5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4f

Analysis

max time kernel
90s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe
Size

1.4MB
MD5

e42de366e13ae419a023036d59d8d840
SHA1

f0d6a98a169e48934b2057c26987729ced0027dc
SHA256

5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4f
SHA512

851465f82084f62dde57dbf404aa3003d9943c7b8b5063b04e72802b2cbe9d244c487c50105950d307999c6b93d38750c06cc95cc6c9fee4af87d97e4a43befa
SSDEEP

24576:CBUTLTZsWkBChsDTesmoFbMWkzEvqdBahBHxPjX+//JNnAfZHMr2pePWkyw0vYeE:0kn3aTePod5kzEMahBRCHJNnws2Qr0wx

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2216	4204_adknowledgept.exe
2372	alotservice.exe
2480	4204_adknowledgept_ff.exe

Loads dropped DLL 8 IoCs

pid	Process
2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe
2216	4204_adknowledgept.exe
2216	4204_adknowledgept.exe
2216	4204_adknowledgept.exe
2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe
2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe
2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe
2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}	4204_adknowledgept.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}\ = "ALOT Appbar Helper"	4204_adknowledgept.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}\NoExplorer = "1"	4204_adknowledgept.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll	4204_adknowledgept.exe
File opened for modification	C:\Program Files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll	4204_adknowledgept.exe
File created	C:\Program Files (x86)\alotappbar\alotUninst.exe	4204_adknowledgept.exe
File created	C:\Program Files (x86)\alotappbar\bin\ALOTSettings.exe	4204_adknowledgept.exe
File created	C:\Program Files (x86)\alotappbar\bin\alotappbar.dll	4204_adknowledgept.exe
File created	C:\Program Files (x86)\alotappbar\bin\alotwidgets.exe	4204_adknowledgept.exe
File created	C:\Program Files (x86)\alotappbar\bin\alothelper.dll	4204_adknowledgept.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4204_adknowledgept.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alotservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4204_adknowledgept_ff.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000186dd-193.dat	nsis_installer_1
behavioral1/files/0x00060000000186dd-193.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A531D99C-5A22-449b-83DA-872725C6D0ED} = "ALOT Appbar"	4204_adknowledgept.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C42103E4-7D10-4cc9-B2B4-C546BCCF8706}\AppName = "alotsettings.exe"	4204_adknowledgept.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{343263AB-D732-4066-A274-4A487A07F108}\AppName = "alotwidgets.exe"	4204_adknowledgept.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{343263AB-D732-4066-A274-4A487A07F108}\AppPath = "C:\\Program Files (x86)\\alotappbar\\bin"	4204_adknowledgept.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C42103E4-7D10-4cc9-B2B4-C546BCCF8706}	4204_adknowledgept.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C42103E4-7D10-4cc9-B2B4-C546BCCF8706}\Policy = "3"	4204_adknowledgept.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	4204_adknowledgept.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	4204_adknowledgept.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{A531D99C-5A22-449b-83DA-872725C6D0ED} = 00	4204_adknowledgept.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2} = 00	4204_adknowledgept.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C42103E4-7D10-4cc9-B2B4-C546BCCF8706}\AppPath = "C:\\Program Files (x86)\\alotappbar\\bin"	4204_adknowledgept.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{343263AB-D732-4066-A274-4A487A07F108}	4204_adknowledgept.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{343263AB-D732-4066-A274-4A487A07F108}\Policy = "3"	4204_adknowledgept.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A531D99C-5A22-449b-83DA-872725C6D0ED}\InprocServer32\ThreadingModel = "Apartment"	4204_adknowledgept.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}\InprocServer32	4204_adknowledgept.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}\InprocServer32\ = "C:\\Program Files (x86)\\alotappbar\\bin\\BHO\\ALOTHelperBHO.dll"	4204_adknowledgept.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A531D99C-5A22-449b-83DA-872725C6D0ED}	4204_adknowledgept.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A531D99C-5A22-449b-83DA-872725C6D0ED}\InprocServer32	4204_adknowledgept.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}	4204_adknowledgept.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}\ = "ALOT Appbar Helper"	4204_adknowledgept.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}\InprocServer32\ThreadingModel = "Apartment"	4204_adknowledgept.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A531D99C-5A22-449b-83DA-872725C6D0ED}\ = "ALOT Appbar"	4204_adknowledgept.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A531D99C-5A22-449b-83DA-872725C6D0ED}\InprocServer32\ = "C:\\Program Files (x86)\\alotappbar\\bin\\ALOTHelper.dll"	4204_adknowledgept.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2216	4204_adknowledgept.exe
2216	4204_adknowledgept.exe
2216	4204_adknowledgept.exe
2216	4204_adknowledgept.exe
2216	4204_adknowledgept.exe
2216	4204_adknowledgept.exe
2216	4204_adknowledgept.exe
2216	4204_adknowledgept.exe
2372	alotservice.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2216	2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe	30
PID 2748 wrote to memory of 2216	2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe	30
PID 2748 wrote to memory of 2216	2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe	30
PID 2748 wrote to memory of 2216	2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe	30
PID 2748 wrote to memory of 2480	2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe	32
PID 2748 wrote to memory of 2480	2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe	32
PID 2748 wrote to memory of 2480	2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe	32
PID 2748 wrote to memory of 2480	2748	5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe	32

C:\Users\Admin\AppData\Local\Temp\5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe
"C:\Users\Admin\AppData\Local\Temp\5ce368d2918d0b47e6c655272e6ce606d45055a47af1d46fdb9eb5f34d1e0d4fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\4204_adknowledgept.exe
  C:\Users\Admin\AppData\Local\Temp\4204_adknowledgept.exe /S /NOLAUNCH
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Users\Admin\AppData\Local\Temp\4204_adknowledgept_ff.exe
  C:\Users\Admin\AppData\Local\Temp\4204_adknowledgept_ff.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2480

C:\Users\Admin\AppData\LocalLow\alotservice\alotservice.exe
C:\Users\Admin\AppData\LocalLow\alotservice\alotservice.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\alotappbar\toolbar.xml

Filesize
45KB

MD5
27463ddae5418d028d0e4b67693b61d1

SHA1
4e4b93661abc10d954fcf80f5a47884d34debbdd

SHA256
a7c112b4c4267219f6d1e03d557234554e0d5aaa251e76eae6925fbf86cb950a

SHA512
42571060c18621cdea267e88796d637f3baef114f316422ead3cac2cf7219064aa2dbe437a388e786295b432197a8c32d8937192e5da7bd8a4c0e12ef02e0840

Download Submit
C:\Users\Admin\AppData\LocalLow\alotservice\alotservice.exe

Filesize
196KB

MD5
3d90c2c37ead8f51f7a4ecb5cbb24fce

SHA1
ddddab02f62282f3d2d49c6ee638da2df774839b

SHA256
c178d65e4f91afaccb7d8ead7288215e7a887c189c82e3a4df27d6930b648c54

SHA512
d5e6a0f05c820a62cceac49c96f56e9089c335c02de3f14227b1494fc0bfade8881a25d1d462611121cc1249fc78f8c99d5810f814c82f8df843f7a4fd2387a6

Download Submit
C:\Users\Admin\AppData\LocalLow\alotservice\service.xml

Filesize
437B

MD5
0916d1e4b861dd72d335155732128aac

SHA1
2bf0ca3d41f2313de5b5043647bfa23dbca6f2ee

SHA256
6cfc87740824696363710232ab64484e043849f10057b143865ffc9a911dcc78

SHA512
4e2d406432663db4b30bc61199f8174bbe43f2d0c8287a2da9ffd6e068e56c1e33ca00b498e8a20f957537339ea9e000154532b062f122c0e81e3275238b4400

Download Submit
C:\Users\Admin\AppData\LocalLow\alotservice\service.xml.backup

Filesize
332B

MD5
75cecfa33e6e03cb00b12cc52d48fb81

SHA1
e439eb23facd80ee769bc151819eb3b1576c438d

SHA256
9e7c8ed36f6bc384bb17fd22d374a89f0a5bca8e1cd39c74139b4d8c550da1e6

SHA512
0e4611c334e36f93895669b2a309defe89fe9ea2bea823122c053fa93dd2c6424c019061ab91afe8c4dca850914a382e254c266ef4ec03d1bfdd3be2eeb6b842

Download Submit
C:\Users\Admin\AppData\Local\Temp\4204_adknowledgept.exe

Filesize
1.1MB

MD5
365a16d067623e31b20bed5165649473

SHA1
3034fa4971efed7e56df54df482b70e7b555537c

SHA256
e222a717b3c76ec83f55f88d1113f4abc6be660e809db00889d2aff404798eef

SHA512
412137ca836d52ef53b7e1facd982c86f3d407ed3035c96045df99788c46a170dafe5f5b54dc3ed2751137a12451ee55d72f4ec972096c29bdae06bf2789c5f9

Download Submit
\Users\Admin\AppData\Local\Temp\4204_adknowledgept_ff.exe

Filesize
341KB

MD5
2fb1893b73994524974efa64a6d1a5d2

SHA1
a997c892e71502df0ac4db6a2cecfb56dd30fab1

SHA256
e820e75366e369a30b777595721e610af2985485453774c9764ab8dbc5cfb455

SHA512
13c26267837942745cb0bea5e49d9090a1dcf9514f49129222340169daa6e14d759b2034ff77e1b9f914c6589590fe414ae415abf3d668371b89517fae906459

Download Submit
\Users\Admin\AppData\Local\Temp\nst820D.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst820D.tmp\inetc.dll

Filesize
20KB

MD5
e541458cfe66ef95ffbea40eaaa07289

SHA1
caec1233f841ee72004231a3027b13cdeb13274c

SHA256
3bce87b66d9272c82421920c34b0216e12c57a437d1955c36f23c74c1a01d420

SHA512
0bf6313e4cb7bbdcfba828fb791540b630adc58c43aa4b5ba77790367d0f34f76077cd84cc62e2a2c98c788a88547f32a11e549873d172c5aa2753124847cd0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsz7C63.tmp\System.dll

Filesize
11KB

MD5
b9f430f71c7144d8ff4ab94be2785aa6

SHA1
c5c1e153caff7ad1d221a9acc8bbb831f05ccb05

SHA256
b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655

SHA512
c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099

Download Submit
\Users\Admin\AppData\Local\Temp\nsz7C63.tmp\installhelper.dll

Filesize
254KB

MD5
4cf4f52c1bec27e7b0f98acb291ab8e9

SHA1
73b9e7e43bd79212af54c9ade8e8a813c40e6bf9

SHA256
1df98f32dcea672ee2287c6b5cf5810ede6a90b1e3c9348ee36198a062711d9b

SHA512
daee3a6afca82a6029e9e540e6ded992b0a1ca2903c84d1991768d447abce9c74adcb4df2f76c5d586ccc9d489a359352d362717164784dc8ba9b6b2e4e14f9c

Download Submit
memory/2372-168-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download