d1052a876bb6385292b5223ba5b3d766c46164506e61c507385e3485bde3fb21

Resubmissions

03/09/2024, 12:59

240903-p8fbhsxcll 5

03/09/2024, 12:57

240903-p7blyaxcjj 3

Analysis

max time kernel
148s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03/09/2024, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NoWayBack.exe
Size

2.9MB
MD5

659e5ad588ec5fdcfb1c5aa949fb484c
SHA1

4bbd9d83a63e5222c984b142f346e32866da5d1d
SHA256

d1052a876bb6385292b5223ba5b3d766c46164506e61c507385e3485bde3fb21
SHA512

b19e3cd27b15e7c908e709c18ed7f2a88f0e9d5d7d76e1118d860ff05d6c64c32a4dcfa8167899d2a074c818ec78c0699983c030abdaed2e946ab5498aa49aba
SSDEEP

6144:SO1n4wbXaX0+HTR6qaPSjWxcvr2LCQQVMjhy6I/7dsWw:Sm4GnuTR6R6v/hMNyV/Gx

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	SearchProtocolHost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	SearchIndexer.exe
File created	C:\Windows\cluttscape.exe	NoWayBack.exe
File opened for modification	C:\Windows\cluttscape.exe	NoWayBack.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e734c15101feda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.crw = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.mp4v = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.HTM\UserChoice\ProgId = "AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.adt\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.bmp = "1"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.mpv2 = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.dib = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.3g2 = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.wma = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.avi = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a09254d01feda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.jpeg = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.jpg = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice\Hash = "iWozBC/m3+U="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice\Hash = "p6wmDArPgV8="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.M2TS = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	4056	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4056	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 3192	4056	SearchIndexer.exe	79
PID 4056 wrote to memory of 3192	4056	SearchIndexer.exe	79
PID 4056 wrote to memory of 2488	4056	SearchIndexer.exe	80
PID 4056 wrote to memory of 2488	4056	SearchIndexer.exe	80

C:\Users\Admin\AppData\Local\Temp\NoWayBack.exe
"C:\Users\Admin\AppData\Local\Temp\NoWayBack.exe"
1⤵
- Drops file in Windows directory
PID:4212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2212

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3192
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
  2⤵
  - Modifies data under HKEY_USERS
  PID:2488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2488-49-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-73-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-79-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-82-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-83-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-43-0x000001AB84250000-0x000001AB84260000-memory.dmp

Filesize
64KB

Download
memory/2488-67-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-66-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-65-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-64-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-61-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-60-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-59-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-58-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-57-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-54-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-50-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-85-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-74-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-48-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-46-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-45-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-68-0x000001AB84250000-0x000001AB84260000-memory.dmp

Filesize
64KB

Download
memory/2488-72-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-69-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-51-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-75-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-76-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-86-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-84-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/2488-89-0x000001AB84270000-0x000001AB84280000-memory.dmp

Filesize
64KB

Download
memory/4056-36-0x0000024B7D670000-0x0000024B7D678000-memory.dmp

Filesize
32KB

Download
memory/4056-20-0x0000024B79110000-0x0000024B79120000-memory.dmp

Filesize
64KB

Download
memory/4056-4-0x0000024B79010000-0x0000024B79020000-memory.dmp

Filesize
64KB

Download
memory/4212-1-0x00000286903F0000-0x00000286906DA000-memory.dmp

Filesize
2.9MB

Download
memory/4212-0-0x00007FFE454A3000-0x00007FFE454A4000-memory.dmp

Filesize
4KB

Download