99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf

Analysis

max time kernel
88s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c5d2ad17b6e100bf79c7ac19de0b289.exe
Size

289KB
MD5

9c5d2ad17b6e100bf79c7ac19de0b289
SHA1

7da2598504baaed90d03a647da4dcf8521e8aa83
SHA256

99ecb8fe08339f5a1ef6790d2102b38f7b17cf8f74a258f6020ab2075b2734bf
SHA512

38a95d72dcfe0a24463d628fa0990c1f3c44fd47303071b17fd1a43707438a6a33a74ee3c9ba7f7b255db3e2401d9486938ec2bc5189d22870c484f27a0400c3
SSDEEP

6144:BWTVOOe/I6hnI1xZCskNu/ib9ooKQnTdx3CBYYv/7rpDP1aP0KW0+r:Kme0QaEoxOZcP0Ks

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\IIUOUBBNNGI	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9c5d2ad17b6e100bf79c7ac19de0b289.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	9c5d2ad17b6e100bf79c7ac19de0b289.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4976 regsvr32.exe

pid	process
4976	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4512-0-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4512-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

9c5d2ad17b6e100bf79c7ac19de0b289.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}	9c5d2ad17b6e100bf79c7ac19de0b289.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\	9c5d2ad17b6e100bf79c7ac19de0b289.exe

Drops file in Windows directory 3 IoCs

Processes:

9c5d2ad17b6e100bf79c7ac19de0b289.exe

description	ioc	process
File created	C:\Windows\ikunbeps.dll	9c5d2ad17b6e100bf79c7ac19de0b289.exe
File opened for modification	C:\Windows\ikunbeps.dll	9c5d2ad17b6e100bf79c7ac19de0b289.exe
File created	C:\Windows\IIUOUBBNNGI	9c5d2ad17b6e100bf79c7ac19de0b289.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31088501"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31088501"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414700984"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1334393609"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31088501"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1334393609"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1335331261"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cfa71eb1212ca24fab6a788c17de622100000000020000000000106600000001000020000000e4b14c7a5e49c5a61f9073326763954b79f7d680ce4a49768df18d187a8a8e91000000000e8000000002000020000000b7795f54997d6cc5abbbae38e2ac22038a27284bcec93782c87d02b93ca52ce72000000082ba75a6f9c5b7b872d4e4619e3a80bd8bd3e3c1422b9e9bdbe019f97a9f12bd4000000098e2e5921bb4bd2a8ccfbc8c30704408099f94d1186802e26b3c0ad800c4fdbc401d39b793c51e0f9d0174dfe4ff56b84c28a48d2853a3b673742da4f859ac36	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7B164AA4-CB68-11EE-9ECD-FAD2FAC7202F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d01ad250755fda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cfa71eb1212ca24fab6a788c17de62210000000002000000000010660000000100002000000098e7ec23b7d152b755e8f201f1e9948da50b3b128d6a6700107e2d7aa1704622000000000e80000000020000200000005fcb0de10ef420bd66b2524137a8437fb45a210d2a90474f6225e688acd3ab14200000003558c2d35ffdd584f0be7e37cac30ff798e4afb4e4fcad655acb0a38a730bdfd40000000e5f025dd43a657fdec83178f2cc8be1bd9e2acc2d5fce404bf5d179a76fbeda05b779ad8d19c4cdb1f1bdee241eb55fbd366ef95e414bd49a0f3896914266e04	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1335331261"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31088501"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0fcd650755fda01	iexplore.exe

Modifies registry class 55 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6549E485-C533-4E58-BA92-9FBCD2F6E839}\1.0\HELPDIR\ = "C:\\Windows\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\ = "IntfVideo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.bho	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ikunbeps.dll\AppID = "{C12FC24B-A7B9-487F-9603-5481EBF00C6F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\ = "SVC plugin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ikunbeps.dll	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\TypeLib\ = "{6549E485-C533-4E58-BA92-9FBCD2F6E839}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6549E485-C533-4E58-BA92-9FBCD2F6E839}\1.0\ = "YouTube plugin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6549E485-C533-4E58-BA92-9FBCD2F6E839}\1.0\0\win32\ = "C:\\Windows\\ikunbeps.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\TypeLib	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\Elevation\Enabled = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6549E485-C533-4E58-BA92-9FBCD2F6E839}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\TypeLib\ = "{6549E485-C533-4E58-BA92-9FBCD2F6E839}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\DllSurrogate	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6549E485-C533-4E58-BA92-9FBCD2F6E839}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.bho\ = "SVC plugin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\Elevation	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6549E485-C533-4E58-BA92-9FBCD2F6E839}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\AppID = "{C12FC24B-A7B9-487F-9603-5481EBF00C6F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6549E485-C533-4E58-BA92-9FBCD2F6E839}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\ = "IntfVideo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\InprocServer32\ = "C:\\Windows\\ikunbeps.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.bho\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6549E485-C533-4E58-BA92-9FBCD2F6E839}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{16C65D96-EF19-4439-A6EA-F73A8BEC4DF0}\TypeLib\ = "{6549E485-C533-4E58-BA92-9FBCD2F6E839}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\ProgID\ = "bho.bho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\LocalizedString = "@C:\\Windows\\ikunbeps.dll,-313"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.bho\Clsid\ = "{C12FC24B-A7B9-487F-9603-5481EBF00C6F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\ = "SVC plugin"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C12FC24B-A7B9-487F-9603-5481EBF00C6F}\AccessPermission = 01000480440000005400000000000000140000000200300002000000000014000300000001010000000000050400000000001400030000000101000000000005120000000102000000000005200000002002000001020000000000052000000020020000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6549E485-C533-4E58-BA92-9FBCD2F6E839}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6549E485-C533-4E58-BA92-9FBCD2F6E839}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9c5d2ad17b6e100bf79c7ac19de0b289.exe

pid process

4512 9c5d2ad17b6e100bf79c7ac19de0b289.exe
4512 9c5d2ad17b6e100bf79c7ac19de0b289.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4508 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4508 iexplore.exe
4508 iexplore.exe
748 IEXPLORE.EXE
748 IEXPLORE.EXE
748 IEXPLORE.EXE
748 IEXPLORE.EXE

pid	process
4512	9c5d2ad17b6e100bf79c7ac19de0b289.exe
4512	9c5d2ad17b6e100bf79c7ac19de0b289.exe

pid	process
4508	iexplore.exe

pid	process
4508	iexplore.exe
4508	iexplore.exe
748	IEXPLORE.EXE
748	IEXPLORE.EXE
748	IEXPLORE.EXE
748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9c5d2ad17b6e100bf79c7ac19de0b289.exeiexplore.exe

description	pid	process	target process
PID 4512 wrote to memory of 4976	4512	9c5d2ad17b6e100bf79c7ac19de0b289.exe	regsvr32.exe
PID 4512 wrote to memory of 4976	4512	9c5d2ad17b6e100bf79c7ac19de0b289.exe	regsvr32.exe
PID 4512 wrote to memory of 4976	4512	9c5d2ad17b6e100bf79c7ac19de0b289.exe	regsvr32.exe
PID 4512 wrote to memory of 4508	4512	9c5d2ad17b6e100bf79c7ac19de0b289.exe	iexplore.exe
PID 4512 wrote to memory of 4508	4512	9c5d2ad17b6e100bf79c7ac19de0b289.exe	iexplore.exe
PID 4508 wrote to memory of 748	4508	iexplore.exe	IEXPLORE.EXE
PID 4508 wrote to memory of 748	4508	iexplore.exe	IEXPLORE.EXE
PID 4508 wrote to memory of 748	4508	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\9c5d2ad17b6e100bf79c7ac19de0b289.exe
"C:\Users\Admin\AppData\Local\Temp\9c5d2ad17b6e100bf79c7ac19de0b289.exe"
1⤵
- Checks computer location settings
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\ikunbeps.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:4976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/search?q=sex download
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4508 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
5708ba8437c3b654a20c9aad797a0fbb

SHA1
78e86a55e2ab057d3aafc088560212be264b1aff

SHA256
455c614ca1af0ede1275448b32cb8e1c66722320151aa978f259b82afb228758

SHA512
b15d59d6dc0da7a3ae05f0f0ec01b478f6f633211af08313fa026e58e6e71a6baae72cd2aa01579829e54f4687645d499a57f4e16334f9de0689af9cdd24de38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
b1a3da7121763b5fece78970199c33b6

SHA1
28f5f0be82f71dfd3020612b6c0beaeb0dab747d

SHA256
68cd171ee19970227ac6f7c7ff632b10e41fddfc9f02a57231f1500d0c671700

SHA512
102926ee9b70c4497a7e38bc4f36187a61826cb34ddbb16ce14a0049d5f80f91399f9836bef8c9efc859450c271e509e6c1979b831b2c17fb7bc822b94608c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB834.tmp
Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\buhspo8\imagestore.dat
Filesize
5KB

MD5
04a8e12d875bbc3360ea42845e740ed0

SHA1
52896f2627954a543404fa054947dc4933166115

SHA256
83c7fdacb0fdd3d3c3b020a02a1c97618827d586d67e73ebdc51dd1a4cc308bb

SHA512
928a65221dadd0f7538d6f300d72ea9c85ecccf07e29217c721bf365a1437fced39d41fe0a67e3222513465df91967be97a21abd069075f21bf0044e58e53fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0SGFK56Z\recaptcha__en[1].js
Filesize
489KB

MD5
ca50556eed6c3ec820e1e84b8b8c4c89

SHA1
94b412b047930720ea1cf6e26279821859f6a666

SHA256
5aa02ad9ec4550065de8002ea1108be5d10bbb1173d2f3447f88ce1af317d4bd

SHA512
acf6180697b349825c18ec7372c894a455c44683a72c7416fe2abee46873a585bdba99b0167dbe77bca6582928de4f01a41a79899f61f5b30e3974b8c159e1b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0SGFK56Z\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMK4G1YN\styles__ltr[1].css
Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QTPKWBD2\favicon[1].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Windows\IIUOUBBNNGI
Filesize
246KB

MD5
c90370a618f0505e6d190c6fa175aeaa

SHA1
7a260db073f691c3679bd1e8cf17ba934d290b18

SHA256
ae87350bcdda0fba4914ae063686574767ac37794fb9355125e27030fd17ae97

SHA512
7315ae09c0b3f0f8a3e35c3360a93d2381ebba3c515a3dee138fad9dc22b527684f988057e3f3f4e502d9f4d4c99591d83e2a3eed0f573819dac8885bfa44486

Download Submit
memory/4512-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4512-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4976-11-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/4976-10-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download