5f734747806c67f29a5f8703ec51264cdfae0417ee5e03007c756b787d710593

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e0642d9a769d5e1c1e7015834b61896.exe
Size

19KB
MD5

8e0642d9a769d5e1c1e7015834b61896
SHA1

39179bac45811ed1084df1a1ee427042706b4d85
SHA256

5f734747806c67f29a5f8703ec51264cdfae0417ee5e03007c756b787d710593
SHA512

ce9edb7f926df2c2fd8a092bff2a2139b1899587249783b878f1634f900fc3c28968291f92158b9100fb533ef6366de0153f4667cba36fd88ef3557127d05fdf
SSDEEP

384:sPjUi92wYlu/CLi3RYDRDtDxyiWoearIY1hQDIwAQoHdLlaNJawcudoD7UZ:s2sOTDxyhzRJ1RoHdLYnbcuyD7U

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	8e0642d9a769d5e1c1e7015834b61896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8e0642d9a769d5e1c1e7015834b61896.exe"	8e0642d9a769d5e1c1e7015834b61896.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b0000000122de-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2360	sbsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-1-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/files/0x000b0000000122de-2.dat	upx
behavioral1/memory/2940-4-0x0000000010000000-0x000000001000A000-memory.dmp	upx
behavioral1/memory/2940-13-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}	8e0642d9a769d5e1c1e7015834b61896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}\	8e0642d9a769d5e1c1e7015834b61896.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	8e0642d9a769d5e1c1e7015834b61896.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	8e0642d9a769d5e1c1e7015834b61896.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.gatetofind.com/index.php?b=1&t=0&q={searchTerms}"	8e0642d9a769d5e1c1e7015834b61896.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	8e0642d9a769d5e1c1e7015834b61896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	8e0642d9a769d5e1c1e7015834b61896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	8e0642d9a769d5e1c1e7015834b61896.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	8e0642d9a769d5e1c1e7015834b61896.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Search	8e0642d9a769d5e1c1e7015834b61896.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	8e0642d9a769d5e1c1e7015834b61896.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes	8e0642d9a769d5e1c1e7015834b61896.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	8e0642d9a769d5e1c1e7015834b61896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.ieservicegate.com/redirect.php"	8e0642d9a769d5e1c1e7015834b61896.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}	8e0642d9a769d5e1c1e7015834b61896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\xxx = "xxx"	8e0642d9a769d5e1c1e7015834b61896.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32	8e0642d9a769d5e1c1e7015834b61896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sbmdl.dll"	8e0642d9a769d5e1c1e7015834b61896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ThreadingModel = "Apartment"	8e0642d9a769d5e1c1e7015834b61896.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID	8e0642d9a769d5e1c1e7015834b61896.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe
2940	8e0642d9a769d5e1c1e7015834b61896.exe
2360	sbsm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2360	2940	8e0642d9a769d5e1c1e7015834b61896.exe	28
PID 2940 wrote to memory of 2360	2940	8e0642d9a769d5e1c1e7015834b61896.exe	28
PID 2940 wrote to memory of 2360	2940	8e0642d9a769d5e1c1e7015834b61896.exe	28
PID 2940 wrote to memory of 2360	2940	8e0642d9a769d5e1c1e7015834b61896.exe	28

C:\Users\Admin\AppData\Local\Temp\8e0642d9a769d5e1c1e7015834b61896.exe
"C:\Users\Admin\AppData\Local\Temp\8e0642d9a769d5e1c1e7015834b61896.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\sbsm.exe
  C:\Users\Admin\AppData\Local\Temp\sbsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sbsm.exe

Filesize
5KB

MD5
4cb83b321c98de8d7c95d6dec7b40e9e

SHA1
e7f737adfa4e23730a7ae660eff75aea8c927652

SHA256
bf5cf202e647e8f2ebe518295a9f95df7a99e88d9df00f941fc1c091e54c66b6

SHA512
ebc00c802c273ce04cc19a3fc43e5eb31408824a45c2cd8dbe0f776bd57af373ec226af8825a1cd3c4e1c1ba1e8819b6d6b1005869c0817d4a08c004ed9e5016

Download Submit
\Users\Admin\AppData\Local\Temp\sbmdl.dll

Filesize
10KB

MD5
91f8b2bc18cd1cbd92c3e66461b209e6

SHA1
34dc391b1b41c8d78a7486b42450fb60e43ed878

SHA256
626f43dc734d66530287023647419ecbea868a8a1fa20804efd5d608fafe6dd7

SHA512
12d70feba9c006213d54947d4c1178d7b9d381591d6a2af07fc1b939fcc9cd587fac050e295d697279668e674a9463309428a9d2bb3636de91faac817ea209fd

Download Submit
memory/2940-1-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2940-4-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2940-13-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2940-15-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download