Malware Analysis Report

2025-01-18 21:11

Sample ID 240325-e5qb7sba4x
Target dd3ca20a9d4391a41da3f3cd7016f31c
SHA256 aa02fc3fb002c200356b19b2a219a6f97904fcecf4e03f068d33cc7a013424a9
Tags
adware discovery persistence stealer upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

aa02fc3fb002c200356b19b2a219a6f97904fcecf4e03f068d33cc7a013424a9

Threat Level: Likely malicious

The file dd3ca20a9d4391a41da3f3cd7016f31c was found to be: Likely malicious.

Malicious Activity Summary

adware discovery persistence stealer upx

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Deletes itself

UPX packed file

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 04:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 04:31

Reported

2024-03-25 04:34

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe"

Signatures

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Program Files (x86)\\Web Technologies\\iebtm.exe" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
N/A | N/A | C:\Program Files (x86)\Web Technologies\iebtmm.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (10 identical rows)

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\ | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Web Technologies\iebtmm.exe | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
File created | C:\Program Files (x86)\Web Technologies\iebtm.exe | C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe | N/A
File created | C:\Program Files (x86)\Web Technologies\iebtu.exe | C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe | N/A
File created | C:\Program Files (x86)\Web Technologies\iebt.dll | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E} | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302} | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.searchgatelive.com/index.php?b=1&t=0&q={searchTerms}" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.ietoolsite.com/redirect.php" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Search | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\ddd = "ddd" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32 | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32\ = "C:\\Program Files (x86)\\Web Technologies\\iebt.dll" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe | N/A
N/A | N/A | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A (33 identical rows)
N/A | N/A | C:\Program Files (x86)\Web Technologies\iebtmm.exe | N/A (30 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2896 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe | C:\Windows\SysWOW64\ctfmon.exe (4 identical rows)
PID 2896 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe | C:\Program Files (x86)\Web Technologies\iebtm.exe (4 identical rows)
PID 2896 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe | C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2988 wrote to memory of 2428 | N/A | C:\Program Files (x86)\Web Technologies\iebtm.exe | C:\Program Files (x86)\Web Technologies\iebtmm.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe

"C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe"

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

C:\Program Files (x86)\Web Technologies\iebtm.exe

"C:\Program Files (x86)\Web Technologies\iebtm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\awer0.bat" "

C:\Program Files (x86)\Web Technologies\iebtmm.exe

"C:\Program Files (x86)\Web Technologies\iebtmm.exe"

Network

N/A

Files

\Program Files (x86)\Web Technologies\iebtm.exe

MD5 6bf8bb01527e74074f0fb558b77e0990
SHA1 3810f268a790b27e0757872b4b753fad505ef338
SHA256 c393bb3a09f96f7d4c2a9cb50a28818d8ff8c3fda0dcd72c2a4bb40c8621f8ce
SHA512 8ff8398652d8a0277c993b78bfaafabd564ede70b96d39a54fc1cb3265745600e6bba4eb8566a81ccfc4cff2cf34b23f9e3e49078053a6f60e4fc012b075e442

memory/2896-3-0x0000000000570000-0x000000000057D000-memory.dmp

memory/2896-10-0x0000000000570000-0x000000000057D000-memory.dmp

memory/2988-12-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\awer0.bat

MD5 d8be7da772c94c6d0dffd1e4056ca8da
SHA1 90adcbf9e6701584a16fa168d676a1fa8adf1da3
SHA256 f822d13549a12d68f15aa7ad8e73595b134764ae9c1744614a1967c1eabae7dd
SHA512 c4a9deed775cc837960e9d7713e700756b5614aa0d149ef4eebfd937083870dad102cd38c7c3be636b23e22cd0f4033aa6f703b75b60f0f2ec35f221d9c5bc76

\Program Files (x86)\Web Technologies\iebt.dll

MD5 c9a4040ed12a727e316668865af35da5
SHA1 467cea10c19ad6b695e3e8bceda1c5d0d80cb0ef
SHA256 160de3ea93e50d1193afe17b5d0f5e6b8470060e30f3045b10a355fb7499256b
SHA512 38230a7f63cc9b1c7e8793c4c20b97285d86c5f1e61f613429d805c4976e9668609fae6d315a56161aa8ff8eb93b698bc7d5b0bbf412753677008b3e633741ac

memory/2988-24-0x0000000010000000-0x000000001000A000-memory.dmp

\Program Files (x86)\Web Technologies\iebtmm.exe

MD5 9bff6165a7f8d5d9c9acaf26043b2acd
SHA1 25323d5400bc68ac503b54b2cc662446216e9400
SHA256 aaf9d3b6a44283ca3dcd29fb7a64cb96f3fee942896ca37fb3c9ffc11f1448d8
SHA512 01df2b642294005f14b7ca211a6866cd33663285e01e154d1911d8decab9181a4b391c6c303392246ba153adb86518282c9339068cee93974de99aabaabe386e

memory/2988-27-0x0000000000500000-0x0000000000508000-memory.dmp

memory/2988-33-0x0000000000500000-0x0000000000508000-memory.dmp

memory/2428-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2988-36-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2428-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2988-38-0x0000000010000000-0x000000001000A000-memory.dmp

memory/2988-39-0x0000000000500000-0x0000000000508000-memory.dmp

memory/2988-40-0x0000000000500000-0x0000000000508000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 04:31

Reported

2024-03-25 04:34

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe"

Signatures

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\start = "C:\\Program Files (x86)\\Web Technologies\\iebtm.exe" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
N/A | N/A | C:\Program Files (x86)\Web Technologies\iebtmm.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 identical rows)

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\ | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Web Technologies\iebtm.exe | C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe | N/A
File created | C:\Program Files (x86)\Web Technologies\iebtu.exe | C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe | N/A
File created | C:\Program Files (x86)\Web Technologies\iebt.dll | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
File created | C:\Program Files (x86)\Web Technologies\iebtmm.exe | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\DisplayName = "Search" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}\URL = "http://www.searchgatelive.com/index.php?b=1&t=0&q={searchTerms}" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E} | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\Exec = "http://www.ietoolsite.com/redirect.php" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302} | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\MenuText = "IE Anti-Spyware" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Search | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\ddd = "ddd" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32 | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32\ = "C:\\Program Files (x86)\\Web Technologies\\iebt.dll" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe | N/A (2 identical rows)
N/A | N/A | C:\Program Files (x86)\Web Technologies\iebtm.exe | N/A (33 identical rows)
N/A | N/A | C:\Program Files (x86)\Web Technologies\iebtmm.exe | N/A (29 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe

"C:\Users\Admin\AppData\Local\Temp\dd3ca20a9d4391a41da3f3cd7016f31c.exe"

C:\Program Files (x86)\Web Technologies\iebtm.exe

"C:\Program Files (x86)\Web Technologies\iebtm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awer0.bat" "

C:\Program Files (x86)\Web Technologies\iebtmm.exe

"C:\Program Files (x86)\Web Technologies\iebtmm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

C:\Program Files (x86)\Web Technologies\iebtm.exe

MD5 6bf8bb01527e74074f0fb558b77e0990
SHA1 3810f268a790b27e0757872b4b753fad505ef338
SHA256 c393bb3a09f96f7d4c2a9cb50a28818d8ff8c3fda0dcd72c2a4bb40c8621f8ce
SHA512 8ff8398652d8a0277c993b78bfaafabd564ede70b96d39a54fc1cb3265745600e6bba4eb8566a81ccfc4cff2cf34b23f9e3e49078053a6f60e4fc012b075e442

memory/4060-6-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\awer0.bat

MD5 d8be7da772c94c6d0dffd1e4056ca8da
SHA1 90adcbf9e6701584a16fa168d676a1fa8adf1da3
SHA256 f822d13549a12d68f15aa7ad8e73595b134764ae9c1744614a1967c1eabae7dd
SHA512 c4a9deed775cc837960e9d7713e700756b5614aa0d149ef4eebfd937083870dad102cd38c7c3be636b23e22cd0f4033aa6f703b75b60f0f2ec35f221d9c5bc76

C:\Program Files (x86)\Web Technologies\iebt.dll

MD5 c9a4040ed12a727e316668865af35da5
SHA1 467cea10c19ad6b695e3e8bceda1c5d0d80cb0ef
SHA256 160de3ea93e50d1193afe17b5d0f5e6b8470060e30f3045b10a355fb7499256b
SHA512 38230a7f63cc9b1c7e8793c4c20b97285d86c5f1e61f613429d805c4976e9668609fae6d315a56161aa8ff8eb93b698bc7d5b0bbf412753677008b3e633741ac

memory/4060-14-0x0000000010000000-0x000000001000A000-memory.dmp

C:\Program Files (x86)\Web Technologies\iebtmm.exe

MD5 9bff6165a7f8d5d9c9acaf26043b2acd
SHA1 25323d5400bc68ac503b54b2cc662446216e9400
SHA256 aaf9d3b6a44283ca3dcd29fb7a64cb96f3fee942896ca37fb3c9ffc11f1448d8
SHA512 01df2b642294005f14b7ca211a6866cd33663285e01e154d1911d8decab9181a4b391c6c303392246ba153adb86518282c9339068cee93974de99aabaabe386e

memory/1964-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4060-20-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1964-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4060-24-0x0000000010000000-0x000000001000A000-memory.dmp