f0cccead9c7b601d53c2898a5a78b75f7697a09bb999df05569656aa10a6e769

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IETab.exe
Size

102KB
MD5

d4d3eaf1936ba7bc33c9915a9d15443b
SHA1

17a662a957539473dd73b494248cf538e1a1736b
SHA256

5e4beb7e70af6f40217db1869da66458e1fedb5452dfafa1985384615876b1ea
SHA512

eb99e6d9db330e43cf0e0c143a071ee2bc809485c44098fb740583d037b7ab177992fdb7c5a0ead75951625966bf2c03038178102654da326a7fc125b3abaa95
SSDEEP

1536:W+7u94k1sUMzPxnhwwiKJQAUN/AlnwVZVAQAYrMnnPQAbRp:W+7u94V0wNJGN/gQArnPQA3

Score

6^/10

adware persistence stealer

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IETab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IETab.exe"	IETab.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0"	regsvr32.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IETab.InSideBand.1\ = "InSideBand Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IETab.InSideBand\CurVer\ = "IETab.InSideBand.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\ProgID\ = "IETab.InSideBand.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IETab.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC40EBFB-929E-400E-AA4B-5BC683900A8E}\1.0\ = "IETab 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC40EBFB-929E-400E-AA4B-5BC683900A8E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IETab.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IETab.InSideBand\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IETab.InSideBand\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IETab.InSideBand.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IETab.InSideBand.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IETab.InSideBand\ = "InSideBand Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\ = "IETab"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC40EBFB-929E-400E-AA4B-5BC683900A8E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC40EBFB-929E-400E-AA4B-5BC683900A8E}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\ = "IInSideBand"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC40EBFB-929E-400E-AA4B-5BC683900A8E}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\TypeLib\ = "{DC40EBFB-929E-400E-AA4B-5BC683900A8E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\ = "IInSideBand"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IETab.InSideBand.1\CLSID\ = "{1EB1BC6A-0A39-420F-8F7B-9E797426A792}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\VersionIndependentProgID\ = "IETab.InSideBand"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC40EBFB-929E-400E-AA4B-5BC683900A8E}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC40EBFB-929E-400E-AA4B-5BC683900A8E}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC40EBFB-929E-400E-AA4B-5BC683900A8E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IETab.InSideBand\CLSID\ = "{1EB1BC6A-0A39-420F-8F7B-9E797426A792}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EB1BC6A-0A39-420F-8F7B-9E797426A792}\TypeLib\ = "{DC40EBFB-929E-400E-AA4B-5BC683900A8E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IETab.InSideBand	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC40EBFB-929E-400E-AA4B-5BC683900A8E}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC40EBFB-929E-400E-AA4B-5BC683900A8E}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17625A54-760C-4C42-B04E-E59339BC2DA1}\TypeLib\ = "{DC40EBFB-929E-400E-AA4B-5BC683900A8E}"	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2400	IETab.exe
2400	IETab.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1976	2400	IETab.exe	30
PID 2400 wrote to memory of 1976	2400	IETab.exe	30
PID 2400 wrote to memory of 1976	2400	IETab.exe	30
PID 2400 wrote to memory of 1976	2400	IETab.exe	30
PID 2400 wrote to memory of 1976	2400	IETab.exe	30
PID 2400 wrote to memory of 1976	2400	IETab.exe	30
PID 2400 wrote to memory of 1976	2400	IETab.exe	30

C:\Users\Admin\AppData\Local\Temp\IETab.exe
"C:\Users\Admin\AppData\Local\Temp\IETab.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IETab.dll"
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads