8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6d

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Size

776KB
MD5

8266de60dee21cf8fdd9995c66da4d00
SHA1

bdd1c5c6b8e508dffaf0ee6ff43f7a33c79edea8
SHA256

8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6d
SHA512

53d91cd9ec7da2aed1c39a39fcb47d4e3750c2e0c0a427d70a6f6d4e6fb4091bae21423a0a86a8c827d116b6180f2f37e9c46fe314660118be760986a3fe8935
SSDEEP

12288:C5Tn5QBJTU+o8PQe2J4qPtzbAW/rZZyo292fI8hHP0HFd7GOmDks:ClyDTUaQf4qzbNDyo294rHPy7GO9s

Score

7^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023c85-61.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2124	enumerate_gtu.exe
4952	enumst.exe

Loads dropped DLL 17 IoCs

pid	Process
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Enumerate_gt = "\"C:\\Program Files (x86)\\enumerate\\gt\\enumerate_gtu.exe\" subcmd"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\ = "Enumerate Top Search - GT"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\NoExplorer = "1"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4572-55-0x0000000002460000-0x0000000002472000-memory.dmp	upx
behavioral2/memory/4572-57-0x0000000002460000-0x0000000002472000-memory.dmp	upx
behavioral2/files/0x0007000000023c85-61.dat	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\enumerate\gt\uninstall.exe	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
File created	C:\Program Files (x86)\enumerate\gt\enumerate_gt.dll	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
File created	C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
File created	C:\Program Files (x86)\enumerate\gt\enumst.exe	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4024	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	enumerate_gtu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	enumst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}\AppName = "enumerate_gtu.exe"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}\AppPath = "C:\\Program Files (x86)\\enumerate\\gt\\"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}\Policy = "3"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BD40DBED-D944-4F69-80AE-97D12B265831}\ = "enumerate_gt_fileone"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_fileone.enumerate_gt_fil.1\CLSID	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\ = "Enumerate Top Search - GT"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\ProgID	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\Programmable	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51C15B02-C027-49E8-B37C-F6477F6E142C}	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BD40DBED-D944-4F69-80AE-97D12B265831}	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\enumerate_gt_fileone.DLL	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_fileone.enumerate_gt_fil.1\ = "enumerate_gt_fileoneSO Class"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_fileone.enumerate_gt_fileo\CurVer\ = "enumerate_gt_fileone.enumerate_gt_fil.1"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\InprocServer32	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51C15B02-C027-49E8-B37C-F6477F6E142C}\1.0	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\ = "Ienumerate_gt_fileoneSO"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\InprocServer32\ThreadingModel = "Apartment"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51C15B02-C027-49E8-B37C-F6477F6E142C}\1.0\ = "enumerate_gt_fileone 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\ = "Ienumerate_gt_fileoneSO"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\TypeLib\Version = "1.0"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_fileone.enumerate_gt_fileo\CLSID	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_fileone.enumerate_gt_fileo\CLSID\ = "{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\VersionIndependentProgID	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51C15B02-C027-49E8-B37C-F6477F6E142C}\1.0\FLAGS	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\TypeLib\Version = "1.0"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\ProxyStubClsid32	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_fileone.enumerate_gt_fil.1	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_fileone.enumerate_gt_fil.1\CLSID\ = "{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_fileone.enumerate_gt_fileo	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_fileone.enumerate_gt_fileo\ = "enumerate_gt_fileoneSO Class"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\InprocServer32\ = "C:\\Program Files (x86)\\enumerate\\gt\\enumerate_gt.dll"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51C15B02-C027-49E8-B37C-F6477F6E142C}\1.0\HELPDIR\	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\TypeLib	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\AppID = "{BD40DBED-D944-4F69-80AE-97D12B265831}"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\TypeLib	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\VersionIndependentProgID\ = "enumerate_gt_fileone.enumerate_gt_fileo"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\TypeLib	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\TypeLib\ = "{51C15B02-C027-49E8-B37C-F6477F6E142C}"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51C15B02-C027-49E8-B37C-F6477F6E142C}\1.0\0	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51C15B02-C027-49E8-B37C-F6477F6E142C}\1.0\0\win32	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51C15B02-C027-49E8-B37C-F6477F6E142C}\1.0\0\win32\ = "C:\\Program Files (x86)\\enumerate\\gt\\enumerate_gt.dll"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\TypeLib\ = "{51C15B02-C027-49E8-B37C-F6477F6E142C}"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\TypeLib\ = "{51C15B02-C027-49E8-B37C-F6477F6E142C}"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\enumerate_gt_fileone.DLL\AppID = "{BD40DBED-D944-4F69-80AE-97D12B265831}"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_fileone.enumerate_gt_fileo\CurVer	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB8E1EEB-EBFD-4E80-8B01-555558E0CC20}\ProgID\ = "enumerate_gt_fileone.enumerate_gt_fil.1"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51C15B02-C027-49E8-B37C-F6477F6E142C}\1.0\FLAGS\ = "0"	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51C15B02-C027-49E8-B37C-F6477F6E142C}\1.0\HELPDIR	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E46ACB7-67F5-42BB-AECB-67203D5BAC69}\ProxyStubClsid32	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
4952	enumst.exe
4952	enumst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2124	enumerate_gtu.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2124	enumerate_gtu.exe
2124	enumerate_gtu.exe
4952	enumst.exe
4952	enumst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 1824	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	99
PID 4572 wrote to memory of 1824	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	99
PID 4572 wrote to memory of 1824	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	99
PID 1824 wrote to memory of 2260	1824	cmd.exe	101
PID 1824 wrote to memory of 2260	1824	cmd.exe	101
PID 1824 wrote to memory of 2260	1824	cmd.exe	101
PID 4572 wrote to memory of 2124	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	102
PID 4572 wrote to memory of 2124	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	102
PID 4572 wrote to memory of 2124	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	102
PID 4572 wrote to memory of 4952	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	103
PID 4572 wrote to memory of 4952	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	103
PID 4572 wrote to memory of 4952	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	103
PID 4952 wrote to memory of 4024	4952	enumst.exe	105
PID 4952 wrote to memory of 4024	4952	enumst.exe	105
PID 4952 wrote to memory of 4024	4952	enumst.exe	105
PID 4572 wrote to memory of 1372	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	107
PID 4572 wrote to memory of 1372	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	107
PID 4572 wrote to memory of 1372	4572	8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe	107

C:\Users\Admin\AppData\Local\Temp\8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe
"C:\Users\Admin\AppData\Local\Temp\8554134af5bff5ce0ded7b59df4ba8fdd5817bdea0cfc4885b9e512b1c503c6dN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\SysWOW64\cmd.exe
  cmd /C schtasks /Create /F /TN "enumerategt" /SC ONLOGON /TR "'C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe' schcmd" /rL HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /F /TN "enumerategt" /SC ONLOGON /TR "'C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe' schcmd" /rL HIGHEST
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2260
- C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe
  "C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe" Updatecmd
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2124
- C:\Program Files (x86)\enumerate\gt\enumst.exe
  "C:\Program Files (x86)\enumerate\gt\enumst.exe" Updatecmd
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\sc.exe
    sc query npf
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c \DelUS.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
266B

MD5
2e472f065fa23d2bce27b06c9750e69b

SHA1
6b27f0e63189c9033e06a3a79e0b1b31f8a4579e

SHA256
822a99939b203fe246f1dead9f43ae2402347de836b84f6558468fb45981811a

SHA512
fa2b8f450cef97d5fc2f90576b24d728491cb9b2a808ef0159af5a8333ec0496cecf4f4997030c3e4d3d9a88b89fd35d985e3bbf5e85900233b7d8c6e23613ae

Download Submit
C:\Program Files (x86)\enumerate\gt\enumerate_gt.dll

Filesize
212KB

MD5
f6118553c91b465310c9bb4518df7dc2

SHA1
8ca6eb680435d6d295e3aa3d448b6e5f98619650

SHA256
a12457b93fde731d24eae3361ab9ff9a1b13fdb5d81d08df4af4bcd88823d3c1

SHA512
7f3d40aebe63484ba9a8d641967adf8e5fd54d4ec8bf0c8ef3ad0626a8d15ca13960a0842dfc4e38f4100f26a6cb2636ee9f760289c8818a41bb7c430e3aa5e5

Download Submit
C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe

Filesize
952KB

MD5
90bcb9a27ee951a4c14aebfc9e1705e5

SHA1
3813d0878b2df1fe54050ea2280252df5bc15969

SHA256
ec70c5810a29a6e4039f47d969896a64cbf926682cfa8b7c5da080918575f0a5

SHA512
2676fea3be40fedd3aaa67db585f867ada3ff111eb892652d83dfea0404fb0107e3388b651d09ef4cec3c899699e8009ab44a88b4abd33a273728642177f8bce

Download Submit
C:\Program Files (x86)\enumerate\gt\enumst.exe

Filesize
1.2MB

MD5
5d9dcfde4bf008764a64951b4b6b8d4d

SHA1
3880a422e0ee1b62038e01b3147108a3c4fa13f6

SHA256
3a4daee62a78f3fd0a6ce92037071ea49680d682ca5c3fb353686bd4f962126f

SHA512
902408c56aba96743839aa7bda79cce48b5710fa190454a0edfb5f8b528fdab02151b60223c129d9fbbeba619b88889f3053ed4e7e518e3d5367668af6043dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF7C0.tmp\DLLWebCount.dll

Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF7C0.tmp\IEKill.dll

Filesize
28KB

MD5
090f0ab18996feae6c0a62d83b2149c6

SHA1
5292898561ad88630088ae22fb877dfc7146ee77

SHA256
914536dd97645de7789666da5dc03d02f4fbe0593214678e6e1982a02a8a1c4d

SHA512
2fccda2cb95583fdb184b7edaa7ae088ca484e06d020159bf9776e36b660c6672812b7e821b111fa52d63ad5e2ce70602dc117edc2eba3c46029653c5ef5ffc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF7C0.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF7C0.tmp\SelfDelete.dll

Filesize
24KB

MD5
ddc0d6806073a5b034104c88288ca762

SHA1
9663cc10c496f05d6167e19c3920245040e5e431

SHA256
2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b

SHA512
545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF7C0.tmp\UnProtectMode.dll

Filesize
200KB

MD5
d37323d733078a8da425ad71a51d1462

SHA1
7061f1f388c6fa0159d614ded01251da4e4b7e4b

SHA256
e1a0b1168a87ac0d140b3a394efda23148a8907093898e0a2549079009d318e3

SHA512
f7e0780aa18785c1402d7233b67fabb61cefa8568e71cd4ca37405eafc7a340053836b16fdebc2ce351b7ddeac28d17a43091904ba443269cac1e7e4f46bd929

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF7C0.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF7C0.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
memory/4572-66-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4572-67-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4572-57-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4572-55-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download