7cba40236777bc309e1f10cfd27baee2a74824ee9fb7fdae851ef08c0918fecc

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 15:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0ea776d578257a3e9dc5878a26528ce.exe
Size

19KB
MD5

c0ea776d578257a3e9dc5878a26528ce
SHA1

8a0c5a44fedcea2f912526491b3b1981a9fe4195
SHA256

7cba40236777bc309e1f10cfd27baee2a74824ee9fb7fdae851ef08c0918fecc
SHA512

b2deec12a6bd9f0ca2318f2c3d5de1523c8dbee8e4dcc398d7df83c20970f5297c5f145022a37f8d47bf0a28642fcc7614fe4d7ea19814ddc4509d803475b016
SSDEEP

384:5Pt5zScvboTV4yi7WfXHMzQthEUPiuOgLtNpbIgQPTPpEQZyv:5PP+czGriqccthViuZxNpbI9qh

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	c0ea776d578257a3e9dc5878a26528ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c0ea776d578257a3e9dc5878a26528ce.exe"	c0ea776d578257a3e9dc5878a26528ce.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b00000001224c-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2564	iebtmm.exe

Loads dropped DLL 3 IoCs

pid	Process
1524	c0ea776d578257a3e9dc5878a26528ce.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1524-0-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/files/0x000b00000001224c-2.dat	upx
behavioral1/memory/1524-4-0x0000000010000000-0x000000001000A000-memory.dmp	upx
behavioral1/files/0x000c0000000132c6-6.dat	upx
behavioral1/memory/1524-8-0x0000000000330000-0x0000000000338000-memory.dmp	upx
behavioral1/memory/2564-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1524-16-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/2564-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{300CF5C9-F02D-4CB8-ABED-9C229DA56825}	c0ea776d578257a3e9dc5878a26528ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{300CF5C9-F02D-4CB8-ABED-9C229DA56825}\	c0ea776d578257a3e9dc5878a26528ce.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	c0ea776d578257a3e9dc5878a26528ce.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.iexplorerfiles.com/redirect.php"	c0ea776d578257a3e9dc5878a26528ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	c0ea776d578257a3e9dc5878a26528ce.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	c0ea776d578257a3e9dc5878a26528ce.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Search	c0ea776d578257a3e9dc5878a26528ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"	c0ea776d578257a3e9dc5878a26528ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}	c0ea776d578257a3e9dc5878a26528ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.alwayssearches.com/index.php?b=1&t=0&q={searchTerms}"	c0ea776d578257a3e9dc5878a26528ce.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	c0ea776d578257a3e9dc5878a26528ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware"	c0ea776d578257a3e9dc5878a26528ce.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}	c0ea776d578257a3e9dc5878a26528ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search"	c0ea776d578257a3e9dc5878a26528ce.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{300CF5C9-F02D-4CB8-ABED-9C229DA56825}\InprocServer32	c0ea776d578257a3e9dc5878a26528ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{300CF5C9-F02D-4CB8-ABED-9C229DA56825}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iebt.dll"	c0ea776d578257a3e9dc5878a26528ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{300CF5C9-F02D-4CB8-ABED-9C229DA56825}\InprocServer32\ThreadingModel = "Apartment"	c0ea776d578257a3e9dc5878a26528ce.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID	c0ea776d578257a3e9dc5878a26528ce.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{300CF5C9-F02D-4CB8-ABED-9C229DA56825}	c0ea776d578257a3e9dc5878a26528ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{300CF5C9-F02D-4CB8-ABED-9C229DA56825}\www = "www"	c0ea776d578257a3e9dc5878a26528ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe
1524	c0ea776d578257a3e9dc5878a26528ce.exe
2564	iebtmm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2564	1524	c0ea776d578257a3e9dc5878a26528ce.exe	29
PID 1524 wrote to memory of 2564	1524	c0ea776d578257a3e9dc5878a26528ce.exe	29
PID 1524 wrote to memory of 2564	1524	c0ea776d578257a3e9dc5878a26528ce.exe	29
PID 1524 wrote to memory of 2564	1524	c0ea776d578257a3e9dc5878a26528ce.exe	29
PID 1524 wrote to memory of 2536	1524	c0ea776d578257a3e9dc5878a26528ce.exe	28
PID 1524 wrote to memory of 2536	1524	c0ea776d578257a3e9dc5878a26528ce.exe	28
PID 1524 wrote to memory of 2536	1524	c0ea776d578257a3e9dc5878a26528ce.exe	28
PID 1524 wrote to memory of 2536	1524	c0ea776d578257a3e9dc5878a26528ce.exe	28

C:\Users\Admin\AppData\Local\Temp\c0ea776d578257a3e9dc5878a26528ce.exe
"C:\Users\Admin\AppData\Local\Temp\c0ea776d578257a3e9dc5878a26528ce.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
  C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\iebt.dll

Filesize
8KB

MD5
cab7b3fb6f69848a3113cf20b813cada

SHA1
7ee5d275903a9b625bb8e80e33a1daea803023fc

SHA256
6abae53cf6b688c9671fdb3bad7d42620cea51bf82904a11dfa41bdb41e11594

SHA512
a2eea28f618d211905f174903ac71f748834eec00183f5d110dd7f1e2f4064927bc804bc89ae13ddff4c5a2eb90a7ed75f04a752de5f51307ac574d620331e9a

Download Submit
\Users\Admin\AppData\Local\Temp\iebtmm.exe

Filesize
5KB

MD5
a7beeec36f425039971c9ae1c94644a6

SHA1
ac9d04f6ea3e13173ec7a46bbad5cff8e826c0dc

SHA256
14b10bb59d81b0d3bbe9e1f263a89ab4378ef43f7140fb02079450888a5ca287

SHA512
78847cf1f1734f3a0d5156d8d399d9ebd3469c9208568d9183570374d9d05966a0bc11c8dd787a2551854bcc7f4095f139fbfe683bc607a867ccc5a426bfb080

Download Submit
memory/1524-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1524-4-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1524-8-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/1524-15-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/1524-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1524-18-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1524-19-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/1524-22-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2564-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2564-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download