de27b6995c9e75e1b28001d190ef14d01db8048cb5a45d307e36ed9e380135b1

Analysis

max time kernel
118s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 17:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54194865ace6b32dab8b4d3fe5ce93af.exe
Size

103KB
MD5

54194865ace6b32dab8b4d3fe5ce93af
SHA1

6828dc5ba15e0420a9cdb790375734d540cd1ab1
SHA256

de27b6995c9e75e1b28001d190ef14d01db8048cb5a45d307e36ed9e380135b1
SHA512

fb09e405fb55cca55b99d4d9e68211f3d9403ab8c966c4d172ffa80113f92df770ce9c7fe2ea5d3e619a6406c71a14bdf0e7bb2a9bdad0fe75f6039d9d531145
SSDEEP

1536:00kNcWY31aRhvT5JaRSv7WanirRtOKz7fHwrjVUV0aTT7WzAt6FzW6:Dk2WvhvT2sDE17fHwVeTWzAtT6

Score

7^/10

adware stealer upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2088	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1244-0-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1244-28-0x0000000000400000-0x000000000044E000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}	regsvr32.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jumast.dll	54194865ace6b32dab8b4d3fe5ce93af.exe
File created	C:\Windows\SysWOW64\p.ico	54194865ace6b32dab8b4d3fe5ce93af.exe
File created	C:\Windows\SysWOW64\sf.ico	54194865ace6b32dab8b4d3fe5ce93af.exe
File created	C:\Windows\SysWOW64\c.ico	54194865ace6b32dab8b4d3fe5ce93af.exe
File created	C:\Windows\SysWOW64\m.ico	54194865ace6b32dab8b4d3fe5ce93af.exe
File created	C:\Windows\SysWOW64\m3.ico	54194865ace6b32dab8b4d3fe5ce93af.exe
File created	C:\Windows\SysWOW64\s.ico	54194865ace6b32dab8b4d3fe5ce93af.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ios.dat	54194865ace6b32dab8b4d3fe5ce93af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701d00d8b044da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a000000000200000000001066000000010000200000004d4b0b10dc9a0aeb469899aaa16c113a32d81d25027648a33eaec23b260cc2e3000000000e8000000002000020000000f0c4252c86078ecbae7641d84842822325d43d71097eb79aba33da559c6f29a390000000b83fcfec44791818aafd4bd445b9abbcd7124ebc6483beed0f6802df1d378313b8dc0666db43ef93007853ed0f722cfffbf363e1da0b3ea272d5d820802064a8bae6c8c432674a51bd315d6c95c0b54b25294d5227cfbb54265d98722a956279e86f33f402db54c1f24040d625cb400a58f29a9bcb95f198f1a88a5a50db104efa134f22a41a87ae710e2d6e2ec189ea400000000b87a2a4b7a1c827383a24deea6311d26179454626449c12ae28452c13babf36be4b2b148c0fe465a2a1d67687e9a6383895af15fbfeb45822ca6ee6d2d8e79f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a00000000020000000000106600000001000020000000067a2cb32e6f647ae840e61770a87c47d4d2f40f488a046383b3a0a87692cb83000000000e8000000002000020000000eb74d93fd8d3e6a41f7c601eafd34b1e9e4d484d05574c62d0b76b4a76a1b80220000000ebbd0145e52af5fc098f1e76abc0ca9607f4371c92c2057ccbfea70a5f65af5740000000ebb88bd65d3e63ff45970f8cdc4bb46e2cfa9425fac4229561c9517dd4a30d82f0adb3044f6d9c447bb713f7ff39bfefe64f6abbf48be1e2678d09d5ef3512a3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{03732921-B0A4-11EE-832E-DECE4B73D784} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411154767"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bohia.1\ = "Windows Live Sign-in"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\ = "Ibnfav2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bohia.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bohia\ = "Windows Live Sign-in"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\VersionIndependentProgID\ = "Bohia"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\ = "_Ibnfav2Events"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bohia.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\ = "_Ibnfav2Events"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\ProgID\ = "Bohia.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F17DACBC-737A-481F-B587-E500EC210426}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bohia	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\InprocServer32\ = "C:\\Windows\\SysWow64\\jumast.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "sdfip1 Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F17DACBC-737A-481F-B587-E500EC210426}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\jumast.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\ = "Windows Live Sign-in"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bohia.1\CLSID\ = "{F30A54E8-72C6-4907-AA5B-9F5FF8279082}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\ = "Ibnfav2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bohia\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F30A54E8-72C6-4907-AA5B-9F5FF8279082}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F17DACBC-737A-481F-B587-E500EC210426}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Bohia\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bohia\CLSID\ = "{F30A54E8-72C6-4907-AA5B-9F5FF8279082}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bohia\CurVer\ = "Bohia.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CA9254-5246-412C-9141-1486B0F519C0}\TypeLib	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2872	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2872	iexplore.exe
2872	iexplore.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2088	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	28
PID 1244 wrote to memory of 2088	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	28
PID 1244 wrote to memory of 2088	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	28
PID 1244 wrote to memory of 2088	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	28
PID 1244 wrote to memory of 2088	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	28
PID 1244 wrote to memory of 2088	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	28
PID 1244 wrote to memory of 2088	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	28
PID 1244 wrote to memory of 2872	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	29
PID 1244 wrote to memory of 2872	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	29
PID 1244 wrote to memory of 2872	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	29
PID 1244 wrote to memory of 2872	1244	54194865ace6b32dab8b4d3fe5ce93af.exe	29
PID 2872 wrote to memory of 2748	2872	iexplore.exe	30
PID 2872 wrote to memory of 2748	2872	iexplore.exe	30
PID 2872 wrote to memory of 2748	2872	iexplore.exe	30
PID 2872 wrote to memory of 2748	2872	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\54194865ace6b32dab8b4d3fe5ce93af.exe
"C:\Users\Admin\AppData\Local\Temp\54194865ace6b32dab8b4d3fe5ce93af.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\jumast.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2088
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://configupdatestart.com/bind2.php?id=dress
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af8fb249abc254fba2e95320035d6ddc

SHA1
2a4fdb89c2a119f2b54acff9fb4040df2fa1c50e

SHA256
3373869efa18154b83ad7b3df5a0339df89e54550307ee4d38aef83f4a61aa34

SHA512
e1eb63695f42c92c19423ddd6bdde29dccf8bae5b3787eb23be89427ad70da83084da1aef5bfad1d26b7c2e0b885e1e876bfbafdc81aeddb3a9436c3d18a3f65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e5c345f36f90348de0fcfe43d806db6

SHA1
59f267ca4428ae4f6ff98fbde5c41e5cdb2df1d5

SHA256
b65d74845c03b55ec9f4ef88f6a22a6c8919ba011fc3f67f95827613b9205288

SHA512
a2658d28b58d15f92430ece2a46cf5f7595243b1acb74d121be2823849f9ad191645c76d60f78d757d54ac9873af5e60c8f8f71d65cfd8385777ffedf7c260a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8af5a4e94464e304c08b356cd4a8fefb

SHA1
10b9b712bc6f108acb60682c15eac2345dff8ed8

SHA256
494b8ec3daa942bfdd3b7762b66f113beffbf4089c48a808833455b58dd01388

SHA512
db0f42e157e41d64675f63708d486b75827669b0bab232991c14c6bdd817e5514fbb2597ce60d0ecc1804e7adfad9632419c032aca2edb58d98edfcf2f657717

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
945f72f9a05e02dd182c817f5a0cba35

SHA1
2ff944d306b81707e0f74c6daf7760f7dd0ad82f

SHA256
6b6654aa865ae150dfb5ac2674437a7fb27b59920dd956b018b4a78f9ca251d4

SHA512
202c2a7585bcb4b32f2105158434164665f1002a08d4c377c9ccaee867c3b85fa8387f9eae977d1054bda98c7df51229dd517d7b07cd311515ca17881e60468d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d908caa73269acbb1d53b3b394b0dadc

SHA1
3047134ae9cbabcd0b9fe06bb17e792ab68427ea

SHA256
e63cda93ddd56795414f23107112da3089f31a9da9bb8bbbde3850d6415d324e

SHA512
e9e0d04a7e033da2adc4f9844bbcb95467facf8ef8184c9cbc1a6aaeceaa15eb3bb410fbfea7e248c2fdd3e2159270fd4ec897efd27aa1a7bafdca7c1b677f64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e3c9b5620bbdaa4baee7ad860e60502

SHA1
d42f371bc3618c79f575289969466265e4dcaeb9

SHA256
e737b6bf96a34067636480db6ad4b95c786c1c2c1ad5c10e358f31c304d0df6f

SHA512
57a96aae2817a6f7d725c4c32988bec2217c320a814a3f5b9f7d39f5bd4daca32b65d711ec2d8c2d1b97ca15f8defa5e2bc769833a78c585aaa9c6d190bbf9b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e3c723b8483171d44164d63f40d89ed

SHA1
851c168f7bc25ee29c330a8acf294a36418c943a

SHA256
a297fb47449bc5e25574a3c1b2b65f0646322b419cd1156c10d2b435d7778627

SHA512
6e5cd8844f389b8241ff18134778877a0e08f58bfbbcd798bf31156512a51adab6c9b76aeb43e328bc10ba8c7125c944183c5695b10788fa90306d2591bf1af0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ba84ed9e67c8224b09750ac714f8fc3

SHA1
8430e9871741c267d186031add8bcd3d31eea3e4

SHA256
3b9714e483cae68bc29d73f3f86d3103cf83107d5752aef6ca2329c35d59757e

SHA512
42ff8c472f1f77f0134515400d36d02d5213a3db64534a2f1ccb321eee86c86e67ba2165fbb36a00718aeff7159a8188f0e4d0557ec0955a00e6d4cdbfe16920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2ce790d02e92171b1544f95eced9058

SHA1
8c55ec18d9c8de140a18dac686aac67e8e6bb1ce

SHA256
80ad02ba1a9f8f9403a65f467f1a97bcb968261ba3153f17dcee0facdc15a700

SHA512
19d93a6ab3f47b7450b8751ee730ece225f9f68b6d2bfce528b1057643e2f8a1847718fe0dcac695d9afd73fde1b2ed799154212c8cab7320642932b3dcb4fbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b817cfe099d6602d60464a91d2e7096

SHA1
8f497652fe72fc666fcd390ade3d40d5aea85f95

SHA256
f20ccfd7060102d6e3a0a8eac75f522116bc174853db5d439d7f1abc5057394f

SHA512
10c815498ac0e90989de2535901ebea625c369378cbd7131909f32bcef2a6d68289470e6fbb1ed91a581e9fe75fdbc56e69c110aa03c8d17d44683b2872dab1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01ce9127005a5de1ca704557f7399f36

SHA1
c4ad6f102027920d80a0329f410f86930fb3465e

SHA256
a62e82e0813e85d88eb7e59d6d5e629989d984e036a52325e14be738963ddcb8

SHA512
e7102d38e1b7e48f28c38ef8235d47aca9a1bd96ac168910a6fb26b5ab2eebdb0ab9999b827842d610f290d3e78e4b7738cb36614646af5b9ceb3f926c5f8166

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab30F2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4189.tmp

Filesize
40KB

MD5
e455a01876d1fed861237bb18c77c45f

SHA1
dbc0f4290332d5c6aef49787e9743882889062fb

SHA256
978d4847cf1e08d55f4037ceb200691342b74e500e9ce314cf47a6c477061380

SHA512
ca37155242ce597d46b5f416d895e66530404cce59007fef8bd0307fba4a57d21ee01c43c8effef582dedba5f9f5cccd81b3203c8ffde3f874b932465699a8e6

Download Submit
C:\Windows\SysWOW64\jumast.dll

Filesize
106KB

MD5
6d42aa568207eb238e59ccf795a4ec78

SHA1
e29f725a38e2af4c1b31e9780a9dd20d68e92579

SHA256
3fc0b32ddb308bb24b4af0824db7fc24b9cc98c46b4dfc330dc4cc0c5fdff2aa

SHA512
ef74a9519d869f7f813206bb7f2954b0210982701c8f8d478f5cbe413ce85cdb5c145f7e893768cc78c5aaecf7cce33788f2a41a57621ac3ae5a218b4cd2e584

Download Submit
\Windows\SysWOW64\jumast.dll

Filesize
144KB

MD5
d9b31a8af146b7b4b83f2fc70fd29368

SHA1
a60bb959885812c7515ba16e97ff5d0d87b2a5f1

SHA256
c7fee3b286ec939b1a132a7c2815b84546116f7ce6f1c729ae29c33429f111c0

SHA512
9f3af1f39b3f1a090749b2207fc2a07bead18a66f99f3eb2f190479e986ff260e4ef309b942938b71771e268ba58773a8894c3fe139528686c2e0e940853c9c9

Download Submit
memory/1244-28-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1244-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads