43dd818938f2a189ae43dcaffa558ad39d518aa60ac096f0cdc0f1c35677a249

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/Download_Energy.exe
Size

5.0MB
MD5

dd06d5bd99414adff053f29bd65abc49
SHA1

42827374cbaf21d4c58ed23644d38ade04916a61
SHA256

086c59c0cf90d477fb338e6af61647d02b169174c5e6aa0c3a5c9a29a19b74b9
SHA512

ef35ec985d997f9acf88223a00a41987e041054942ff823d52054eb7ece4556daef4eeee5d4590f23ca3236057009aca501794ac3d8d7d3359059fc8331b94ea
SSDEEP

98304:6wzOEtUIZUWlakoJOYm38KPKUU3lTzkOKVmhCtD8/WYJ7Kk:5/UIZvaZJW8K0Tz1KECtUWs

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	2236	rundll32.exe
17	2236	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	GLB9191.tmp

Executes dropped EXE 6 IoCs

pid	Process
1492	GLB9191.tmp
4956	STUBWR~1.EXE
3212	conduitinstaller.exe
2128	ct1269415_ie.exe
4952	ct1269415_ff.exe
3188	ct1269415_ch.exe

Loads dropped DLL 37 IoCs

pid	Process
1492	GLB9191.tmp
1492	GLB9191.tmp
1492	GLB9191.tmp
4956	STUBWR~1.EXE
3212	conduitinstaller.exe
3212	conduitinstaller.exe
3212	conduitinstaller.exe
3212	conduitinstaller.exe
3212	conduitinstaller.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
2412	rundll32.exe
2236	rundll32.exe
3212	conduitinstaller.exe
3212	conduitinstaller.exe
4952	ct1269415_ff.exe
4952	ct1269415_ff.exe
3212	conduitinstaller.exe
3212	conduitinstaller.exe
3188	ct1269415_ch.exe
3188	ct1269415_ch.exe
3188	ct1269415_ch.exe
3188	ct1269415_ch.exe
3188	ct1269415_ch.exe
3188	ct1269415_ch.exe
3188	ct1269415_ch.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 7 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}\NoExplorer = "1"	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}\	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}\ = "Download Energy"	ct1269415_ie.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLB9191.tmp

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Download_Energy\Download_EnergyToolbarHelper.exe	ct1269415_ie.exe
File created	C:\Program Files (x86)\Download_Energy\tbDown.dll	ct1269415_ie.exe
File created	C:\Program Files (x86)\Download_Energy\GottenAppsContextMenu.xml	ct1269415_ie.exe
File created	C:\Program Files (x86)\Download_Energy\SharedAppsContextMenu.xml	ct1269415_ie.exe
File created	C:\Program Files (x86)\Download_Energy\uninstall.exe	ct1269415_ie.exe
File created	C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll	ct1269415_ie.exe
File opened for modification	C:\Program Files (x86)\Download_Energy\	ct1269415_ie.exe
File created	C:\Program Files (x86)\Download_Energy\toolbar.cfg	ct1269415_ie.exe
File created	C:\Program Files (x86)\Download_Energy\prxtbDown.dll	ct1269415_ie.exe
File created	C:\Program Files (x86)\Download_Energy\ldrtbDown.dll	ct1269415_ie.exe
File created	C:\Program Files (x86)\Download_Energy\OtherAppsContextMenu.xml	ct1269415_ie.exe
File created	C:\Program Files (x86)\Download_Energy\ToolbarContextMenu.xml	ct1269415_ie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral4/files/0x0007000000023473-150.dat	nsis_installer_1
behavioral4/files/0x0007000000023473-150.dat	nsis_installer_2
behavioral4/files/0x0010000000023476-166.dat	nsis_installer_1
behavioral4/files/0x0010000000023476-166.dat	nsis_installer_2
behavioral4/files/0x0007000000023471-300.dat	nsis_installer_1
behavioral4/files/0x0007000000023471-300.dat	nsis_installer_2
behavioral4/files/0x0007000000023472-468.dat	nsis_installer_1
behavioral4/files/0x0007000000023472-468.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "no"	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{AD708C09-D51B-45B3-9D28-4EBA2681FEBF} = "Download Energy Toolbar"	ct1269415_ie.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	ct1269415_ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BB34C183-D36B-4716-B3ED-950F64E319C4}\Policy = "3"	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5501C14F-F312-4080-BE58-CEB141DA51DF}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Conduit\\CT1269415"	ct1269415_ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5501C14F-F312-4080-BE58-CEB141DA51DF}\Policy = "3"	ct1269415_ie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{ad708c09-d51b-45b3-9d28-4eba2681febf}	ct1269415_ie.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BB34C183-D36B-4716-B3ED-950F64E319C4}	ct1269415_ie.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ad708c09-d51b-45b3-9d28-4eba2681febf}	ct1269415_ie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	ct1269415_ie.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\URLSearchHooks	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BB34C183-D36B-4716-B3ED-950F64E319C4}\AppPath = "C:\\Program Files (x86)\\Download_Energy瘀"	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BB34C183-D36B-4716-B3ED-950F64E319C4}\AppName = "Download_EnergyToolbarHelper.exe"	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5501C14F-F312-4080-BE58-CEB141DA51DF}	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5501C14F-F312-4080-BE58-CEB141DA51DF}\AppName = "Download_EnergyAutoUpdateHelper.exe"	ct1269415_ie.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ct1269415_ie.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\Main	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ad708c09-d51b-45b3-9d28-4eba2681febf} = "Download_Energy Toolbar"	ct1269415_ie.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.conduit.com?SearchSource=10&ctid=CT1269415"	ct1269415_ie.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}\ = "Download Energy Toolbar"	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}\InprocServer32\ThreadingModel = "Apartment"	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{929A8D4E-87AC-4604-B216-A5A2A2925762}\VersionIndependentProgID\ = "Toolbar.CT1269415"	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ = "C:\\Program Files (x86)\\Conduit\\Community Alerts\\Alert.dll"	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}\InprocServer32	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{929a8d4e-87ac-4604-b216-a5a2a2925762}\ProgID	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar.CT1269415\CLSID	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar.CT1269415\CLSID\ = "{929a8d4e-87ac-4604-b216-a5a2a2925762}"	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}\InprocServer32\ = "C:\\Program Files (x86)\\Download_Energy\\prxtbDown.dll"	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{929A8D4E-87AC-4604-B216-A5A2A2925762}\InprocServer32\ = "C:\\Program Files (x86)\\Download_Energy\\prxtbDown.dll"	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{929a8d4e-87ac-4604-b216-a5a2a2925762}\VersionIndependentProgID	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\ = "Conduit Community Alerts"	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ThreadingModel = "Apartment"	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar.CT1269415	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{929A8D4E-87AC-4604-B216-A5A2A2925762}	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{929A8D4E-87AC-4604-B216-A5A2A2925762}\ = "Download Energy API Server"	ct1269415_ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{929A8D4E-87AC-4604-B216-A5A2A2925762}\InprocServer32	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{929A8D4E-87AC-4604-B216-A5A2A2925762}\InprocServer32\ThreadingModel = "Apartment"	ct1269415_ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{929A8D4E-87AC-4604-B216-A5A2A2925762}\ProgID\ = "Toolbar.CT1269415"	ct1269415_ie.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2128	ct1269415_ie.exe
2128	ct1269415_ie.exe
3188	ct1269415_ch.exe
3188	ct1269415_ch.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4956	STUBWR~1.EXE
3212	conduitinstaller.exe
2128	ct1269415_ie.exe
4952	ct1269415_ff.exe
3188	ct1269415_ch.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 1492	4752	Download_Energy.exe	83
PID 4752 wrote to memory of 1492	4752	Download_Energy.exe	83
PID 4752 wrote to memory of 1492	4752	Download_Energy.exe	83
PID 1492 wrote to memory of 4956	1492	GLB9191.tmp	87
PID 1492 wrote to memory of 4956	1492	GLB9191.tmp	87
PID 1492 wrote to memory of 4956	1492	GLB9191.tmp	87
PID 4956 wrote to memory of 3212	4956	STUBWR~1.EXE	89
PID 4956 wrote to memory of 3212	4956	STUBWR~1.EXE	89
PID 4956 wrote to memory of 3212	4956	STUBWR~1.EXE	89
PID 3212 wrote to memory of 2128	3212	conduitinstaller.exe	90
PID 3212 wrote to memory of 2128	3212	conduitinstaller.exe	90
PID 3212 wrote to memory of 2128	3212	conduitinstaller.exe	90
PID 2128 wrote to memory of 2236	2128	ct1269415_ie.exe	91
PID 2128 wrote to memory of 2236	2128	ct1269415_ie.exe	91
PID 2128 wrote to memory of 2236	2128	ct1269415_ie.exe	91
PID 2128 wrote to memory of 2412	2128	ct1269415_ie.exe	92
PID 2128 wrote to memory of 2412	2128	ct1269415_ie.exe	92
PID 2128 wrote to memory of 2412	2128	ct1269415_ie.exe	92
PID 3212 wrote to memory of 4952	3212	conduitinstaller.exe	93
PID 3212 wrote to memory of 4952	3212	conduitinstaller.exe	93
PID 3212 wrote to memory of 4952	3212	conduitinstaller.exe	93
PID 3212 wrote to memory of 3188	3212	conduitinstaller.exe	94
PID 3212 wrote to memory of 3188	3212	conduitinstaller.exe	94
PID 3212 wrote to memory of 3188	3212	conduitinstaller.exe	94

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Download_Energy.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Download_Energy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\GLB9191.tmp
  C:\Users\Admin\AppData\Local\Temp\GLB9191.tmp 4736 C:\Users\Admin\AppData\Local\Temp\$PLUGI~1\DOWNLO~1.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\CT1269~1\STUBWR~1.EXE
    "C:\Users\Admin\AppData\Local\Temp\CT1269~1\STUBWR~1.EXE" -parameters=C:\Users\Admin\AppData\Local\Temp\CT1269415\parameters.csf
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\conduitinstaller.exe
      C:\Users\Admin\AppData\Local\Temp\conduitinstaller.exe -StartPage=TRUE -DefaultSearch=TRUE -SearchFromAddress=TRUE -InstallId=CT1269415_download_energy.exe -OpenUninstallPage=TRUE -Fix404=TRUE -EnableAlerts=TRUE -showPersonalCompDialog=FALSE -ctid=CT1269415 -ie=C:\Users\Admin\AppData\Local\Temp\CT1269415\CT1269415_ie.exe -ff=C:\Users\Admin\AppData\Local\Temp\CT1269415\CT1269415_ff.exe -ch=C:\Users\Admin\AppData\Local\Temp\CT1269415\CT1269415_ch.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3212
    - - \??\c:\users\admin\appdata\local\temp\ct1269415\ct1269415_ie.exe
        
        "c:\users\admin\appdata\local\temp\ct1269415\ct1269415_ie.exe" /s -silent -startpage=true -defaultsearch=true -showwelcomepage=false -openwelcomedialog=false -showpersonalcompdialog=false -fix404=true -searchfromaddress=true -searchfromadress=true -openuninstallpage=true -defaultsearchdisplayname= -defaultsearchurl= -enablealerts=true -installtype=ConduitNSISIntegration -installid=ct1269415_download_energy.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 "C:\Program Files (x86)\Download_Energy\tbDown.dll" DllSendInstallationUsage New Installation
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:2236
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 "C:\Program Files (x86)\Download_Energy\tbDown.dll" DllVerifyEnableExtension
        6⤵
        Loads dropped DLL
        
        PID:2412
    - - \??\c:\users\admin\appdata\local\temp\ct1269415\ct1269415_ff.exe
        
        "c:\users\admin\appdata\local\temp\ct1269415\ct1269415_ff.exe" /s -silent -startpage=true -defaultsearch=true -showwelcomepage=false -openwelcomedialog=false -showpersonalcompdialog=false -fix404=true -searchfromaddress=true -searchfromadress=true -openuninstallpage=true -defaultsearchdisplayname= -defaultsearchurl= -enablealerts=true -installtype=ConduitNSISIntegration -installid=ct1269415_download_energy.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4952
    - - \??\c:\users\admin\appdata\local\temp\ct1269415\ct1269415_ch.exe
        
        "c:\users\admin\appdata\local\temp\ct1269415\ct1269415_ch.exe" /s -silent -startpage=true -defaultsearch=true -showwelcomepage=false -openwelcomedialog=false -showpersonalcompdialog=false -fix404=true -searchfromaddress=true -searchfromadress=true -openuninstallpage=true -defaultsearchdisplayname= -defaultsearchurl= -enablealerts=true -installtype=ConduitNSISIntegration -installid=ct1269415_download_energy.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll

Filesize
623KB

MD5
6796f6e449f90a543dc3345538acc46f

SHA1
97bccd25561f44e9b13f05f6eef083c9ce9ba529

SHA256
f22e58cdfe94d4a5fbbf2795a743b167ed9923e289e14654631e0077dd306c1d

SHA512
f4402027bf1d40f550aab809b17f3bb8543ae76694d1a0ca429c6e1a0e2eacd835b81c4d8f13debed5c80e51c4214991ec8dba8f3a5731b8e5c8ff88e047685a

Download Submit
C:\Program Files (x86)\Download_Energy\prxtbDown.dll

Filesize
172KB

MD5
4c163bd2a5905d18893ee311608e8c54

SHA1
a2d929a9864513c0e8ed84aad622ef6adcc9b950

SHA256
4553d99f1f146e2359ceb60987d904bafd24843b71d3e95c358776f3a1d5c6f1

SHA512
e1c7b44dc683f58c7c7b66b2448ed19c4e846b35f4018592c2d87191f3d8a2e4649ec3c92aa2f444b249f8ac27e5f2e7fe1cefbedd5d12721d21335a1c55afb1

Download Submit
C:\Program Files (x86)\Download_Energy\toolbar.cfg

Filesize
27B

MD5
e9554810d9fb5a0452acc4b13f4f3048

SHA1
8b71243ecae23e3884cd0265982e5cfe5464c48a

SHA256
92dcbbc5d0ac2f28103c8f33be2d9e898686e417666ae142518fd52c8b5c1442

SHA512
6cd5142906f5f98e261d7b49799e20b80b9a5503458a78d234d38c25bd977a6e7c53ee114b898f71a99efd49e4fe5d03871a11077060ca7cddeffe7a1c810cb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Download_Energy\ldrtbDown.dll

Filesize
257KB

MD5
76b3946090c94bb38dbbca54ac8ff9f7

SHA1
1e00782fec3ca539ae30f866502633ff550356c6

SHA256
d3f942951b10476d7f16124295bbacd6da61f63edee8d136260715cc4d929e99

SHA512
7c5e1231e6a0174f6c0c88c12bccdef673fd81001f746b7b4e543e73b078312b2fa808bda1616e93f98d44df99ee0d31a9bef2a7adcda783d6b21db7c897e793

Download Submit
C:\Users\Admin\AppData\Local\Temp\CT1269~1\STUBWR~1.EXE

Filesize
97KB

MD5
87dcb1143c2a515d56f037ebf0215497

SHA1
134c06000cfe366632119e2557efe6f7e2fc7d12

SHA256
2ee653f167f4590da82ca4acc65ca02a38ccfedccf14e9f2684e92efa98ce238

SHA512
135ee4231c64508c5655ef16d7a78d73117e6c0bd220c3801cad5e713b653178c2ba73d65b2db44ecfdbcbfd67d08944ca8bbee4d54a91f3573ef0890ed998ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLB9191.tmp

Filesize
70KB

MD5
ec2a767238b46a96b4633d795a893272

SHA1
11e5809cda56b0d900a37cd6271afe91102a660e

SHA256
62706eb6fcb52d3b9162118e10cdf775d94961bbef26f965b4fd6af74cef9fea

SHA512
6290dbddb4533b726fd6b12dbf0efb191a62eb052742bd724cbe52ab128ac0d12555c246117554c5d1701446123ffad7afdd4cf70ed5846fd9d17e5f40bc94b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC923D.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK925E.tmp

Filesize
33KB

MD5
517419cae37f6c78c80f9b7d0fbb8661

SHA1
a9e419f3d9ef589522556e0920c84fe37a548873

SHA256
bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

SHA512
5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

Download Submit
C:\Users\Admin\AppData\Local\Temp\conduitinstaller.exe

Filesize
66KB

MD5
36b6faa2d8e00ae98f510046d3213426

SHA1
cf3df77b5f97153f1fb93c297988e8be2c732021

SHA256
62d58a2002ecac027c678ab735705b8628df3723b36c4b0de3c09e3ba0b86cc7

SHA512
155f61ef988d25bdeed34928aef7662299a9ca65846b94feca9e6dba01a33895535b78d2a11c1a4425c4772f3b7673ef20f83479c6d13f2a3b53d79cef6572ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbAF4C.tmp\Processes.dll

Filesize
58KB

MD5
7a69b2f909c684b261c5e295e95351c6

SHA1
05df8e4e072bd877e5a641608ee35f2cdcf544fb

SHA256
59a81b8119a2e2bc2dcc22d8dbf87b20d6fe8c734930bf86d326cd2708f99358

SHA512
aaccf1bd2254a65c7f8f300fe60b028b95f921d03e6507154d56ad2161dfdda8cd7716d00cff7c4512040bca8610ab7a0684cefec4eb729b98874aa35b5c5a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9C02.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfACAC.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfAD49.tmp

Filesize
348B

MD5
6e7b34e4caf29351bec697bb88cd8250

SHA1
d8c440bba344da13b944b7e896cafc9879d33c8c

SHA256
92310f7d8da063154260648db3997488f250583ff45856302cb717e1c63cfb92

SHA512
b28d65b149d8f284a8a772d1e4b8c4a75bdc123f587675600ec5fd6872c2323839fee37643a8b5528f17490ed8bb87e9af60a1ac6731bdadd10a05ba482ad781

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss99A1.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9C13.tmp.tbDown.dll

Filesize
4.2MB

MD5
dfa962af859e83bb93583fe02bc1b952

SHA1
289b1ba933c86178df96c3b9bc5bcbe81585c525

SHA256
2d9a113818f5bf0d2040a4b20abb6b8a792a44d352b5fd9787cb1f55f3a20564

SHA512
9f95f961be6375e57f25e0574145b09d99155525eb0b11222cb4ebaf04d962024b0e97d516e59cb7aa5e24f3c7d70aa3573fc5c0f8ae5f387e6d6ecd82855274

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A0E.tmp\ConduitInetc.dll

Filesize
24KB

MD5
cde6b5a14b902c89dcc24abbf655398f

SHA1
65977aaac6d8649f8c3d9b5a61d13b0d8d08293b

SHA256
0c094a41a0aff981f5e20b4c720d8930586162379240242a6d0b22872af6e375

SHA512
e8203560d0d4c15662ccd65e91a36985d5c2f16ceed70258ee8b4f3e698f97ec7e9b8c40d2fad7ce38fd1a2ac0cd2e88d39cbab1409bd15bbf66a0b755e6262f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A0E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.Admin\extensions\{ad708c09-d51b-45b3-9d28-4eba2681febf}\install.rdf

Filesize
1KB

MD5
b88873081ef727a57fcb83f139187e76

SHA1
b8b64d94c26bb96fae04337309d6669078cdbe31

SHA256
3f33cee36e946f109ec3da46f76c1249e4ad32664058bdcbc5cdee8bf99c80c8

SHA512
d90b8b71040b69ac5cf0546dabe4e96f43da54541b530dc2849023512326252c30c0a19798d4f8aebc5c5453d51b0b2676e760a6c00e969c1b0d9889bd8aed76

Download Submit
\??\c:\users\admin\appdata\local\temp\ct1269415\ct1269415_ch.exe

Filesize
1.5MB

MD5
4174a4ef5dd85acdce10d3b5542682ef

SHA1
4e3c1a28a15cde2a99735a505c97766e94b0c6b2

SHA256
7de4029042edb182262bff1e908666482e546ec891995b0a47ffd77dda82e73c

SHA512
fd34875804cddde2bfaa24483a6be4fe4cd2f463fc28f8c17537f40aae8a029a34a188f2401c3837e870d66bc5636884ab7ca623046e1175c3caa36fb6df34ff

Download Submit
\??\c:\users\admin\appdata\local\temp\ct1269415\ct1269415_ff.exe

Filesize
1.3MB

MD5
154e2a4cada94b9254292891d491722c

SHA1
4387e9d021a4ed4f5aead9e3da0c0273cc4ab6ac

SHA256
5bf62b048d0de7d2f2185d2145c4c1cf21aba6243f544637abaccef5cf3a74db

SHA512
2725cdcb619e592dbb9558f6cd0f6da467e80d53b979dcd7550bc6e6c532ca56db782cf739b70fe91bc9c483098a2d21177fdf1d5d19095ecd8e4268643ab57f

Download Submit
\??\c:\users\admin\appdata\local\temp\ct1269415\ct1269415_ie.exe

Filesize
2.0MB

MD5
d354475b2321ab524c9e2a66e5fce98c

SHA1
257f628e6c89abe976dd3af915006c2f666040fb

SHA256
605988df8c781931fd15e8bb449aa3616554ab251e86f3e4840e2cbdd62fb4bb

SHA512
45adcfbb34e578277ba202d061c372a5529be6c381b90e61afd16e119569c75aa6f3a9cf5cb9cec94e22b03e338cfce5f5dc56538f71f1bce36647241027ed3c

Download Submit
\??\c:\users\admin\appdata\local\temp\ct1269415\parameters.csf

Filesize
422B

MD5
b13853bf1a8e169ec5dc9e3bdae8dc32

SHA1
5d2884d6ae9191be3d98d56f06745b429fdcffd6

SHA256
283f72535efa20a2ff434a79c99e1ec90e6efd2b273a49bd886525bc55fb3726

SHA512
07282f403e15b4a5f051d4aaff3c7b7f83e76a10a4fa3542777a562afed81af1e629cc4a9c960e8951f60153e02a479b90a23455ab1df9f1c110627cecfa66b5

Download Submit
memory/2128-274-0x0000000003270000-0x0000000003311000-memory.dmp

Filesize
644KB

Download
memory/2128-207-0x0000000003270000-0x00000000036A8000-memory.dmp

Filesize
4.2MB

Download
memory/2128-229-0x0000000003800000-0x000000000382F000-memory.dmp

Filesize
188KB

Download
memory/2128-248-0x0000000003890000-0x00000000038D3000-memory.dmp

Filesize
268KB

Download
memory/2128-264-0x0000000003980000-0x0000000003DB8000-memory.dmp

Filesize
4.2MB

Download
memory/2128-255-0x0000000003B20000-0x0000000003F58000-memory.dmp

Filesize
4.2MB

Download
memory/3188-487-0x00000000022C0000-0x00000000022ED000-memory.dmp

Filesize
180KB

Download
memory/3188-516-0x00000000022C0000-0x00000000022D3000-memory.dmp

Filesize
76KB

Download