7fc4182ebf0b609a4a3ddecb7c53f9ffda1dad9c6fbe8a404ac1919c711449c8

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95fef0c257d1c33e4921d1ed272b6027.exe
Size

31KB
MD5

95fef0c257d1c33e4921d1ed272b6027
SHA1

23903d45e95dc0869a92bfc7637b40411e57e037
SHA256

7fc4182ebf0b609a4a3ddecb7c53f9ffda1dad9c6fbe8a404ac1919c711449c8
SHA512

d2d57745359016c1004dfc55d4898aa97803efb790cd0717797524f622e5125ace3cee558e929e506388be8e40941e7b0411828943c6ac976a25324926d60fce
SSDEEP

768:vUCCHQwCFF4AEAe6tgyzs/vZVry4E7PLDdjnHnbcuyD7U:vUCCHQv7zYusnZV3QLprnouy8

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Program Files (x86)\\NetProject\\sbmntr.exe"	sbmntr.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023209-7.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4468	sbmntr.exe
3492	sbsm.exe

Loads dropped DLL 1 IoCs

pid	Process
4468	sbmntr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/904-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/files/0x0006000000023208-5.dat	upx
behavioral2/memory/4468-4-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/files/0x0006000000023209-7.dat	upx
behavioral2/memory/904-16-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/4468-17-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}\	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	sbmntr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetProject\sbmntr.exe	95fef0c257d1c33e4921d1ed272b6027.exe
File created	C:\Program Files (x86)\NetProject\sbmdl.dll	sbmntr.exe
File created	C:\Program Files (x86)\NetProject\sbsm.exe	sbmntr.exe
File created	C:\Program Files (x86)\NetProject\sbun.exe	95fef0c257d1c33e4921d1ed272b6027.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	sbmntr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	sbmntr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.gatetofind.com/index.php?b=1&t=0&q={searchTerms}"	sbmntr.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\SearchScopes	sbmntr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	sbmntr.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Search	sbmntr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.ieservicegate.com/redirect.php"	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	sbmntr.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	sbmntr.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ = "C:\\Program Files (x86)\\NetProject\\sbmdl.dll"	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ThreadingModel = "Apartment"	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	sbmntr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}	sbmntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\xxx = "xxx"	sbmntr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
904	95fef0c257d1c33e4921d1ed272b6027.exe
904	95fef0c257d1c33e4921d1ed272b6027.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe
3492	sbsm.exe
3492	sbsm.exe
4468	sbmntr.exe
4468	sbmntr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 4468	904	95fef0c257d1c33e4921d1ed272b6027.exe	84
PID 904 wrote to memory of 4468	904	95fef0c257d1c33e4921d1ed272b6027.exe	84
PID 904 wrote to memory of 4468	904	95fef0c257d1c33e4921d1ed272b6027.exe	84
PID 4468 wrote to memory of 3492	4468	sbmntr.exe	85
PID 4468 wrote to memory of 3492	4468	sbmntr.exe	85
PID 4468 wrote to memory of 3492	4468	sbmntr.exe	85

C:\Users\Admin\AppData\Local\Temp\95fef0c257d1c33e4921d1ed272b6027.exe
"C:\Users\Admin\AppData\Local\Temp\95fef0c257d1c33e4921d1ed272b6027.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904
- C:\Program Files (x86)\NetProject\sbmntr.exe
  "C:\Program Files (x86)\NetProject\sbmntr.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Program Files (x86)\NetProject\sbsm.exe
    "C:\Program Files (x86)\NetProject\sbsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NetProject\sbmdl.dll

Filesize
10KB

MD5
8ac5c4e5765360e409f6e7d60ee3d86f

SHA1
027f9513ae003dc842533586a85947b7ce229247

SHA256
feff23f82b0556b145acdd5ea3f4da2582abf6567f0d0ad54eb15bdfd15a9cf9

SHA512
1cead8a5d55e6e88ff7676f3495688f59cb2991c562282f8a8d4bd7739e6d445d97b38cdb115b0e551e52f75aeeb224758a69d5439e97a179610402f411f611d

Download Submit
C:\Program Files (x86)\NetProject\sbmntr.exe

Filesize
19KB

MD5
3e3ef49c846543a4b284d54bbe1dc70e

SHA1
f1830871007ce7e6739d2d2a812a90f282a897a2

SHA256
10e1da579988d54dbdc353254ca0bb39f6ec6017fa8fb3f72e784fcf16f40feb

SHA512
a2fc16a39621ea29e0b11d8ae55c952fb411ffc0ef8dbaa72202fcea1e855499d3f7f1b81417e36911b651fe10067086a28287fe4b94015830470b9ba1b44259

Download Submit
C:\Program Files (x86)\NetProject\sbsm.exe

Filesize
5KB

MD5
c28d57d1894f3b2efccee5b55689ced5

SHA1
4f3884dfa98121d1da4f3748084fd4437d1fae55

SHA256
4c8207d5af11ea61a5bad1f8743a399596fb8768b73b8acd1bca65d310cf65a8

SHA512
21049018685511e8942ffc3c7538f5987bba0b5cf5e22769e057379553526e8aedebf987c6e2775a7ef5a6ca2460c02b16fe0155ab3efbea2d9cf73767accc2f

Download Submit
memory/904-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/904-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4468-4-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4468-10-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/4468-17-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4468-19-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download