Overview (score 7)

Tasks and per-task scores as shown in the sidebar (the sandbox scores every file extracted from the installer on both platforms):

  Task                                                  Platform              Score
  Static (static1)                                      -                     3
  02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe    windows7-x64          7
  02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe    windows10-2004-x64    7
  $PLUGINSDIR/System.dll                                windows7-x64          3
  $PLUGINSDIR/System.dll                                windows10-2004-x64    3
  $PLUGINSDIR/TypeLib.dll                               windows7-x64          3
  $PLUGINSDIR/TypeLib.dll                               windows10-2004-x64    3
  $PLUGINSDIR/nsExec.dll                                windows7-x64          3
  $PLUGINSDIR/nsExec.dll                                windows10-2004-x64    3
  $R0.dll                                               windows7-x64          1
  $R0.dll                                               windows10-2004-x64    1
  $R2/NSIS.Library.RegTool.v3.$_2_.exe                  windows7-x64          1
  $R2/NSIS.Library.RegTool.v3.$_2_.exe                  windows10-2004-x64    1
  $SYSDIR/DWSHK80.dll                                   windows7-x64          1
  $SYSDIR/DWSHK80.dll                                   windows10-2004-x64    1
  $SYSDIR/MSVBVM60.dll                                  windows7-x64          1
  $SYSDIR/MSVBVM60.dll                                  windows10-2004-x64    1
  $SYSDIR/VB6KO.dll                                     windows7-x64          1
  $SYSDIR/VB6KO.dll                                     windows10-2004-x64    1
  $SYSDIR/dwsbc80.dll                                   windows7-x64          1
  $SYSDIR/dwsbc80.dll                                   windows10-2004-x64    1
  $SYSDIR/dwshengine80.dll                              windows7-x64          1
  $SYSDIR/dwshengine80.dll                              windows10-2004-x64    1
  UrlUpdate.exe (this report)                           windows7-x64          7
  UrlUpdate.exe                                         windows10-2004-x64    7
  efbbar.dll                                            windows7-x64          1
  efbbar.dll                                            windows10-2004-x64    1
  efsbar.dll                                            windows7-x64          1
  efsbar.dll                                            windows10-2004-x64    1
  iewindow.exe                                          windows7-x64          1
  iewindow.exe                                          windows10-2004-x64    1
  nnlogon.exe                                           windows7-x64          1
  nnlogon.exe                                           windows10-2004-x64    1
Analysis

  max time kernel:   117s
  max time network:  119s
  platform:          windows7_x64
  resource:          win7-20240220-en
  resource tags:     arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  submitted:         20/06/2024, 03:22 UTC
Static task: static1

Behavioral tasks

  Task          Sample                                                Resource
  behavioral1   02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe    win7-20240221-en
  behavioral2   02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe    win10v2004-20240508-en
  behavioral3   $PLUGINSDIR/System.dll                                win7-20240611-en
  behavioral4   $PLUGINSDIR/System.dll                                win10v2004-20240508-en
  behavioral5   $PLUGINSDIR/TypeLib.dll                               win7-20240611-en
  behavioral6   $PLUGINSDIR/TypeLib.dll                               win10v2004-20240611-en
  behavioral7   $PLUGINSDIR/nsExec.dll                                win7-20240508-en
  behavioral8   $PLUGINSDIR/nsExec.dll                                win10v2004-20240611-en
  behavioral9   $R0.dll                                               win7-20240220-en
  behavioral10  $R0.dll                                               win10v2004-20240508-en
  behavioral11  $R2/NSIS.Library.RegTool.v3.$_2_.exe                  win7-20231129-en
  behavioral12  $R2/NSIS.Library.RegTool.v3.$_2_.exe                  win10v2004-20240611-en
  behavioral13  $SYSDIR/DWSHK80.dll                                   win7-20240419-en
  behavioral14  $SYSDIR/DWSHK80.dll                                   win10v2004-20240611-en
  behavioral15  $SYSDIR/MSVBVM60.dll                                  win7-20240508-en
  behavioral16  $SYSDIR/MSVBVM60.dll                                  win10v2004-20240508-en
  behavioral17  $SYSDIR/VB6KO.dll                                     win7-20240508-en
  behavioral18  $SYSDIR/VB6KO.dll                                     win10v2004-20240611-en
  behavioral19  $SYSDIR/dwsbc80.dll                                   win7-20240508-en
  behavioral20  $SYSDIR/dwsbc80.dll                                   win10v2004-20240508-en
  behavioral21  $SYSDIR/dwshengine80.dll                              win7-20231129-en
  behavioral22  $SYSDIR/dwshengine80.dll                              win10v2004-20240508-en
  behavioral23  UrlUpdate.exe (this report)                           win7-20240220-en
  behavioral24  UrlUpdate.exe                                         win10v2004-20240611-en
  behavioral25  efbbar.dll                                            win7-20240611-en
  behavioral26  efbbar.dll                                            win10v2004-20240611-en
  behavioral27  efsbar.dll                                            win7-20240611-en
  behavioral28  efsbar.dll                                            win10v2004-20240508-en
  behavioral29  iewindow.exe                                          win7-20240221-en
  behavioral30  iewindow.exe                                          win10v2004-20240508-en
  behavioral31  nnlogon.exe                                           win7-20240220-en
  behavioral32  nnlogon.exe                                           win10v2004-20240508-en
General

  Target:  UrlUpdate.exe
  Size:    152KB
  MD5:     df4c70adfe3ee8e7d0a7d396754681ea
  SHA1:    86d6bc8e6961a01aa689909d678512e0e3bc202c
  SHA256:  94a6a81ad5c12aec33d7274e43ed8197cd476bb9680724995631fd971e8a3d86
  SHA512:  94e8fa6c92cbb30320b2067158549e6079be66489c4a2c8008ec7675d9135cddd477137b3c08fe7e7a41d2da6fcc3732d9ae10e8bc47226108938249fa33fa4e
  SSDEEP:  3072:T6npLFsb893Sn3dkJht04WD2spOL/KGKlhcpguZh5pXK1zZcsbAM:+0nNke4WdUL/KGKlhcpguZHpXK1z0M

Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 2108  urlupdate1.exe

Loads dropped DLL (1 IoC)
  PID 2252  UrlUpdate.exe
Installs/modifies Browser Helper Object (2 TTPs, 5 IoCs)
  BHOs are COM DLLs that Internet Explorer loads into every browser process at start-up, so a BHO runs with the browser's privileges and can observe and rewrite every page and request. Two BHOs are registered here: {72CEEE43-C350-4932-B3DC-B6201F01EFCB} (ProgID ntmURL.CHandler, registered by regsvr32 from %TEMP%\ntmurl.dll) and {D815AB8A-E840-4054-B37D-943893116452} (InprocServer32 = %TEMP%\efsbar.dll). The NoExplorer value, when set, keeps the object from loading in Windows Explorer so that it runs only inside IE.

  Operation        IoC                                                                                                                                         Process
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}              ntmurl.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\NoExplorer   ntmurl.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452}              ntmurl.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452}\NoExplorer   ntmurl.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452}              REG.exe
Drops file in System32 directory (2 IoCs)
  File created                C:\Windows\SysWOW64\NSearcher.exe   ntmurl.exe
  File opened for modification C:\Windows\SysWOW64\NSearcher.exe   ntmurl.exe

Drops file in Program Files directory (1 IoC)
  File created   C:\Program Files\Netimo\NSearcher\NSearcher.exe   ntmurl.exe
Launches sc.exe (1 IoC)
  sc.exe is the Windows utility for controlling services; here ntmurl.exe uses it to start the service efinderservice (see the process tree).
  PID 1020  sc.exe
Modifies Internet Explorer settings (17 IoCs)
  The per-user changes turn {72CEEE43-C350-4932-B3DC-B6201F01EFCB} into the default search scope and point it at search.netimo.net, add a context-menu entry backed by a resource inside %TEMP%\ntmurl.dll, and force browser extensions on. The key and value names shown as "ÀÌ ´Ü¾î °Ë»ö(&S)" and "¾ßÈÄ" are CP949 (Korean) bytes rendered as Latin-1, consistent with the Codepage = "949" value below: they decode to 이 단어 검색(&S) ("Search this word") and 야후 ("Yahoo"). The literal strings are kept here as the sandbox recorded them.

  Operation         IoC                                                                                                                                                          Process
  Key created       \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt                                                    ntmurl.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)\ = "res://C:\\Users\\Admin\\AppData\\Local\\Temp\\ntmurl.dll/SEARCH.HTM"   ntmurl.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)\contexts = "48"  (0x30: text selection and anchor)   ntmurl.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}                                     REG.exe
  Key created       \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main                                                       ntmurl.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}\BarSize = dc00000000000000   REG.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\Codepage = "949"   ntmurl.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"                      ntmurl.exe
  Key created       \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Explorer Bars                                              REG.exe
  Key created       \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes                                               ntmurl.exe
  Key created       \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}        ntmurl.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\URL = "http://search.netimo.net/ntmsearch.html?where=all&cp=ezsearch&adv=yahoo&type=forward&ssupply=1&q={searchTerms}"   ntmurl.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\DisplayName = "¾ßÈÄ"   ntmurl.exe
  Key created       \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)                                   ntmurl.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars                                                                            REG.exe
  Key created       \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}       REG.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{72CEEE43-C350-4932-B3DC-B6201F01EFCB}"   ntmurl.exe
Modifies registry class (64 IoCs)
  COM registration written by the two regsvr32.exe runs (ntmurl.dll, efsbar.dll) and by ntmurl.exe itself. The ProgIDs (ntmURL.CHandler, ntmURL.CSideBar, ntmURL.CSBCriteria, ntmURL.CTimer, ntmURL.GSubclass, ntmURL.IInputObjectCallback, efindersidebar.CSideBar) and the type library {C6E6B197-9348-449E-A149-384B208874B1}, whose win32 path is %TEMP%\ntmurl.dll, tie the CLSIDs used by the BHO and Explorer Bar entries above to the dropped DLLs.

  Operation        IoC                                                                                                                                  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\TypeLib\Version = "415.4"                          regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26893EEF-3781-4234-8D71-EF9C394156A3}\TypeLib\Version = "415.4"                          regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\Programmable                               regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C6E6B197-9348-449E-A149-384B208874B1}\415.4\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ntmurl.dll"   regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}                                        regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"   regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E9BF828-7362-4850-9FE7-59E26521AC34}\ = "_CSBCriteria"                                  regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD8BFC7F-4A69-4C23-B496-78B301B5193F}                                                   regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF}\ProgID                                     regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\ProgID\ = "ntmURL.CHandler"                regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C6E6B197-9348-449E-A149-384B208874B1}                                                     regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\ProxyStubClsid32                       regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F8A3508D-B8F0-4619-94D1-A85A54B9ABAE}\TypeLib\Version = "1.0"                regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F8A3508D-B8F0-4619-94D1-A85A54B9ABAE}\ = "_CHandler"                                     regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6A294C45-07CC-426C-9512-6742053E462C}\VERSION\ = "1.0"                           regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{044D0F63-C274-40B2-8F50-F09A06DCFBE1}                                                   regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D00D2AA-A077-4914-A046-62E2A7BA9C11}\Forward                                regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D00D2AA-A077-4914-A046-62E2A7BA9C11}\ProxyStubClsid32                       regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6A294C45-07CC-426C-9512-6742053E462C}                                            ntmurl.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\InprocServer32\ThreadingModel = "Apartment"   regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA8A473-BB88-4DDC-AB67-0EE6BF4788A9}\ProgID\ = "ntmURL.IInputObjectCallback"    regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA1FA35-AC92-4978-8556-0AFCD9B52FA2}\ = "_CSideBar"                                     regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D815AB8A-E840-4054-B37D-943893116452}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\efsbar.dll"   regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"   regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"   regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E81505D-47A7-471B-B348-07BDA6159756}\ = "CSideBar"                          regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA496C82-EF15-498A-9281-71C17D2E83B1}\TypeLib                                regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\ProgID\ = "ntmURL.CSBCriteria"             regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA496C82-EF15-498A-9281-71C17D2E83B1}\ProxyStubClsid                         regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E72183BD-2FD6-4FEC-A806-BB3DE07A5E35}\ = "CHandler"                          regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C48E43A2-A7B7-4293-A13A-F4B29158A0BB}\VERSION\ = "1045.4"                        regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A2B988C-5F30-47F7-97DA-0888B9FA0D15}\ProgID\ = "ntmURL.GSubclass"               regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}\ProxyStubClsid                         regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\efindersidebar.CSideBar\Clsid\ = "{6A294C45-07CC-426C-9512-6742053E462C}"                           regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\TypeLib\Version = "415.4"              regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A2B988C-5F30-47F7-97DA-0888B9FA0D15}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"   regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D815AB8A-E840-4054-B37D-943893116452}                                            regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\ = "_IInputObjectCallback"             regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E9BF828-7362-4850-9FE7-59E26521AC34}\ = "_CSBCriteria"                      regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\Implemented Categories                     regsvr32.exe
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29}\Implemented Categories                     ntmurl.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEA1FA35-AC92-4978-8556-0AFCD9B52FA2}\ProxyStubClsid                         regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"   regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.CTimer\Clsid                                                                                regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\efindersidebar.CSideBar                                                                            regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D815AB8A-E840-4054-B37D-943893116452}\InprocServer32\ThreadingModel = "Apartment"   regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA8A473-BB88-4DDC-AB67-0EE6BF4788A9}\Programmable                               regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.CHandler                                                                                    regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\ProgID                                     regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29}\ProgID\ = "ntmURL.CSideBar"                regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.CHandler\Clsid                                                                              regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF}\VERSION                                    regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.IInputObjectCallback                                                                        regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F8A3508D-B8F0-4619-94D1-A85A54B9ABAE}\TypeLib\Version = "1.0"                            regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\Programmable                               regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}\ = "CTimer"                            regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6A294C45-07CC-426C-9512-6742053E462C}\ProgID                                     regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\ = "IInputObjectCallback"              regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E72183BD-2FD6-4FEC-A806-BB3DE07A5E35}\ProxyStubClsid32                       regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD8BFC7F-4A69-4C23-B496-78B301B5193F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"   regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.CSBCriteria\Clsid                                                                           regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}                                            regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD8BFC7F-4A69-4C23-B496-78B301B5193F}\ = "CTimer"                            regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA1FA35-AC92-4978-8556-0AFCD9B52FA2}\TypeLib\ = "{22FD679B-DCE6-4B67-BC7A-EBE8326D40DB}"   regsvr32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2108  urlupdate1.exe  (4 events)

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2252  UrlUpdate.exe
  PID 2108  urlupdate1.exe
  PID 2440  ntmurl.exe
  PID 2388  iewindow.exe

Suspicious use of WriteProcessMemory (49 IoCs)
  Every write is from a parent into a child it has just launched (the "target #" is the sandbox's own process index, not a PID), which is the pattern of ordinary process creation rather than injection into a foreign process. The 49 events collapse to ten parent/child pairs:

  Parent PID  Parent          Child PID  Target #  Writes
  2252        UrlUpdate.exe   2108       28        7
  2108        urlupdate1.exe  2440       29        4
  2440        ntmurl.exe      3024       30        7
  2440        ntmurl.exe      2212       31        4
  2440        ntmurl.exe      1020       32        4
  2440        ntmurl.exe      1736       33        7
  2440        ntmurl.exe      1560       36        4
  2440        ntmurl.exe      340        38        4
  2440        ntmurl.exe      2312       40        4
  2440        ntmurl.exe      2388       42        4
Processes

C:\Users\Admin\AppData\Local\Temp\UrlUpdate.exe  (PID 2252)
  command line: "C:\Users\Admin\AppData\Local\Temp\UrlUpdate.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\urlupdate1.exe  (PID 2108, child of 2252)
    command line: C:\Users\Admin\AppData\Local\Temp\urlupdate1.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ntmurl.exe  (PID 2440, child of 2108)
      command line: C:\Users\Admin\AppData\Local\Temp\ntmurl.exe install scope addressbar
      - Installs/modifies Browser Helper Object
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\regsvr32.exe  (PID 3024, child of 2440)
        command line: regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\ntmurl.dll"
        - Modifies registry class

      C:\Users\Admin\AppData\Local\Temp\nnlogon.exe  (PID 2212, child of 2440)
        command line: "C:\Users\Admin\AppData\Local\Temp\nnlogon.exe" -i

      C:\Windows\SysWOW64\sc.exe  (PID 1020, child of 2440)
        command line: sc start efinderservice
        - Launches sc.exe

      C:\Windows\SysWOW64\regsvr32.exe  (PID 1736, child of 2440)
        command line: regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\efsbar.dll"
        - Modifies registry class

      C:\Windows\SysWOW64\REG.exe  (PID 1560, child of 2440)
        command line: REG IMPORT "C:\Users\Admin\AppData\Local\Temp\sbinstall.reg"
        - Installs/modifies Browser Helper Object
        - Modifies Internet Explorer settings

      C:\Windows\SysWOW64\REG.exe  (PID 340, child of 2440)
        command line: REG IMPORT "C:\Users\Admin\AppData\Local\Temp\sbinstall.reg"
        - Modifies Internet Explorer settings

      C:\Windows\SysWOW64\REG.exe  (PID 2312, child of 2440)
        command line: REG IMPORT "C:\Users\Admin\AppData\Local\Temp\bbuninstall.reg"

      C:\Users\Admin\AppData\Local\Temp\iewindow.exe  (PID 2388, child of 2440)
        command line: C:\Users\Admin\AppData\Local\Temp\iewindow.exe
        - Suspicious use of SetWindowsHookEx
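The signatures and the process tree above give everything needed to check a live host for this installer's leftovers: two BHO CLSIDs and an Explorer Bar CLSID, a hijacked per-user default search scope, a service named efinderservice, and NSearcher.exe dropped under SysWOW64 and Program Files. The following PowerShell hunt script is an added example, not part of the sandbox output or of the sample. The CLSIDs, file paths, service name and search domain are copied from the IoCs above; the function names, the user-profile-path heuristic and the Authenticode check are assumptions of this example. It also includes a small helper that decodes the CP949 mojibake in the report's registry strings.

```powershell
# Added hunt script for the artifacts in this report; it is not part of the sandbox
# output or of the sample. CLSIDs, file paths, the service name and the search domain
# are copied from the IoCs above; the function names and heuristics are assumptions.
# Run from an elevated PowerShell on the host being checked. Save the file as UTF-8
# with BOM so that Windows PowerShell 5.1 reads the non-ASCII literals at the bottom.

$SuspectClsids = @(
    '{72CEEE43-C350-4932-B3DC-B6201F01EFCB}',  # ntmURL.CHandler: BHO and default SearchScope
    '{D815AB8A-E840-4054-B37D-943893116452}',  # efsbar.dll BHO
    '{6A294C45-07CC-426C-9512-6742053E462C}'   # efindersidebar.CSideBar Explorer Bar
)
$SuspectFiles = @(
    "$env:SystemRoot\SysWOW64\NSearcher.exe",
    "$env:ProgramFiles\Netimo\NSearcher\NSearcher.exe",
    "${env:ProgramFiles(x86)}\Netimo\NSearcher\NSearcher.exe"
)

function Resolve-ComServer {
    # Map a CLSID to the InprocServer32 DLL IE would load, checking the native and WOW64 views.
    param([string]$Clsid)
    foreach ($view in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $view "$Clsid\InprocServer32"
        if (Test-Path $key) { return (Get-ItemProperty -Path $key).'(default)' }
    }
    return $null
}

function Get-BhoInventory {
    # Every registered BHO, from both registry views, with the DLL it resolves to.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid  = $key.PSChildName
            $dll    = Resolve-ComServer $clsid
            $onDisk = [bool]$dll -and (Test-Path -LiteralPath $dll)
            [pscustomobject]@{
                Clsid    = $clsid
                Dll      = $dll
                KnownBad = $SuspectClsids -contains $clsid
                # A BHO served from a user profile (this sample uses %TEMP%) is worth a look on its own.
                UserPath = [bool]($dll -match '\\Users\\|\\AppData\\|\\Temp\\')
                Signed   = $onDisk -and ((Get-AuthenticodeSignature -FilePath $dll).Status -eq 'Valid')
            }
        }
    }
}

function Get-SearchScopeHijack {
    # Search scopes of the current user; the sample makes {72CEEE43-...} the default and points
    # it at search.netimo.net. Other users' hives (HKU) need the same check.
    $base = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $base)) { return }
    $default = (Get-ItemProperty -Path $base).DefaultScope
    foreach ($scope in Get-ChildItem -Path $base) {
        $p = Get-ItemProperty -Path $scope.PSPath
        [pscustomobject]@{
            Clsid       = $scope.PSChildName
            IsDefault   = ($scope.PSChildName -eq $default)
            DisplayName = $p.DisplayName
            Url         = $p.URL
            KnownBad    = ($SuspectClsids -contains $scope.PSChildName) -or ([bool]($p.URL -match 'netimo\.net'))
        }
    }
}

function Get-EfinderService {
    # The tree shows "sc start efinderservice" right after "nnlogon.exe -i"; the report does not
    # say which binary backs the service, so ask the service control manager.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='efinderservice'" |
        Select-Object Name, State, StartMode, PathName
}

function Get-DroppedNSearcher {
    foreach ($f in $SuspectFiles) {
        if (Test-Path -LiteralPath $f) {
            [pscustomobject]@{ Path = $f; Sha256 = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash }
        }
    }
}

function ConvertFrom-Cp949Mojibake {
    # Report strings such as "¾ßÈÄ" are CP949 bytes rendered as Latin-1 (the IoCs set Codepage = "949").
    # Re-encoding as Latin-1 and decoding as CP949 recovers the Korean text.
    param([Parameter(Mandatory)][string]$Text)
    try { [System.Text.Encoding]::RegisterProvider([System.Text.CodePagesEncodingProvider]::Instance) } catch { }
    $bytes = [System.Text.Encoding]::GetEncoding(28591).GetBytes($Text)
    [System.Text.Encoding]::GetEncoding(949).GetString($bytes)
}

'== Browser Helper Objects =='
Get-BhoInventory | Format-Table -AutoSize
'== IE search scopes (current user) =='
Get-SearchScopeHijack | Format-Table -AutoSize
'== efinderservice =='
Get-EfinderService | Format-List
'== Dropped NSearcher binaries =='
Get-DroppedNSearcher | Format-Table -AutoSize
'== Report strings decoded =='
ConvertFrom-Cp949Mojibake 'ÀÌ ´Ü¾î °Ë»ö(&S)'   # MenuExt entry name
ConvertFrom-Cp949Mojibake '¾ßÈÄ'               # SearchScope DisplayName
```

The BHO inventory resolves each CLSID to its InprocServer32 path because the BHO list itself holds only CLSIDs; a BHO is only as trustworthy as the DLL that key points to, and a path under a user profile or an unsigned file is a finding even when the CLSID is not on the list above. The search-scope check reads HKCU only, so on a shared machine load the other profiles' NTUSER.DAT hives under HKU and repeat it. On a real host the registry strings come back as proper Unicode; the decoding helper is for reading values out of this report, not out of the registry.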
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped files as listed on the page (file names are not shown, only sizes and hashes):

  755B
    MD5:     846444f8094c4c64779a1487344f6472
    SHA1:    a79f4eca69692f66978912e9994e9d2b8565b08e
    SHA256:  805f1c58946bfda2635d0b9ca8723dc5f306fb00e4508ae188caa0f0a24b16a3
    SHA512:  95657d0b90df18460854af78869a3eb3c693603d5fd2fc2aad079dc18fee5488dc08df91be352010b0bf661bc07dcd787227a3b74bbe17ef5c1b54f5e45eb92c

  442B
    MD5:     d1b9ce8ba9d227e61b8200e837a791da
    SHA1:    5ae250f8c2191376d9a07d80c356cedf976a7575
    SHA256:  3f0c9bf08a9cdcdb96c2401271dc2bf0316adc6d4b01dde12c0d9da32594690d
    SHA512:  265d60be34fa0457e7a7073ccfacf7748b8bddf003589cc53e6e9f2d055a0b442fe21521b78d2e2321faeab7f401eeca7d7f32b3ba65c8d64fdaa521b243965c

  371B
    MD5:     274578edd13251ea77c2a63c99556c30
    SHA1:    92219693f1fcb2e554786de7fa34ab64bb1713bb
    SHA256:  19bb112c27f6af09bd3bcd6a58f86e0005f39522d4bb93432f1e913042e96165
    SHA512:  42dea94ea9f2a9001eeee376b1fac39d6e00d999314ef36839ced39c4e197056a850b3baf5fc33230ae985826628d63de8f086e060162ba6280a7952e02d66a6

  1KB
    MD5:     3e77231c9fd413fa94790881d91613fe
    SHA1:    8cf9a1cc263882bc294ffe2d1ff5d24ae4540c1e
    SHA256:  bb3f6b0647b4e51e12be08ef1f4292d15903990b3efa46e73038471451675011
    SHA512:  64d6161ce31acd657fe274eb2c1bcdf3cd9bee233f214ea8acaf7da1e45abff1f726392ab48f1b92c8db03f1e165380717a148e623b824234c7268044f8239e2

  324B
    MD5:     538db3509cc0579e39a151e618cc0cdd
    SHA1:    382d4259c2ec86e5ad33b94a5d9601007383aa4e
    SHA256:  3447a237c8d3c323476c6546a6fa915c12e6dc09741428c4f0062412cabedd7d
    SHA512:  c64cedb604536a6390b5a79529fd85227288d00340e528e5cde5bf1c978d57ad8701171dfe90c2eb9286e9f25a8e9675c47ff44f064bcee421d258835289ebf1

  293B
    MD5:     343d729b8c5192b5d6519dff5abdc9f8
    SHA1:    34a10fc20f056a61a9c8a706cd723c2c474ea0ca
    SHA256:  ec5daece8787762edc3d28407358beab0362c004547aa6937941205ec3fad1a0
    SHA512:  4703bc272ec1aae32a3592d9afe83c2a886c924485e4e77e4daf5e28375843c5da1f5ec73824562aa3ad9d36ee3a032a93f689dc759ef97b283b6b216596c954

  830B
    MD5:     99efeac3859992432d0973cbac6e9b30
    SHA1:    6f987006f2fe72031084bb86e18ed2f7ba4807e6
    SHA256:  a89c9dcc2775d7b98f177fd55c553e5b00d1800a59322e1e1e854a79620868ae
    SHA512:  42c441aade296c8acce5d424b919e14476d0da84a552dba118c7487415540020687fe290849214dc8067fdbc35a7a6002cd687faf048d7d2e495fd476b3788e3

  324B
    MD5:     058f2758bb8063271a5c5c6257ea9cd2
    SHA1:    6928513ee55a2a32871c08f1a3aa890c6147b074
    SHA256:  2e58e8a351d814537317d27c339272ec69e611daa63c7df80a3dc8666096fc98
    SHA512:  0bc4a847b8aaf00f596ef97a9942882a224397b5af52628417695724d4b9dec07547f48003c902493e71832c1622305736d7119e5a278822ab55cfccef1df1a7

  232KB
    MD5:     e794b6261cf1813091db92cf0563a6bb
    SHA1:    636546a00885e834915a9320fdf747ae2cc07c76
    SHA256:  00a12a1b9132fddf2202de9f97ccaf83264a79d5a932974ef37510a5780997de
    SHA512:  8e19e391db5c9023d33e860dd73e37099229d8730fe7ddbfd1bc3aadf9c7288ec58f29c47bf0aff9f3f00edda22be3374f83a970ce0e082014dbf45c95417d0d

  160B
    MD5:     a3f15fb605bd7885c66a4181e4b9e661
    SHA1:    6c1f8c5286f1d6bc33754ad2b96b92861e39c956
    SHA256:  79f16ef1a13262e965d6490902a74dee9d9818dde39c6c3ef159443816e2e8a5
    SHA512:  9c0302647a03d5e0be2b0cec4e585f9ae714d971d55057e28eeada0ce3011f19c4de555d7e204e815988a908d49fb2e5b4bac2d662cd7c7bf3219da9ec9c7a51

  152KB  (same hashes as the target UrlUpdate.exe in the General section)
    MD5:     df4c70adfe3ee8e7d0a7d396754681ea
    SHA1:    86d6bc8e6961a01aa689909d678512e0e3bc202c
    SHA256:  94a6a81ad5c12aec33d7274e43ed8197cd476bb9680724995631fd971e8a3d86
    SHA512:  94e8fa6c92cbb30320b2067158549e6079be66489c4a2c8008ec7675d9135cddd477137b3c08fe7e7a41d2da6fcc3732d9ae10e8bc47226108938249fa33fa4e