ce543d690f342b07fc6ae5391c55471974c82fa709cc60c05b9fe5bf99b4a6cb

Analysis

max time kernel
151s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c863a0a4e77703d9a80828a57a4a5dd1.exe
Size

380KB
MD5

c863a0a4e77703d9a80828a57a4a5dd1
SHA1

281dc30f9a609fe7848c516386e410b7c07bef8d
SHA256

ce543d690f342b07fc6ae5391c55471974c82fa709cc60c05b9fe5bf99b4a6cb
SHA512

e945b2163e484fc5b50cb5a30f6fe78d697cd85dfe530ea3029acc6615fb71debb001ebc81bc6a8c25d70cdd5ab6a00edf92887de30635cf66e993b805041763
SSDEEP

3072:SCnYm1MFQPmGyjoE79IRBnQWa3ELYyJzwHywrM6jCQVJV9fbYV8n+VY1y7xkMutR:SzDFQkjoE7u63qamQDvfbcXS1cbm

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	InfoWise.exe

Loads dropped DLL 8 IoCs

pid	Process
2184	regsvr32.exe
2188	c863a0a4e77703d9a80828a57a4a5dd1.exe
2188	c863a0a4e77703d9a80828a57a4a5dd1.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2624	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InfoWise = "C:\\Program Files (x86)\\InfoWise\\InfoWise.exe"	InfoWise.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\InfoWise\InfoWise.exe	c863a0a4e77703d9a80828a57a4a5dd1.exe
File created	C:\Program Files (x86)\InfoWise\InfoWise.dll	c863a0a4e77703d9a80828a57a4a5dd1.exe
File created	C:\Program Files (x86)\InfoWise\adck.dll	c863a0a4e77703d9a80828a57a4a5dd1.exe
File created	C:\Program Files (x86)\InfoWise\uninstall.exe	c863a0a4e77703d9a80828a57a4a5dd1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9EF2602F-6922-41b4-A234-572E36612DA6}\DisplayName = "Yahoo (info-way.kr)"	c863a0a4e77703d9a80828a57a4a5dd1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9EF2602F-6922-41b4-A234-572E36612DA6}\URL = "http://info-way.kr/addPages/?id=IW00&k={searchTerms}"	c863a0a4e77703d9a80828a57a4a5dd1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9EF2602F-6922-41b4-A234-572E36612DA6}\CodePage = "949"	c863a0a4e77703d9a80828a57a4a5dd1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{9EF2602F-6922-41b4-A234-572E36612DA6}"	c863a0a4e77703d9a80828a57a4a5dd1.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9EF2602F-6922-41b4-A234-572E36612DA6}	c863a0a4e77703d9a80828a57a4a5dd1.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper.1\CLSID\ = "{915F8F6C-1030-43A2-AB9A-1097DD1B870A}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\ProgID\ = "InfoWise.InfoWiseHelper.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\VersionIndependentProgID\ = "InfoWise.InfoWiseHelper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\InfoWise\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper\ = "InfoWiseHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper.1\ = "InfoWiseHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper\ = "InfoWiseHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}\1.0\0\win32\ = "C:\\Program Files (x86)\\InfoWise\\InfoWise.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper\CLSID\ = "{915F8F6C-1030-43A2-AB9A-1097DD1B870A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper\CurVer\ = "InfoWise.InfoWiseHelper.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\ProgID\ = "InfoWise.InfoWiseHelper.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper.1\ = "InfoWiseHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\TypeLib\ = "{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}\1.0\ = "InfoWise 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper.1\CLSID\ = "{915F8F6C-1030-43A2-AB9A-1097DD1B870A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper\CLSID\ = "{915F8F6C-1030-43A2-AB9A-1097DD1B870A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\TypeLib\ = "{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\ = "IInfoWiseHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\VersionIndependentProgID\ = "InfoWise.InfoWiseHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper\CurVer\ = "InfoWise.InfoWiseHelper.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\InprocServer32\ = "C:\\PROGRA~2\\InfoWise\\InfoWise.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\TypeLib\ = "{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\ = "IInfoWiseHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}\ = "InfoWiseHelper Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\TypeLib\ = "{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoWise.InfoWiseHelper\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{915F8F6C-1030-43A2-AB9A-1097DD1B870A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0473124-6B1C-4EB0-99AE-6D96EA6DD387}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A3B9D99A-B47A-4D7E-A954-A2861801DF81}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2188	c863a0a4e77703d9a80828a57a4a5dd1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe
Token: SeBackupPrivilege	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2188	c863a0a4e77703d9a80828a57a4a5dd1.exe
2188	c863a0a4e77703d9a80828a57a4a5dd1.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe
2152	InfoWise.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2184	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	28
PID 2188 wrote to memory of 2184	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	28
PID 2188 wrote to memory of 2184	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	28
PID 2188 wrote to memory of 2184	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	28
PID 2188 wrote to memory of 2184	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	28
PID 2188 wrote to memory of 2184	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	28
PID 2188 wrote to memory of 2184	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	28
PID 2188 wrote to memory of 2152	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	29
PID 2188 wrote to memory of 2152	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	29
PID 2188 wrote to memory of 2152	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	29
PID 2188 wrote to memory of 2152	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	29
PID 2188 wrote to memory of 2152	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	29
PID 2188 wrote to memory of 2152	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	29
PID 2188 wrote to memory of 2152	2188	c863a0a4e77703d9a80828a57a4a5dd1.exe	29
PID 2152 wrote to memory of 2624	2152	InfoWise.exe	30
PID 2152 wrote to memory of 2624	2152	InfoWise.exe	30
PID 2152 wrote to memory of 2624	2152	InfoWise.exe	30
PID 2152 wrote to memory of 2624	2152	InfoWise.exe	30
PID 2152 wrote to memory of 2624	2152	InfoWise.exe	30
PID 2152 wrote to memory of 2624	2152	InfoWise.exe	30
PID 2152 wrote to memory of 2624	2152	InfoWise.exe	30

C:\Users\Admin\AppData\Local\Temp\c863a0a4e77703d9a80828a57a4a5dd1.exe
"C:\Users\Admin\AppData\Local\Temp\c863a0a4e77703d9a80828a57a4a5dd1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\InfoWise\InfoWise.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2184
- C:\Program Files (x86)\InfoWise\InfoWise.exe
  "C:\Program Files (x86)\InfoWise\InfoWise.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\InfoWise\InfoWise.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\InfoWise\InfoWise.dll

Filesize
141KB

MD5
6fced7c67dbdaf4dc8a801e8583e4946

SHA1
5f369325d8ecd09f9e484919a3aa6ec10cd5c7cf

SHA256
d4ac0a652a8329be83ac900ef64307dfe89d5b1c8e9515e91dc3020e14540909

SHA512
026ae57915daf70c5dfd1f3538b64a4ea0bda1eda0c99c4f102252dc456e965b16321c96bec46ae75dc4159dafc77f2208f00f156af16315dbea1fa0f4ff1476

Download Submit
C:\Program Files (x86)\InfoWise\adck.dll

Filesize
93KB

MD5
d179ee13ab3b654068098808e9d3e8ed

SHA1
746d09b9f0be675892795fb747e235a6569a515f

SHA256
1ba9995d48aad3137db4fe7af9f88fec0bde610bfa9e5542f365705e9b966f7d

SHA512
4da555ff6193b1eb500b50457fc8b602cdee27dd364a448781ee0f122cda2a936f2345bf78166b087ab658291709bf605972bd5e19edbc14021570a9858e022c

Download Submit
\Program Files (x86)\InfoWise\InfoWise.exe

Filesize
81KB

MD5
876f072756a9a5cc1d069f5aa2da1e20

SHA1
6cb50fc6b0deefeb08618a936d8ef925b9c79b5c

SHA256
4c563d204a34219330d8847b5b7ec80bda602caa029cbc5cfe8f516d65ae78f5

SHA512
55b953ba99f5edb1f924c50a8c9d0ce63cd9e646d7335ad7b181a4605e2375929936248660b3d51ae38cbb7ec1ca36e438c2ffa29d3e1a64d80452f5866200d5

Download Submit