75f76a90bc450781f179e4aeedb7d7a0f35815a9629c4def937496a517236baf

Analysis

max time kernel
12s
max time network
12s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 03:40

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

55634b080e1ce397d516a5f5a03d903c.exe
Size

244KB
MD5

55634b080e1ce397d516a5f5a03d903c
SHA1

1e422fe68928bb036f2b8efe3bc793dffecd6f59
SHA256

75f76a90bc450781f179e4aeedb7d7a0f35815a9629c4def937496a517236baf
SHA512

c8eedbcf7e34586fd788e5a65a113357cb1c1309b2d115aa821668052231f1880215c4afe779acbf1998e734d0df6dabc79dc3e4324be120a08e2e8484d11717
SSDEEP

3072:1wJIGQRyuFDbHMXPDD9lds4i1jpq49DnQ5fHOtPgViI:1LGQRyutbH6zdy1jpq49nmfHOtP6iI

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\WINDOWS\\SYSTEM32\\liprip.dll"	ipw.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\Windows\\system32\\liprip.dll"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	ipw.exe

Loads dropped DLL 4 IoCs

pid	Process
3044	55634b080e1ce397d516a5f5a03d903c.exe
3044	55634b080e1ce397d516a5f5a03d903c.exe
2804	svchost.exe
2804	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repst = "C:\\Windows\\system32\\iprep.exe"	svchost.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsutk.dll	svchost.exe
File created	C:\Windows\SysWOW64\iprep.exe	svchost.exe
File created	C:\Windows\SysWOW64\fsutk.dll	55634b080e1ce397d516a5f5a03d903c.exe
File created	C:\WINDOWS\SysWOW64\liprip.dll	ipw.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.1	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.0	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.2	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.0	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-18	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.1	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.2	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R18.0	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ThreadingModel = "Apartment"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ = "IEHlprObj.IEHlprObj.1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "QuickFlash"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ = "QuickFlash"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{BF50AC63-19DA-487E-AD4A-0B452D823B59}"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\	ipw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Windows\\SysWow64\\fsutk.dll"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "QuickFlash"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2804	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	55634b080e1ce397d516a5f5a03d903c.exe
2184	ipw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2184	3044	55634b080e1ce397d516a5f5a03d903c.exe	28
PID 3044 wrote to memory of 2184	3044	55634b080e1ce397d516a5f5a03d903c.exe	28
PID 3044 wrote to memory of 2184	3044	55634b080e1ce397d516a5f5a03d903c.exe	28
PID 3044 wrote to memory of 2184	3044	55634b080e1ce397d516a5f5a03d903c.exe	28

C:\Users\Admin\AppData\Local\Temp\55634b080e1ce397d516a5f5a03d903c.exe
"C:\Users\Admin\AppData\Local\Temp\55634b080e1ce397d516a5f5a03d903c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\ipw.exe
  "C:\Users\Admin\AppData\Local\Temp\ipw.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2184

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1172

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ipw.exe

Filesize
20KB

MD5
3d161c3e76f0738283ff77a7aba607d0

SHA1
5a7d9527826117e1eb72519b69b8546f9fe47a9e

SHA256
ad37e27137f87ec4b6b0a3b183967029df9db30e389469153b48c662676ed18e

SHA512
b309fbbf49fd64c81b59346007f463246e0840885600a836e3a51a0551f89ae9ce0419b976dc9068928bd491819be2351b3d58b3e9bfaf281a6e8606d1e4fdc3

Download Submit
C:\Windows\SysWOW64\fsutk.dll

Filesize
116KB

MD5
b00ca4f0376b4ce77b42caff8b056e3f

SHA1
f46204ac2745c7a116785b31d6da16beedcd9040

SHA256
f80f9abb4b7e99ba632ca6e48dba6ff3503d6993d4c53bf502574f21976e0ca2

SHA512
d0b81ef6ac8744adaf4c24275c42ea779b54a077a01b07df45992211923c5fbe2c4a5b92bf1566f5d4bdbfd3b04f60d758ca03506053ca41d830e4b320b621b5

Download Submit
\??\c:\$Recycle.bin\int.dat

Filesize
220KB

MD5
1e351ebec08b1380a1e990048a12986a

SHA1
a9b632a8fadd7fd20020e81ded6f61bd2c05c419

SHA256
fd98308fa9847c3e3a5669f8fe65509427a3301c35fafe8ba7bd04dd5bf55f82

SHA512
a6d558e4663f712856fb60be74d912e513e3f90e3a8f3cdcfb01e1f568d2c588e111707e76918fe1336e750f39c6e5ec0854c82fa4522c9ee1c3a59b4074d475

Download Submit
\??\c:\windows\SysWOW64\liprip.dll

Filesize
84KB

MD5
2ce2cec9a3065c2354d65210d78de6b3

SHA1
1b2a3fed8ee249820c27c11da8add47326d06a06

SHA256
588d7f7610487162a0908694900b142c3dcc6fed7af7c90a55371c7755262a10

SHA512
2ef114db42f793ad8a74f472fbb317fe652f3acd63ecc96807062ecfcedc1dfb6bfd9aca556518ad348afb10faf8e2bab139781f7d74e43dc49fa2547ea3c4e2

Download Submit
memory/1172-81-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/2804-18-0x00000000000A0000-0x00000000000C0000-memory.dmp

Filesize
128KB

Download
memory/2936-136-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads