cb7f3582d62719ea87d4ec30a44765f495edd85a5ea92916b16d373b08ce9189

General

Target

bf68377bf9d4040730e358df91d73fcf.exe
Size

111KB
MD5

bf68377bf9d4040730e358df91d73fcf
SHA1

212073d2e1094b7f07a3e6daf1b09ebcf15710a9
SHA256

cb7f3582d62719ea87d4ec30a44765f495edd85a5ea92916b16d373b08ce9189
SHA512

763dba98ea883b12ce8ccbe8fdaef33880f1d040ec6e05f7dfbda97b3b05132c9761f69595bbff1d1017bc1565bad9bef791aa9effb23f96c54d0dd4942763bc
SSDEEP

3072:3xzuS4uw/BdhYTyPHIgcPmYpnVU2rFa2R60La77e:3k6w/BMTyPKmYNVU2BNLa3e

Score

10^/10

adware evasion stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	bf68377bf9d4040730e358df91d73fcf.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"	bf68377bf9d4040730e358df91d73fcf.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}	bf68377bf9d4040730e358df91d73fcf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ipv6monl.dll	bf68377bf9d4040730e358df91d73fcf.exe
File opened for modification	C:\Windows\SysWOW64\ipv6monl.dll	bf68377bf9d4040730e358df91d73fcf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 2912	2840	bf68377bf9d4040730e358df91d73fcf.exe	28

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	bf68377bf9d4040730e358df91d73fcf.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}	bf68377bf9d4040730e358df91d73fcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}	bf68377bf9d4040730e358df91d73fcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32	bf68377bf9d4040730e358df91d73fcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32\ = "C:\\Windows\\SysWow64\\ipv6monl.dll"	bf68377bf9d4040730e358df91d73fcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32\ThreadingModel = "apartment"	bf68377bf9d4040730e358df91d73fcf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2912	bf68377bf9d4040730e358df91d73fcf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2912	2840	bf68377bf9d4040730e358df91d73fcf.exe	28
PID 2840 wrote to memory of 2912	2840	bf68377bf9d4040730e358df91d73fcf.exe	28
PID 2840 wrote to memory of 2912	2840	bf68377bf9d4040730e358df91d73fcf.exe	28
PID 2840 wrote to memory of 2912	2840	bf68377bf9d4040730e358df91d73fcf.exe	28
PID 2840 wrote to memory of 2912	2840	bf68377bf9d4040730e358df91d73fcf.exe	28
PID 2840 wrote to memory of 2912	2840	bf68377bf9d4040730e358df91d73fcf.exe	28

C:\Users\Admin\AppData\Local\Temp\bf68377bf9d4040730e358df91d73fcf.exe
"C:\Users\Admin\AppData\Local\Temp\bf68377bf9d4040730e358df91d73fcf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\bf68377bf9d4040730e358df91d73fcf.exe
  C:\Users\Admin\AppData\Local\Temp\bf68377bf9d4040730e358df91d73fcf.exe
  2⤵
  - Modifies firewall policy service
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2840-4-0x0000000013140000-0x0000000013163000-memory.dmp

Filesize
140KB

Download
memory/2912-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2912-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-3-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2912-6-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2912-9-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2912-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads