577a7ec9e58665b9b840ce9618e2d330c065dc9a7d7b2109f52e392b77e839c4

Analysis

max time kernel
138s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UrlUpdate.exe
Size

152KB
MD5

df4c70adfe3ee8e7d0a7d396754681ea
SHA1

86d6bc8e6961a01aa689909d678512e0e3bc202c
SHA256

94a6a81ad5c12aec33d7274e43ed8197cd476bb9680724995631fd971e8a3d86
SHA512

94e8fa6c92cbb30320b2067158549e6079be66489c4a2c8008ec7675d9135cddd477137b3c08fe7e7a41d2da6fcc3732d9ae10e8bc47226108938249fa33fa4e
SSDEEP

3072:T6npLFsb893Sn3dkJht04WD2spOL/KGKlhcpguZh5pXK1zZcsbAM:+0nNke4WdUL/KGKlhcpguZHpXK1z0M

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3660	urlupdate1.exe

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}	ntmurl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\NoExplorer	ntmurl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452}	ntmurl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452}\NoExplorer	ntmurl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452}	REG.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NSearcher.exe	ntmurl.exe
File opened for modification	C:\Windows\SysWOW64\NSearcher.exe	ntmurl.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Netimo\NSearcher\NSearcher.exe	ntmurl.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
456	sc.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	ntmurl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)\contexts = "48"	ntmurl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Explorer Bars	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\URL = "http://search.netimo.net/ntmsearch.html?where=all&cp=ezsearch&adv=yahoo&type=forward&ssupply=1&q={searchTerms}"	ntmurl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\Codepage = "949"	ntmurl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)\ = "res://C:\\Users\\Admin\\AppData\\Local\\Temp\\ntmurl.dll/SEARCH.HTM"	ntmurl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\DisplayName = "¾ßÈÄ"	ntmurl.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main	ntmurl.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}	REG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}\BarSize = dc00000000000000	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}	ntmurl.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)	ntmurl.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\SearchScopes	ntmurl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{72CEEE43-C350-4932-B3DC-B6201F01EFCB}"	ntmurl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ntmurl.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E81505D-47A7-471B-B348-07BDA6159756}\Forward	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A2B988C-5F30-47F7-97DA-0888B9FA0D15}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E72183BD-2FD6-4FEC-A806-BB3DE07A5E35}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{149BD92F-B28E-4C04-8B4D-46CDD176B7E4}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{323EDAF0-DD73-47E1-9C77-76261365F2A6}\ = "ntmURL.ISubclass"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{044D0F63-C274-40B2-8F50-F09A06DCFBE1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C48E43A2-A7B7-4293-A13A-F4B29158A0BB}\ProgID\ = "ntmURL.IURLHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E9BF828-7362-4850-9FE7-59E26521AC34}\ = "_CSBCriteria"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.ISubclass\Clsid\ = "{323EDAF0-DD73-47E1-9C77-76261365F2A6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D815AB8A-E840-4054-B37D-943893116452}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA496C82-EF15-498A-9281-71C17D2E83B1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBA8A473-BB88-4DDC-AB67-0EE6BF4788A9}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.CSideBar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA496C82-EF15-498A-9281-71C17D2E83B1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBA8A473-BB88-4DDC-AB67-0EE6BF4788A9}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.GSubclass\ = "ntmURL.GSubclass"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{044D0F63-C274-40B2-8F50-F09A06DCFBE1}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\ = "_ISubclass"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D00D2AA-A077-4914-A046-62E2A7BA9C11}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.CTimer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.ISubclass	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22FD679B-DCE6-4B67-BC7A-EBE8326D40DB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA496C82-EF15-498A-9281-71C17D2E83B1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBA8A473-BB88-4DDC-AB67-0EE6BF4788A9}\ProgID\ = "ntmURL.IInputObjectCallback"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.IURLHelper	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E72183BD-2FD6-4FEC-A806-BB3DE07A5E35}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D00D2AA-A077-4914-A046-62E2A7BA9C11}\ = "IURLHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\ProgID\ = "ntmURL.CSBCriteria"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A2B988C-5F30-47F7-97DA-0888B9FA0D15}\VERSION\ = "1045.4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\efindersidebar.CSideBar\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBA8A473-BB88-4DDC-AB67-0EE6BF4788A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F8A3508D-B8F0-4619-94D1-A85A54B9ABAE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6E6B197-9348-449E-A149-384B208874B1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{044D0F63-C274-40B2-8F50-F09A06DCFBE1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD8BFC7F-4A69-4C23-B496-78B301B5193F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBA8A473-BB88-4DDC-AB67-0EE6BF4788A9}\ = "ntmURL.IInputObjectCallback"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.IURLHelper\ = "ntmURL.IURLHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEA1FA35-AC92-4978-8556-0AFCD9B52FA2}\ = "CSideBar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26893EEF-3781-4234-8D71-EF9C394156A3}\ = "_CSBCriterion"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E81505D-47A7-471B-B348-07BDA6159756}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A294C45-07CC-426C-9512-6742053E462C}\Implemented Categories	REG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29}	ntmurl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A294C45-07CC-426C-9512-6742053E462C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD8BFC7F-4A69-4C23-B496-78B301B5193F}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{149BD92F-B28E-4C04-8B4D-46CDD176B7E4}\ = "CSBCriterion"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29}\Programmable	ntmurl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEA1FA35-AC92-4978-8556-0AFCD9B52FA2}\TypeLib\ = "{22FD679B-DCE6-4B67-BC7A-EBE8326D40DB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D815AB8A-E840-4054-B37D-943893116452}\ = "ezsearch"	ntmurl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E9BF828-7362-4850-9FE7-59E26521AC34}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3660	urlupdate1.exe
3660	urlupdate1.exe
3660	urlupdate1.exe
3660	urlupdate1.exe
3660	urlupdate1.exe
3660	urlupdate1.exe
3660	urlupdate1.exe
3660	urlupdate1.exe
3660	urlupdate1.exe
3660	urlupdate1.exe
3660	urlupdate1.exe
3660	urlupdate1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3780	UrlUpdate.exe
3660	urlupdate1.exe
1600	ntmurl.exe
3036	iewindow.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 3660	3780	UrlUpdate.exe	83
PID 3780 wrote to memory of 3660	3780	UrlUpdate.exe	83
PID 3780 wrote to memory of 3660	3780	UrlUpdate.exe	83
PID 3660 wrote to memory of 1600	3660	urlupdate1.exe	87
PID 3660 wrote to memory of 1600	3660	urlupdate1.exe	87
PID 3660 wrote to memory of 1600	3660	urlupdate1.exe	87
PID 1600 wrote to memory of 3092	1600	ntmurl.exe	91
PID 1600 wrote to memory of 3092	1600	ntmurl.exe	91
PID 1600 wrote to memory of 3092	1600	ntmurl.exe	91
PID 1600 wrote to memory of 2068	1600	ntmurl.exe	93
PID 1600 wrote to memory of 2068	1600	ntmurl.exe	93
PID 1600 wrote to memory of 2068	1600	ntmurl.exe	93
PID 1600 wrote to memory of 456	1600	ntmurl.exe	94
PID 1600 wrote to memory of 456	1600	ntmurl.exe	94
PID 1600 wrote to memory of 456	1600	ntmurl.exe	94
PID 1600 wrote to memory of 1472	1600	ntmurl.exe	95
PID 1600 wrote to memory of 1472	1600	ntmurl.exe	95
PID 1600 wrote to memory of 1472	1600	ntmurl.exe	95
PID 1600 wrote to memory of 3532	1600	ntmurl.exe	98
PID 1600 wrote to memory of 3532	1600	ntmurl.exe	98
PID 1600 wrote to memory of 3532	1600	ntmurl.exe	98
PID 1600 wrote to memory of 3228	1600	ntmurl.exe	100
PID 1600 wrote to memory of 3228	1600	ntmurl.exe	100
PID 1600 wrote to memory of 3228	1600	ntmurl.exe	100
PID 1600 wrote to memory of 3700	1600	ntmurl.exe	102
PID 1600 wrote to memory of 3700	1600	ntmurl.exe	102
PID 1600 wrote to memory of 3700	1600	ntmurl.exe	102
PID 1600 wrote to memory of 3036	1600	ntmurl.exe	104
PID 1600 wrote to memory of 3036	1600	ntmurl.exe	104
PID 1600 wrote to memory of 3036	1600	ntmurl.exe	104

C:\Users\Admin\AppData\Local\Temp\UrlUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\UrlUpdate.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Users\Admin\AppData\Local\Temp\urlupdate1.exe
  C:\Users\Admin\AppData\Local\Temp\urlupdate1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Users\Admin\AppData\Local\Temp\ntmurl.exe
    C:\Users\Admin\AppData\Local\Temp\ntmurl.exe install scope addressbar
    3⤵
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\ntmurl.dll"
      4⤵
      Modifies registry class
      PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\nnlogon.exe
      "C:\Users\Admin\AppData\Local\Temp\nnlogon.exe" -i
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\sc.exe
      sc start efinderservice
      4⤵
      Launches sc.exe
      PID:456
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\efsbar.dll"
      4⤵
      Modifies registry class
      PID:1472
  - - C:\Windows\SysWOW64\REG.exe
      REG IMPORT "C:\Users\Admin\AppData\Local\Temp\sbinstall.reg"
      4⤵
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:3532
  - - C:\Windows\SysWOW64\REG.exe
      REG IMPORT "C:\Users\Admin\AppData\Local\Temp\sbinstall.reg"
      4⤵
      Modifies Internet Explorer settings
      PID:3228
  - - C:\Windows\SysWOW64\REG.exe
      REG IMPORT "C:\Users\Admin\AppData\Local\Temp\bbuninstall.reg"
      4⤵
      PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\iewindow.exe
      C:\Users\Admin\AppData\Local\Temp\iewindow.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bbuninstall.reg

Filesize
442B

MD5
d1b9ce8ba9d227e61b8200e837a791da

SHA1
5ae250f8c2191376d9a07d80c356cedf976a7575

SHA256
3f0c9bf08a9cdcdb96c2401271dc2bf0316adc6d4b01dde12c0d9da32594690d

SHA512
265d60be34fa0457e7a7073ccfacf7748b8bddf003589cc53e6e9f2d055a0b442fe21521b78d2e2321faeab7f401eeca7d7f32b3ba65c8d64fdaa521b243965c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nautoup.log

Filesize
584B

MD5
ecacfdea795bad965c17f5f5be299271

SHA1
8273953e6382d61ef2a5c8ad9bcf60de57bdacee

SHA256
b708e86033abcb3159491ae6236f03bb0bc193b2b343378d4bdd8c9d4eaa4e62

SHA512
0045aa376348e8e4f3c5d1d3919f23878d3dd2cd6913e7916912b0492df0441f7b592dfc535ee83192df6431aa98b91693b8b0ae690db5c90b5a79a1976aa5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnlogon.ini

Filesize
324B

MD5
538db3509cc0579e39a151e618cc0cdd

SHA1
382d4259c2ec86e5ad33b94a5d9601007383aa4e

SHA256
3447a237c8d3c323476c6546a6fa915c12e6dc09741428c4f0062412cabedd7d

SHA512
c64cedb604536a6390b5a79529fd85227288d00340e528e5cde5bf1c978d57ad8701171dfe90c2eb9286e9f25a8e9675c47ff44f064bcee421d258835289ebf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnlogon.log

Filesize
382B

MD5
729b717441624c6a216fbb0de26ce54a

SHA1
f25a7ef88de77f653224a7c68bedd8898f36b753

SHA256
7d63699a4b288cb8893f1524e8c5ef449e83037f21bc151fac9bcfd7325b9640

SHA512
ea35eeac9c2f75e3e1fb0eceecea9e788167d01a95015c7bf17bc1b31461d027381c2dc81b88816156f14b83606b40b393ed859d8b5b83f485f9e1744ce2f3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbinstall.reg

Filesize
830B

MD5
99efeac3859992432d0973cbac6e9b30

SHA1
6f987006f2fe72031084bb86e18ed2f7ba4807e6

SHA256
a89c9dcc2775d7b98f177fd55c553e5b00d1800a59322e1e1e854a79620868ae

SHA512
42c441aade296c8acce5d424b919e14476d0da84a552dba118c7487415540020687fe290849214dc8067fdbc35a7a6002cd687faf048d7d2e495fd476b3788e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbinstall.reg

Filesize
324B

MD5
058f2758bb8063271a5c5c6257ea9cd2

SHA1
6928513ee55a2a32871c08f1a3aa890c6147b074

SHA256
2e58e8a351d814537317d27c339272ec69e611daa63c7df80a3dc8666096fc98

SHA512
0bc4a847b8aaf00f596ef97a9942882a224397b5af52628417695724d4b9dec07547f48003c902493e71832c1622305736d7119e5a278822ab55cfccef1df1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tags.mdb

Filesize
232KB

MD5
0dbcc4146cc0f83f1d3c628cefa2cfba

SHA1
f26860cc75c1359cac09802ce1afc51fc9d7e68e

SHA256
7b5c87a3acc8c205a382515c4cf7e4a55d5ef1d1c276602ae4bf43f5bfe3567e

SHA512
0b05c8e6c3d142f26502744982e627737df633776f4108a90beb0e555891c3c0cb73e4acd82ff4a4fd55e769dffc5516ec6fe0e3aed357528aef56fbb39042e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\urlupdate1.exe

Filesize
152KB

MD5
df4c70adfe3ee8e7d0a7d396754681ea

SHA1
86d6bc8e6961a01aa689909d678512e0e3bc202c

SHA256
94a6a81ad5c12aec33d7274e43ed8197cd476bb9680724995631fd971e8a3d86

SHA512
94e8fa6c92cbb30320b2067158549e6079be66489c4a2c8008ec7675d9135cddd477137b3c08fe7e7a41d2da6fcc3732d9ae10e8bc47226108938249fa33fa4e

Download Submit
C:\nautoup.log

Filesize
218B

MD5
3a14f56b2be7331351b5f52803957b57

SHA1
7b65af8466c66022e3099dabc067b819f6b9e0e3

SHA256
0373a483cce59fe7d6ced1d9bd287bbd83399289574c306e9967db60574d0fb0

SHA512
f80b5a18e1b1d7788a5b98e0874765ddae7db4d6ea9a4e34defec1eb28d98a41dcadcc7610ee4c3cbc52ea9e4f5229aed848332d9aa86f9e55bfff24b3732008

Download Submit