4812-A094-87D007C23012}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D032570A-5F63-4812-A094-87D007C23012}\	regsvr32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\taskngr.exe	3c2d81eaee0204ac08594ca6872f1b77.exe
File created	C:\Windows\SysWOW64\WinIo.dll	taskngr.exe
File created	C:\Windows\SysWOW64\WinIo.sys	taskngr.exe
File created	C:\Windows\SysWOW64\TEBHO.dll	taskngr.exe
File created	C:\Windows\SysWOW64\wddmgr.exe	taskngr.exe
File created	C:\Windows\SysWOW64\cmss.exe	taskngr.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2964	taskkill.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TEBHO.TIEAdvBHO\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TEBHO.TIEAdvBHO\Clsid\ = "{D032570A-5F63-4812-A094-87D007C23012}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\ProgID\ = "TEBHO.TIEAdvBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\InprocServer32\ = "C:\\Windows\\SysWOW64\\TEBHO.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TEBHO.TIEAdvBHO\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TEBHO.TIEAdvBHO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D032570A-5F63-4812-A094-87D007C23012}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D032570A-5F63-4812-A094-87D007C23012}\InprocServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2296	taskngr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	taskkill.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2296	2668	3c2d81eaee0204ac08594ca6872f1b77.exe	28
PID 2668 wrote to memory of 2296	2668	3c2d81eaee0204ac08594ca6872f1b77.exe	28
PID 2668 wrote to memory of 2296	2668	3c2d81eaee0204ac08594ca6872f1b77.exe	28
PID 2668 wrote to memory of 2296	2668	3c2d81eaee0204ac08594ca6872f1b77.exe	28
PID 2296 wrote to memory of 2736	2296	taskngr.exe	38
PID 2296 wrote to memory of 2736	2296	taskngr.exe	38
PID 2296 wrote to memory of 2736	2296	taskngr.exe	38
PID 2296 wrote to memory of 2736	2296	taskngr.exe	38
PID 2296 wrote to memory of 2888	2296	taskngr.exe	37
PID 2296 wrote to memory of 2888	2296	taskngr.exe	37
PID 2296 wrote to memory of 2888	2296	taskngr.exe	37
PID 2296 wrote to memory of 2888	2296	taskngr.exe	37
PID 2736 wrote to memory of 2720	2736	cmd.exe	35
PID 2736 wrote to memory of 2720	2736	cmd.exe	35
PID 2736 wrote to memory of 2720	2736	cmd.exe	35
PID 2736 wrote to memory of 2720	2736	cmd.exe	35
PID 2888 wrote to memory of 2100	2888	cmd.exe	30
PID 2888 wrote to memory of 2100	2888	cmd.exe	30
PID 2888 wrote to memory of 2100	2888	cmd.exe	30
PID 2888 wrote to memory of 2100	2888	cmd.exe	30
PID 2888 wrote to memory of 2100	2888	cmd.exe	30
PID 2888 wrote to memory of 2100	2888	cmd.exe	30
PID 2888 wrote to memory of 2100	2888	cmd.exe	30
PID 2296 wrote to memory of 3024	2296	taskngr.exe	34
PID 2296 wrote to memory of 3024	2296	taskngr.exe	34
PID 2296 wrote to memory of 3024	2296	taskngr.exe	34
PID 2296 wrote to memory of 3024	2296	taskngr.exe	34
PID 2296 wrote to memory of 2960	2296	taskngr.exe	32
PID 2296 wrote to memory of 2960	2296	taskngr.exe	32
PID 2296 wrote to memory of 2960	2296	taskngr.exe	32
PID 2296 wrote to memory of 2960	2296	taskngr.exe	32
PID 2296 wrote to memory of 268	2296	taskngr.exe	39
PID 2296 wrote to memory of 268	2296	taskngr.exe	39
PID 2296 wrote to memory of 268	2296	taskngr.exe	39
PID 2296 wrote to memory of 268	2296	taskngr.exe	39
PID 268 wrote to memory of 2964	268	cmd.exe	41
PID 268 wrote to memory of 2964	268	cmd.exe	41
PID 268 wrote to memory of 2964	268	cmd.exe	41
PID 268 wrote to memory of 2964	268	cmd.exe	41

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2720	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3c2d81eaee0204ac08594ca6872f1b77.exe
"C:\Users\Admin\AppData\Local\Temp\3c2d81eaee0204ac08594ca6872f1b77.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\taskngr.exe
  C:\Windows\system32\taskngr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\cmss.exe
    C:\Windows\system32\cmss.exe
    3⤵
    - Executes dropped EXE
    PID:2960
- - C:\Windows\SysWOW64\wddmgr.exe
    C:\Windows\system32\wddmgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c regsvr32 /s TEBHO.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +s +h c:/file.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /F /im wddmgr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /im wddmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2964

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s TEBHO.dll
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2100

C:\Windows\SysWOW64\attrib.exe
attrib +s +h c:/file.txt
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\TEBHO.dll

Filesize
158KB

MD5
27c67977d14bd0a6b8f3e51a90ba41e0

SHA1
5cd1070c952097c69978e46e37e3cbefb4aa1ccd

SHA256
882b1a5d15c89c26392cde245c1525c414cce820fc82ee9c41f624369ead585c

SHA512
08008886c780ec046280ad46bddef1695b4d7eec6d38edac19c89ea0d6774b71987a0bfe70665081be171dafd4dabffbef1b3f111c4c69c38aee8fcffe1fc44b

Download Submit
C:\Windows\SysWOW64\WINIO.dll

Filesize
48KB

MD5
6d113aa35a8c79b236751e4ccf2b7751

SHA1
b4ac97768512acd31e4a824b6595ec2163db7972

SHA256
d2eb2a40174b9adb3abc768af7fa80882cd1e2ad22303fe4448db89509ac392b

SHA512
f83209d9e98395ae6127f247b7f68167708c1af789a332695feed0f7879d8a83405eed3c3e860e482cebc704a613563bcadfaa8a2986e348d85e50a2e0b3fb68

Download Submit
C:\Windows\SysWOW64\cmss.exe

Filesize
176KB

MD5
03672f7e99ad8fde741103cdd01eb7fb

SHA1
4c2080e31147b6eb1f70b275c82a6941d5b8248e

SHA256
37166788d820638f8e8a4b061531b7379412e8b7510778c2e668026f0a6a012f

SHA512
ba38c1becac90388350c64ea9fe1983330844ae2f5d07b01406d11622c4c1c45608d425fb93a9b2648479ddd4e816fde060ccc1f0c9471025e1c968b376cc764

Download Submit
\??\c:\ytyy.pfx

Filesize
85B

MD5
e05e7187c049f49c5191ffed1b655234

SHA1
abe799e9ca2e4c7263df2390d94baf2378518c6a

SHA256
fa5efee834627b723722c59635e412c49fbe310e6fa3ccb8dd4f8b34d97596d8

SHA512
4f7e553a654b48e0ce3d0973488df0d660d15eac3317c985afb9139bdef81f525fa2c7ca7c582c3db25e18a43a48083eed903fe180dc1bf8221352c5a807ac66

Download Submit
\Windows\SysWOW64\TEBHO.dll

Filesize
294KB

MD5
cf9b3757a58c8fe87f83b4869a6a67ed

SHA1
8636171be9b5bf1b9fd10c7cd61a2849bf0ec92f

SHA256
1145a5c6b33dfa047a46b1fdea8c5e9337d22c424bb1dc18d125890777692592

SHA512
e095199f881d06d561b64c9fa1fda087e1aad0dffb9ca7d758fe2994436461b7080f632484624d09c70a1f42a51b680977bf36be235a149ae1205000a59947b6

Download Submit
\Windows\SysWOW64\taskngr.exe

Filesize
409KB

MD5
63f0f473c4f0d7dd2280ce5c3dc39ef0

SHA1
c318282c11d6c132d6f767c27efd2fa741fd8bf9

SHA256
a2470a887c48a6fcb5a6e6e3a6aab5a50bac058a366a8bc9219249865a4635b3

SHA512
a540e050f150ebc855bf854e3880b2668486a5980ad44af4c0f3771fbb339414007d93e43ff5e50336c060767db9014c24a68b5a0ddb446898361ba890b2a319

Download Submit
\Windows\SysWOW64\wddmgr.exe

Filesize
44KB

MD5
77cc252fa93649b9d2a6352137a8e2b5

SHA1
8516b62be627f5185d4d000f79be8e745501b4a2

SHA256
127e6407a3710d88e572645083757ddb06cd7e1f50dcb192575e4ab8ec2de556

SHA512
ff03f558067abf4959e8830a14274f829d65f786b921065b0a40a812c9dbaf33c221a9283f24b789d61febf35cc82a4a2fb1b435059dd742d137c6b40dfa4a2c

Download Submit
memory/2100-42-0x00000000001B0000-0x0000000000221000-memory.dmp

Filesize
452KB

Download
memory/2296-13-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2296-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2296-44-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2296-43-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2296-45-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2296-47-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2668-12-0x0000000001EA0000-0x0000000002011000-memory.dmp

Filesize
1.4MB

Download
memory/2668-34-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2668-0-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2668-5-0x0000000001EA0000-0x0000000002011000-memory.dmp

Filesize
1.4MB

Download
memory/2668-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2668-2-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download