cb7f3582d62719ea87d4ec30a44765f495edd85a5ea92916b16d373b08ce9189

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 00:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf68377bf9d4040730e358df91d73fcf.exe
Size

111KB
MD5

bf68377bf9d4040730e358df91d73fcf
SHA1

212073d2e1094b7f07a3e6daf1b09ebcf15710a9
SHA256

cb7f3582d62719ea87d4ec30a44765f495edd85a5ea92916b16d373b08ce9189
SHA512

763dba98ea883b12ce8ccbe8fdaef33880f1d040ec6e05f7dfbda97b3b05132c9761f69595bbff1d1017bc1565bad9bef791aa9effb23f96c54d0dd4942763bc
SSDEEP

3072:3xzuS4uw/BdhYTyPHIgcPmYpnVU2rFa2R60La77e:3k6w/BMTyPKmYNVU2BNLa3e

Score

10^/10

adware evasion stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	bf68377bf9d4040730e358df91d73fcf.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	bf68377bf9d4040730e358df91d73fcf.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"	bf68377bf9d4040730e358df91d73fcf.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	bf68377bf9d4040730e358df91d73fcf.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}	bf68377bf9d4040730e358df91d73fcf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ipv6monl.dll	bf68377bf9d4040730e358df91d73fcf.exe
File opened for modification	C:\Windows\SysWOW64\ipv6monl.dll	bf68377bf9d4040730e358df91d73fcf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2144 set thread context of 2656	2144	bf68377bf9d4040730e358df91d73fcf.exe	87

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	bf68377bf9d4040730e358df91d73fcf.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32\ThreadingModel = "apartment"	bf68377bf9d4040730e358df91d73fcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}	bf68377bf9d4040730e358df91d73fcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}	bf68377bf9d4040730e358df91d73fcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32	bf68377bf9d4040730e358df91d73fcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32\ = "C:\\Windows\\SysWow64\\ipv6monl.dll"	bf68377bf9d4040730e358df91d73fcf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2656	bf68377bf9d4040730e358df91d73fcf.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2656	2144	bf68377bf9d4040730e358df91d73fcf.exe	87
PID 2144 wrote to memory of 2656	2144	bf68377bf9d4040730e358df91d73fcf.exe	87
PID 2144 wrote to memory of 2656	2144	bf68377bf9d4040730e358df91d73fcf.exe	87
PID 2144 wrote to memory of 2656	2144	bf68377bf9d4040730e358df91d73fcf.exe	87
PID 2144 wrote to memory of 2656	2144	bf68377bf9d4040730e358df91d73fcf.exe	87

C:\Users\Admin\AppData\Local\Temp\bf68377bf9d4040730e358df91d73fcf.exe
"C:\Users\Admin\AppData\Local\Temp\bf68377bf9d4040730e358df91d73fcf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\bf68377bf9d4040730e358df91d73fcf.exe
  C:\Users\Admin\AppData\Local\Temp\bf68377bf9d4040730e358df91d73fcf.exe
  2⤵
  - Modifies firewall policy service
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2144-1-0x0000000013140000-0x0000000013163000-memory.dmp

Filesize
140KB

Download
memory/2656-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2656-3-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2656-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2656-7-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads