Analysis
max time kernel: 120s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/08/2024, 09:10
Static task: static1
Behavioral task: behavioral1
Sample: 616bf95fe0f8ef817bbfd88a4122b3c0N.exe
Resource: win7-20240705-en
General
Target: 616bf95fe0f8ef817bbfd88a4122b3c0N.exe
Size: 260KB
MD5: 616bf95fe0f8ef817bbfd88a4122b3c0
SHA1: 2049e90d1f10e58862c47cf253268c010eaa7318
SHA256: 0e5f9593166a9dd14c097be31a34c1e154436b37bde539921dde57e261ac70b6
SHA512: 833349879d3b7157d89b6497f58d62b6c71f5cc46839bd20213d0e420ff2ce2b027a5fb2655c31ad296cf3d445b46d468c683800a7a2aaa0f1a76ca5d0027595
SSDEEP: 6144:RyZcAuFcCf38XolyxnDFJ6VNeVt7OUYfjOkT+Ekkr+fOyN1TUMDh:YTOcCf6yVQIdL41f9IWh
Malware Config
Signatures
UAC bypass 1 IoCs
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (MsiExec.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation  (616bf95fe0f8ef817bbfd88a4122b3c0N.exe)
Executes dropped EXE 2 IoCs
  PID 1016  Localizar.exe
  PID 1928  Localizar.exe
Loads dropped DLL 10 IoCs
  PID 2244  MsiExec.exe
  PID 2244  MsiExec.exe
  PID 1580  MsiExec.exe
  PID 2244  MsiExec.exe
  PID 2244  MsiExec.exe
  PID 2244  MsiExec.exe
  PID 2244  MsiExec.exe
  PID 2244  MsiExec.exe
  PID 1928  Localizar.exe
  PID 1016  Localizar.exe
Adds Run key to start application 2 TTPs 2 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\harmonie = "C:\\Program Files (x86)\\Internet Explorer\\Internet Explorer\\Localizar.exe"  (Localizar.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\harmonie = "C:\\Program Files (x86)\\Internet Explorer\\Internet Explorer\\Localizar.exe"  (Localizar.exe)
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only), all by msiexec.exe, in the order logged: \??\K:, \??\L:, \??\W:, \??\X:, \??\Z:, \??\G:, \??\E:, \??\I:, \??\Q:, \??\R:, \??\V:, \??\B:, \??\M:, \??\O:, \??\T:, \??\U:, \??\H:, \??\J:, \??\N:, \??\P:, \??\S:, \??\Y:, \??\A:
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADEFB9E-B824-45e6-86E2-2B7941F5D6A3}  (msiexec.exe)
Drops file in Program Files directory 5 IoCs
  File created: C:\Program Files (x86)\Internet Explorer\Internet Explorer\Interop.SHDocVw.DLL  (msiexec.exe)
  File created: C:\Program Files (x86)\Internet Explorer\Internet Explorer\cylx.ocx  (msiexec.exe)
  File created: C:\Program Files (x86)\Internet Explorer\Internet Explorer\fridde.dll  (msiexec.exe)
  File created: C:\Program Files (x86)\Internet Explorer\Internet Explorer\Localizar.exe  (msiexec.exe)
  File created: C:\Program Files (x86)\Internet Explorer\Internet Explorer\fridde.InstallState  (MsiExec.exe)
Drops file in Windows directory 11 IoCs
  File opened for modification: C:\Windows\Installer\  (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI8280.tmp  (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI83E8.tmp  (msiexec.exe)
  File created: C:\Windows\Installer\e5780fb.msi  (msiexec.exe)
  File created: C:\Windows\Installer\e5780f7.msi  (msiexec.exe)
  File opened for modification: C:\Windows\Installer\e5780f7.msi  (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI81F2.tmp  (msiexec.exe)
  File created: C:\Windows\Installer\SourceHash{F252D5E8-241C-47F8-ACFD-443705BBD721}  (msiexec.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI8174.tmp  (msiexec.exe)
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi  (msiexec.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Localizar.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (616bf95fe0f8ef817bbfd88a4122b3c0N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (msiexec.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (MsiExec.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (MsiExec.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Localizar.exe)
Modifies Internet Explorer settings 8 IoCs
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\  (Localizar.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "www.ara4.pro"  (Localizar.exe)
  Key created: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\  (Localizar.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"  (Localizar.exe)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\  (Localizar.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "www.ara4.pro"  (Localizar.exe)
  Key created: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\  (Localizar.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"  (Localizar.exe)
Modifies data under HKEY_USERS 3 IoCs
  Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E  (msiexec.exe)
  Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26  (msiexec.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27  (msiexec.exe)
Modifies registry class 64 IoCs
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\TypeLib  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C757DB35-06E6-42BB-B001-58EDAEF6CB51}\TypeLib  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADEFB9E-B824-45E6-86E2-2B7941F5D6A3}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{737E18BB-1EB0-3C3E-8876-5236127A03DB}\InprocServer32\1.0.0.1  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F6FC6887-BD53-4480-B079-A1FECB7479B7}\ProxyStubClsid32  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6FC6887-BD53-4480-B079-A1FECB7479B7}\ = "UserControl1"  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Internet Explorer|Internet Explorer|fridde.dll  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADEFB9E-B824-45E6-86E2-2B7941F5D6A3}\Implemented Categories  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADEFB9E-B824-45E6-86E2-2B7941F5D6A3}\InprocServer32\1.0.0.1\CodeBase = "C:\\Program Files (x86)\\Internet Explorer\\Internet Explorer\\fridde.dll"  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C757DB35-06E6-42BB-B001-58EDAEF6CB51}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Internet Explorer\\Internet Explorer\\cylx.ocx, 30000"  (MsiExec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5D252FC1428F74CADF447350BB7D12\Language = "1033"  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\ProxyStubClsid32  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C757DB35-06E6-42BB-B001-58EDAEF6CB51}\ToolboxBitmap32  (MsiExec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5D252FC1428F74CADF447350BB7D12\Version = "184549376"  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5D252FC1428F74CADF447350BB7D12\SourceList  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{801AD3BD-9B29-4727-B08C-3DFC75813298}\1.0\ = "Projectik"  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\TypeLib\Version = "1.0"  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Projectik.UserControl1\Clsid\ = "{C757DB35-06E6-42BB-B001-58EDAEF6CB51}"  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6FC6887-BD53-4480-B079-A1FECB7479B7}\TypeLib\ = "{801AD3BD-9B29-4727-B08C-3DFC75813298}"  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DABFC6E43B79B574DAD4176F87082691  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{737E18BB-1EB0-3C3E-8876-5236127A03DB}\InprocServer32\CodeBase = "C:\\Program Files (x86)\\Internet Explorer\\Internet Explorer\\fridde.dll"  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{737E18BB-1EB0-3C3E-8876-5236127A03DB}  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\kopedas.Installer1\CLSID  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADEFB9E-B824-45E6-86E2-2B7941F5D6A3}\InprocServer32\ThreadingModel = "Both"  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{801AD3BD-9B29-4727-B08C-3DFC75813298}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Explorer\\Internet Explorer\\cylx.ocx"  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6FC6887-BD53-4480-B079-A1FECB7479B7}\TypeLib  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{737E18BB-1EB0-3C3E-8876-5236127A03DB}\ = "kopedas.Installer1"  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADEFB9E-B824-45E6-86E2-2B7941F5D6A3}\ProgId  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5ADEFB9E-B824-45E6-86E2-2B7941F5D6A3}\InprocServer32  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADEFB9E-B824-45E6-86E2-2B7941F5D6A3}\InprocServer32\Class = "kopedas.fri"  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\TypeLib\ = "{801AD3BD-9B29-4727-B08C-3DFC75813298}"  (MsiExec.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5D252FC1428F74CADF447350BB7D12\Clients = 3a0000000000  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\TypeLib  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C757DB35-06E6-42BB-B001-58EDAEF6CB51}\ = "Projectik.UserControl1"  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kopedas.Installer1\ = "kopedas.Installer1"  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{737E18BB-1EB0-3C3E-8876-5236127A03DB}\InprocServer32\ = "mscoree.dll"  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{737E18BB-1EB0-3C3E-8876-5236127A03DB}\InprocServer32\RuntimeVersion = "v2.0.50727"  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADEFB9E-B824-45E6-86E2-2B7941F5D6A3}\InprocServer32\CodeBase = "C:\\Program Files (x86)\\Internet Explorer\\Internet Explorer\\fridde.dll"  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{737E18BB-1EB0-3C3E-8876-5236127A03DB}\InprocServer32\1.0.0.1\CodeBase = "C:\\Program Files (x86)\\Internet Explorer\\Internet Explorer\\fridde.dll"  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C757DB35-06E6-42BB-B001-58EDAEF6CB51}\InprocServer32  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C757DB35-06E6-42BB-B001-58EDAEF6CB51}\Control  (MsiExec.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Internet Explorer|Internet Explorer|fridde.dll\fridde,Version="1.0.0.1",Culture="neutral",ProcessorArchitecture="MSIL" = 27002600240074007600530045002d002e003f004e005e0075006900350033004400560073002d003e0036007b006e0039002c0074006c004900420052005e0066004900700059004000430041007300360000000000  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5D252FC1428F74CADF447350BB7D12\SourceList\Net  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\ = "UserControl1"  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\kopedas.fri\CLSID\ = "{5ADEFB9E-B824-45E6-86E2-2B7941F5D6A3}"  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{737E18BB-1EB0-3C3E-8876-5236127A03DB}\InprocServer32\1.0.0.1\Class = "kopedas.Installer1"  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{801AD3BD-9B29-4727-B08C-3DFC75813298}\1.0\HELPDIR  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F6FC6887-BD53-4480-B079-A1FECB7479B7}\TypeLib\Version = "1.0"  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C757DB35-06E6-42BB-B001-58EDAEF6CB51}\VERSION\ = "1.0"  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6FC6887-BD53-4480-B079-A1FECB7479B7}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{801AD3BD-9B29-4727-B08C-3DFC75813298}\1.0  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\TypeLib\ = "{801AD3BD-9B29-4727-B08C-3DFC75813298}"  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C757DB35-06E6-42BB-B001-58EDAEF6CB51}\MiscStatus  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\kopedas.fri  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\ = "__UserControl1"  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5D252FC1428F74CADF447350BB7D12\SourceList\Media  (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{801AD3BD-9B29-4727-B08C-3DFC75813298}\1.0\FLAGS  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C241AF96-ABCA-4AF3-A312-C5371486B6C2}\ProxyStubClsid32  (MsiExec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C757DB35-06E6-42BB-B001-58EDAEF6CB51}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\Internet Explorer\\cylx.ocx"  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6FC6887-BD53-4480-B079-A1FECB7479B7}\ProxyStubClsid  (MsiExec.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5ADEFB9E-B824-45E6-86E2-2B7941F5D6A3}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}  (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F6FC6887-BD53-4480-B079-A1FECB7479B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  (MsiExec.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
  PID 3716  msiexec.exe  (2 entries)
  PID 1016  Localizar.exe  (62 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
  Token: SeShutdownPrivilege  (PID 4148 msiexec.exe)
  Token: SeIncreaseQuotaPrivilege  (PID 4148 msiexec.exe)
  Token: SeSecurityPrivilege  (PID 3716 msiexec.exe)
  Token: SeCreateTokenPrivilege  (PID 4148 msiexec.exe)
  Token: SeAssignPrimaryTokenPrivilege  (PID 4148 msiexec.exe)
  Token: SeLockMemoryPrivilege  (PID 4148 msiexec.exe)
  Token: SeIncreaseQuotaPrivilege  (PID 4148 msiexec.exe)
  Token: SeMachineAccountPrivilege  (PID 4148 msiexec.exe)
  Token: SeTcbPrivilege  (PID 4148 msiexec.exe)
  Token: SeSecurityPrivilege  (PID 4148 msiexec.exe)
  Token: SeTakeOwnershipPrivilege  (PID 4148 msiexec.exe)
  Token: SeLoadDriverPrivilege  (PID 4148 msiexec.exe)
  Token: SeSystemProfilePrivilege  (PID 4148 msiexec.exe)
  Token: SeSystemtimePrivilege  (PID 4148 msiexec.exe)
  Token: SeProfSingleProcessPrivilege  (PID 4148 msiexec.exe)
  Token: SeIncBasePriorityPrivilege  (PID 4148 msiexec.exe)
  Token: SeCreatePagefilePrivilege  (PID 4148 msiexec.exe)
  Token: SeCreatePermanentPrivilege  (PID 4148 msiexec.exe)
  Token: SeBackupPrivilege  (PID 4148 msiexec.exe)
  Token: SeRestorePrivilege  (PID 4148 msiexec.exe)
  Token: SeShutdownPrivilege  (PID 4148 msiexec.exe)
  Token: SeDebugPrivilege  (PID 4148 msiexec.exe)
  Token: SeAuditPrivilege  (PID 4148 msiexec.exe)
  Token: SeSystemEnvironmentPrivilege  (PID 4148 msiexec.exe)
  Token: SeChangeNotifyPrivilege  (PID 4148 msiexec.exe)
  Token: SeRemoteShutdownPrivilege  (PID 4148 msiexec.exe)
  Token: SeUndockPrivilege  (PID 4148 msiexec.exe)
  Token: SeSyncAgentPrivilege  (PID 4148 msiexec.exe)
  Token: SeEnableDelegationPrivilege  (PID 4148 msiexec.exe)
  Token: SeManageVolumePrivilege  (PID 4148 msiexec.exe)
  Token: SeImpersonatePrivilege  (PID 4148 msiexec.exe)
  Token: SeCreateGlobalPrivilege  (PID 4148 msiexec.exe)
  Token: SeRestorePrivilege and Token: SeTakeOwnershipPrivilege, alternating, 16 times each  (PID 3716 msiexec.exe; 32 entries)
Suspicious use of SetWindowsHookEx 4 IoCs
  PID 1016  Localizar.exe
  PID 1928  Localizar.exe
  PID 1928  Localizar.exe
  PID 1016  Localizar.exe
Suspicious use of WriteProcessMemory 15 IoCs
  PID 2964 wrote to memory of 4148  (pid 2964, 616bf95fe0f8ef817bbfd88a4122b3c0N.exe, procid_target 85)  (3 entries)
  PID 3716 wrote to memory of 2244  (pid 3716, msiexec.exe, procid_target 90)  (3 entries)
  PID 3716 wrote to memory of 1580  (pid 3716, msiexec.exe, procid_target 91)  (3 entries)
  PID 2244 wrote to memory of 1016  (pid 2244, MsiExec.exe, procid_target 92)  (3 entries)
  PID 2244 wrote to memory of 1928  (pid 2244, MsiExec.exe, procid_target 93)  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\616bf95fe0f8ef817bbfd88a4122b3c0N.exe  (PID 2964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\616bf95fe0f8ef817bbfd88a4122b3c0N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe  (PID 4148)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\mooom.msi" /q
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe  (PID 3716)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe  (PID 2244)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A0D3BAB866E94D375339E086F3C5DD84
    - UAC bypass
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\Internet Explorer\Localizar.exe  (PID 1016)
      Command line: "C:\Program Files (x86)\Internet Explorer\Internet Explorer\Localizar.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Internet Explorer\Internet Explorer\Localizar.exe  (PID 1928)
      Command line: "C:\Program Files (x86)\Internet Explorer\Internet Explorer\Localizar.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\syswow64\MsiExec.exe  (PID 1580)
    Command line: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Internet Explorer\Internet Explorer\cylx.ocx"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Browser Extensions (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify Tools (1)
  Modify Registry (4)
Downloads
- Filesize: 12KB
  MD5: bb4190d1af092431198063431c8bb2dd
  SHA1: fd0db2e7af4762ff90f2aaa0817817fd0f264e6d
  SHA256: dd762ab6a32dc96dc670fd630c4f07e4b3a703a955136c31be5e68944cd23cc5
  SHA512: 6c91d72fd7f85ff3f1f7b47ec74fc1ed4bc3fcbd6227b560b984c04a7998ea0669eafa8f14fa2bcd074f067e9b09fca9ceaef4d89b35bfcc888d7f3cd8677904
- Filesize: 20KB
  MD5: 5e20672477949ca5d09a7469755ebefd
  SHA1: 6c8fd50ef41e7a2137fe7fe850b979fe51d37e0b
  SHA256: 8456d79f725956a647d91ac15bd07ff2f3fd59ce304a01e1a725e1539f1a4ff4
  SHA512: 0794562416b504e65c998f19b11820f1f01afef90949ec4dae3c73da0f357c94fb04097130cc1340ac3fd1b68f38fe8d477d129d71e70d439e8b221c1548b7a0
- Filesize: 32KB
  MD5: 1a2a7e92d75005ef141d2574e31325ea
  SHA1: e77a7f9fece1048fc2cdb264c20d345a4154ef5d
  SHA256: 8e8eb6b3ab2301131ff91d398061ee0ee272cad48b795a3fecfe9357481bd9c7
  SHA512: 0d770c59e56ca6610da9ff74007776ed48bf501a74006ad5e2984fadac563e3a483ba8c929183302df83c12f401a16834e950210abb3fa24c195ac279331ea0f
- Filesize: 20KB
  MD5: 9a8338d008a6fa61aed335bcd8e25a74
  SHA1: 9e85dcc46fa5e15f903239426b1b94789c6d7cd9
  SHA256: 35ddb720a070b9bf18119edf612ae0bfa18202cdab35b47e06f33a26613a9652
  SHA512: fc57ca3197ca4ce1d88d4c101a8adf8c4c03d82385bfe517417050c148e329d52c9423b4392d6d8b3bdd676b6bdbd5d485d03321223bdd2127a271c40b5d937b
- Filesize: 387KB
  MD5: b96b3f7337b054df810a95bd43caa383
  SHA1: 40ca4141189ca7983ad7461253df8906d6dcf5a1
  SHA256: 853ec3662878ad7b77c2f879edaab8296b8b2a4ecde252cc8a0d5d3e3f27276a
  SHA512: 9962fd3d3de4a12eec7b2818b58f3bda349f12fc2786c12da1e0ac06bcac67c354b85a12a224afb1df6aa032f097d9d498f58e80117b79ca3f5a51303027a2cf
- Filesize: 209KB
  MD5: f6a25d999d9d84f6675e1756da57f3f0
  SHA1: 1a33d32feb96730824996b59d5ba38446ae5d609
  SHA256: 21100a197e3674e9f68a5dd92ed14a15c1b86611bf7003021cb35beaacf23032
  SHA512: b2fa4013eecd0747e6f7575058140e95a0755030b58156c9c3246cddb62ff141342872b900ba01e4b2551a6f495f414410dc24ff32ed2e7109c21f038a9dbfa0
- Filesize: 63KB
  MD5: 67cf69315774a0d416a320a3c809bda7
  SHA1: 3fd19a4444f7c649c1714c4f1273be9d6ce6a7b7
  SHA256: 588dd2168b1f16b8af094282ccb9f59304d658d3f10d1f3a9c2f2d045e0d8f38
  SHA512: 546c0a559eaec6de1322ec992deb63eab6865931ce4584610e684c8aa6e3cfcfe0b542c507933ba847d00893eddf443a2fff5a05d112c88f0fdbd2f003afb00b