a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe
Size

532KB
MD5

3c00accded5db6b17070663be4e2725a
SHA1

680d4a496abab8e1a4c61ea0e488dffab1db1416
SHA256

a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01
SHA512

154317933533fc93d9e50c9a2f23682a90b9014dd317f34a5b026e9abafc3561ead619f5642ec1c3a50a7640020623d2cf57b360e9ae1f8e1d2f6d4b63bf7abb
SSDEEP

12288:gCmLpJTyNXSYoGkZCOLpn45/MQ51dqhkKq:gCmtJTyN0pCOtn45/jzQhk9

Score

7^/10

adware bootkit discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00050000000195b3-59.dat	acprotect

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\»®´ÊËÑË÷.lnk	setup.exe

Executes dropped EXE 5 IoCs

pid	Process
2788	setup.exe
2060	setup_s86.exe
2956	setup_s86.exe
2772	setup_01cncw01.exe
1556	Search.exe

Loads dropped DLL 37 IoCs

pid	Process
2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe
2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe
2060	setup_s86.exe
2060	setup_s86.exe
2060	setup_s86.exe
2060	setup_s86.exe
2788	setup.exe
2788	setup.exe
2788	setup.exe
2060	setup_s86.exe
2956	setup_s86.exe
2956	setup_s86.exe
2956	setup_s86.exe
2772	setup_01cncw01.exe
2772	setup_01cncw01.exe
2772	setup_01cncw01.exe
2956	setup_s86.exe
2956	setup_s86.exe
1448	regsvr32.exe
1208	rundll32.exe
1208	rundll32.exe
1208	rundll32.exe
2964	rundll32.exe
1208	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
2788	setup.exe
2788	setup.exe
2788	setup.exe
2788	setup.exe
1556	Search.exe
1556	Search.exe
1556	Search.exe
1556	Search.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\ = "MMSAssist"	setup_s86.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	setup.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	Search.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000170f8-36.dat	upx
behavioral1/memory/2772-50-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x00050000000195b3-59.dat	upx
behavioral1/memory/2956-62-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral1/memory/2956-120-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral1/memory/1208-132-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral1/memory/2964-133-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral1/memory/2772-138-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wsearch\allverx.dat.tmp	setup.exe
File created	C:\Program Files (x86)\wsearch\setup.tmp	setup.exe
File created	C:\Program Files (x86)\wsearch\Mouse1.dll.zgx.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\Mouse1.dll.zgx	setup.exe
File created	C:\Program Files (x86)\wsearch\mupdate.exe	setup.exe
File created	C:\Program Files (x86)\wsearch\sysupdate.ini.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\sysupdate.ini	setup.exe
File created	C:\Program Files (x86)\wsearch\mUninstall.exe	setup.exe
File created	C:\Program Files (x86)\wsearch\Mouse1.dll.zgx	setup.exe
File created	C:\Program Files (x86)\wsearch\Search.exe.tmp	setup.exe
File created	C:\Program Files (x86)\wsearch\Search.exe	setup.exe
File created	C:\Program Files (x86)\wsearch\SearchM.dll.zgx.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\SearchM.dll.zgx	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\mUninstall.exe	setup.exe
File created	C:\Program Files (x86)\MMSAssist\mms.ini	setup_s86.exe
File opened for modification	C:\Program Files (x86)\wsearch\SearchM.dll	setup.exe
File created	C:\Program Files (x86)\wsearch\SearchM.dll.zgx	setup.exe
File created	C:\Program Files (x86)\wsearch\sysupdate.ini	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\allverx.dat	setup.exe
File created	C:\Program Files (x86)\wsearch\_uninstall	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\Search.exe	setup.exe
File created	C:\Program Files (x86)\wsearch\allverx.dat	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\Mouse1.dll	setup.exe
File created	C:\Program Files (x86)\wsearch\mupdate.exe.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\sysadInfo.ini	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\mupdate.exe	setup.exe
File created	C:\Program Files (x86)\MMSAssist\MMSAssist.dll	setup_s86.exe
File created	C:\Program Files (x86)\wsearch\mUninstall.exe.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\sysadInfo.ini	Search.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_01cncw01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_s86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_s86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Search.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\MenuText = "MMSAssist¹¤¾ßÌõÉèÖÃ"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\MenuStatusBar = "´ò¿ªMMSAssist¹¤¾ßÌõÉèÖÃ½çÃæ"	setup_s86.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\ >> ²ÊÐÅ·¢ËÍ <<	setup_s86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MenuExt\ >> ²ÊÐÅ·¢ËÍ <<\ = "res://C:\\Program Files (x86)\\MMSAssist\\MMSAssist.dll/mms.htm"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\ClsidExtension = "{6671A432-5C3D-463d-A7CF-5587F9B7E191}"	setup_s86.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74289A7A-E652-4A57-A6B9-EE64AD532A8D}\TypeLib\ = "{077525AC-C681-4139-8C3E-B582BDD375C7}"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist\ = "MMSAssist BHO"	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Search\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{077525AC-C681-4139-8C3E-B582BDD375C7}\1.0\0\win32	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\VersionIndependentProgID	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463D-A7CF-5587F9B7E191}\InprocServer32\ThreadingModel = "Apartment"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\TypeLib\Version = "1.0"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist.1	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu\CurVer\ = "MMSBho.MMSAssist.1"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\VersionIndependentProgID\ = "MMSBho.MMSAssistMenu"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\ProxyStubClsid32	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A7A-E652-4A57-A6B9-EE64AD532A8D}\TypeLib\ = "{077525AC-C681-4139-8C3E-B582BDD375C7}"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu.1\ = "MMSAssistMenu"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\ = "MMSAssistMenu"	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\Programmable	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\ = "IMMSAssist"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A7A-E652-4A57-A6B9-EE64AD532A8D}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\TypeLib\ = "{077525AC-C681-4139-8C3E-B582BDD375C7}"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\TypeLib	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\ = "Search Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{077525AC-C681-4139-8C3E-B582BDD375C7}\1.0\0	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist.1\CLSID\ = "{6671A431-5C3D-463d-A7CF-5587F9B7E191}"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\TypeLib	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\TypeLib	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\Programmable	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\TypeLib\ = "{077525AC-C681-4139-8C3E-B582BDD375C7}"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74289A7A-E652-4A57-A6B9-EE64AD532A8D}\ProxyStubClsid32	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu\CLSID\ = "{6671A432-5C3D-463d-A7CF-5587F9B7E191}"	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{077525AC-C681-4139-8C3E-B582BDD375C7}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32\ = "C:\\Program Files (x86)\\MMSAssist\\MMSAssist.dll"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Search.1\ = "Search Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist\CLSID\ = "{6671A431-5C3D-463d-A7CF-5587F9B7E191}"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463D-A7CF-5587F9B7E191}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\ = "SearchM 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\0\win32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\ProgID	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{077525AC-C681-4139-8C3E-B582BDD375C7}\1.0\0\win32\ = "C:\\PROGRA~2\\MMSASS~1\\MMSASS~1.DLL"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\TypeLib	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463D-A7CF-5587F9B7E191}\InprocServer32\ = "C:\\Program Files (x86)\\MMSAssist\\MMSAssist.dll"	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\TypeLib	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\ = "IMMSAssist"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32\ThreadingModel = "Apartment"	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A7A-E652-4A57-A6B9-EE64AD532A8D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu.1\CLSID	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\ProgID\ = "SearchM.Search.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463D-A7CF-5587F9B7E191}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist.1\ = "MMSAssist BHO"	setup_s86.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2788	setup.exe
Token: SeBackupPrivilege	2788	setup.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2788	setup.exe
1556	Search.exe
1556	Search.exe
1556	Search.exe
1556	Search.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2788	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	30
PID 2872 wrote to memory of 2788	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	30
PID 2872 wrote to memory of 2788	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	30
PID 2872 wrote to memory of 2788	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	30
PID 2872 wrote to memory of 2788	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	30
PID 2872 wrote to memory of 2788	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	30
PID 2872 wrote to memory of 2788	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	30
PID 2872 wrote to memory of 2060	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	31
PID 2872 wrote to memory of 2060	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	31
PID 2872 wrote to memory of 2060	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	31
PID 2872 wrote to memory of 2060	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	31
PID 2872 wrote to memory of 2060	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	31
PID 2872 wrote to memory of 2060	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	31
PID 2872 wrote to memory of 2060	2872	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	31
PID 2060 wrote to memory of 2956	2060	setup_s86.exe	32
PID 2060 wrote to memory of 2956	2060	setup_s86.exe	32
PID 2060 wrote to memory of 2956	2060	setup_s86.exe	32
PID 2060 wrote to memory of 2956	2060	setup_s86.exe	32
PID 2060 wrote to memory of 2956	2060	setup_s86.exe	32
PID 2060 wrote to memory of 2956	2060	setup_s86.exe	32
PID 2060 wrote to memory of 2956	2060	setup_s86.exe	32
PID 2060 wrote to memory of 2772	2060	setup_s86.exe	33
PID 2060 wrote to memory of 2772	2060	setup_s86.exe	33
PID 2060 wrote to memory of 2772	2060	setup_s86.exe	33
PID 2060 wrote to memory of 2772	2060	setup_s86.exe	33
PID 2060 wrote to memory of 2772	2060	setup_s86.exe	33
PID 2060 wrote to memory of 2772	2060	setup_s86.exe	33
PID 2060 wrote to memory of 2772	2060	setup_s86.exe	33
PID 2772 wrote to memory of 2704	2772	setup_01cncw01.exe	34
PID 2772 wrote to memory of 2704	2772	setup_01cncw01.exe	34
PID 2772 wrote to memory of 2704	2772	setup_01cncw01.exe	34
PID 2772 wrote to memory of 2704	2772	setup_01cncw01.exe	34
PID 2772 wrote to memory of 2704	2772	setup_01cncw01.exe	34
PID 2772 wrote to memory of 2704	2772	setup_01cncw01.exe	34
PID 2772 wrote to memory of 2704	2772	setup_01cncw01.exe	34
PID 2788 wrote to memory of 1448	2788	setup.exe	35
PID 2788 wrote to memory of 1448	2788	setup.exe	35
PID 2788 wrote to memory of 1448	2788	setup.exe	35
PID 2788 wrote to memory of 1448	2788	setup.exe	35
PID 2788 wrote to memory of 1448	2788	setup.exe	35
PID 2788 wrote to memory of 1448	2788	setup.exe	35
PID 2788 wrote to memory of 1448	2788	setup.exe	35
PID 2956 wrote to memory of 2964	2956	setup_s86.exe	36
PID 2956 wrote to memory of 2964	2956	setup_s86.exe	36
PID 2956 wrote to memory of 2964	2956	setup_s86.exe	36
PID 2956 wrote to memory of 2964	2956	setup_s86.exe	36
PID 2956 wrote to memory of 2964	2956	setup_s86.exe	36
PID 2956 wrote to memory of 2964	2956	setup_s86.exe	36
PID 2956 wrote to memory of 2964	2956	setup_s86.exe	36
PID 2956 wrote to memory of 1208	2956	setup_s86.exe	37
PID 2956 wrote to memory of 1208	2956	setup_s86.exe	37
PID 2956 wrote to memory of 1208	2956	setup_s86.exe	37
PID 2956 wrote to memory of 1208	2956	setup_s86.exe	37
PID 2956 wrote to memory of 1208	2956	setup_s86.exe	37
PID 2956 wrote to memory of 1208	2956	setup_s86.exe	37
PID 2956 wrote to memory of 1208	2956	setup_s86.exe	37
PID 2788 wrote to memory of 1556	2788	setup.exe	38
PID 2788 wrote to memory of 1556	2788	setup.exe	38
PID 2788 wrote to memory of 1556	2788	setup.exe	38
PID 2788 wrote to memory of 1556	2788	setup.exe	38
PID 2788 wrote to memory of 1556	2788	setup.exe	38
PID 2788 wrote to memory of 1556	2788	setup.exe	38
PID 2788 wrote to memory of 1556	2788	setup.exe	38

C:\Users\Admin\AppData\Local\Temp\a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe
"C:\Users\Admin\AppData\Local\Temp\a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\5c4f49e3-42df-4a92-a98c-be051469f08b\setup.exe
  C:\Users\Admin\AppData\Local\Temp\5c4f49e3-42df-4a92-a98c-be051469f08b\setup.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Program Files (x86)\wsearch\searchm.dll" -s
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1448
- - C:\Program Files (x86)\wsearch\Search.exe
    "C:\Program Files (x86)\wsearch\Search.exe" us
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1556
- C:\Users\Admin\AppData\Local\Temp\5c4f49e3-42df-4a92-a98c-be051469f08b\setup_s86.exe
  C:\Users\Admin\AppData\Local\Temp\5c4f49e3-42df-4a92-a98c-be051469f08b\setup_s86.exe /S /R0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\348e6168-5966-4535-9fa2-6734ab6d3967\setup_s86.exe
    C:\Users\Admin\AppData\Local\Temp\348e6168-5966-4535-9fa2-6734ab6d3967\setup_s86.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL,EasyFunc
      4⤵
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      PID:2964
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL,EasyFunc
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1208
- - C:\Users\Admin\AppData\Local\Temp\348e6168-5966-4535-9fa2-6734ab6d3967\setup_01cncw01.exe
    C:\Users\Admin\AppData\Local\Temp\348e6168-5966-4535-9fa2-6734ab6d3967\setup_01cncw01.exe /S /R0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s dtservice.dll /S /R0
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\MMSASS~1\mms.ini

Filesize
109B

MD5
6e30f8f2fe8d7db530e8a3ee56148f71

SHA1
bc1692fa78eba3eea4af73e04124a43aa60f48a0

SHA256
0c4bf097293013f20f2d8b79756c049ecd31b78e55079a3055490b7f9c1ae4c8

SHA512
5182f43107d5872d9438a13161e0e96d9d0e1df9f9c2ca6e15015e2b9f8b07011440abb69fdc1c7de421436414155f7ecbda2d0b42f35bb7bcc36dff8c54a4d5

Download Submit
C:\Program Files (x86)\wsearch\Mouse1.dll

Filesize
64KB

MD5
23dc474fa7d3f168893a0636ec39e8b3

SHA1
1d20d251dde02aaa1b34c8681f7a2f60b5af98cf

SHA256
b7063981dc266732e4cc464a07f2eca1e2b0aa5cb8d792199051bd7771a0661a

SHA512
75e43e5963b07da4550416593453557a789041f5a662071de59a49f0cffa8fae748b1ab02f464f24a8facdc078923834b0a4ee23309b6c7438a06ba2ffe47097

Download Submit
C:\Program Files (x86)\wsearch\searchm.dll

Filesize
40KB

MD5
e087ca7bd81e37c81f825eb6418ab004

SHA1
cb97cdf077624ac84c0c091b85f0af5a219217c0

SHA256
6c5170a251cc9276c0568ad07aad23524efa8362f2b7a58cc0b0b76c92c11858

SHA512
f36b074cdd541394f96d2d8ebee29baa83b5913973d6b742f79e78f869ee87a197e41f3a2639692733e9413466144590b9a5488a97918421b9b63ff9fcd50530

Download Submit
C:\Program Files (x86)\wsearch\sysadInfo.ini

Filesize
25B

MD5
598e9b90b57c0153e34c30332f044c9a

SHA1
775d3e64d21c5f4d1023bd05ffe638eadc7e1474

SHA256
c504fc16c030f1a80a770b912395c5dd2966a9b18149ae456096d60ba67e4b96

SHA512
48ae053006b3eba2f9bd995feae7f4d71301ab7eabeb4200f24c85722c74c8099ca5dbc8622314dc64b2c6f0905918a00984c91732e2fcfd9fc6ce9817fd2e36

Download Submit
C:\Program Files (x86)\wsearch\sysadInfo.ini

Filesize
47B

MD5
7d29a67301e7733e431f2dea9122e907

SHA1
b5a47348aed9d914199a46b0db051d10b87f3ed0

SHA256
c4a476630be920afc418e43debff3d51c13ecc334b63c19d4e4754eb5698cefb

SHA512
801b1468ecf55748e911147126afceec2982c32fb3dda9c35cc0224cbb20549a368c2063eaef165c176aae0a030b5c56ed5ab339a8a36d4de83e243d6f037fab

Download Submit
C:\Program Files (x86)\wsearch\sysupdate.ini

Filesize
63B

MD5
a3c6f56e44fd905ccddaa02484cf2864

SHA1
fff91ff19af16ba4c6e579a4d8e5612b609fed3a

SHA256
a7568b4423a2a024ad327016632c76c79a8d2df62119de90b67e8ade236816c9

SHA512
1060cbb7603c063fcd931d166382a85981abfbb85a926704c3092116ce55d58490e2754af3be2d5848469f5c2cd6e35728455fb0e9af8da26930a4209a1c5332

Download Submit
\Program Files (x86)\MMSAssist\MMSAssist.dll

Filesize
35KB

MD5
0b2766051d9fdaab37ed2f5aa5375deb

SHA1
0fa903c94e2880918bef4a618e0d7cdbb20b0401

SHA256
5134d0f86c6f1af64ec6b634711833e0f706066acc668a2e57d9fff493383da9

SHA512
3be65597b50e278938a92a771a41a2c8ae3c5de978fafcf8e34ec2267b5dbeff2769869f235ba7eb4a57381972439fa02c7aaae71721b194202aa65f48cf29cf

Download Submit
\Program Files (x86)\wsearch\Search.exe

Filesize
128KB

MD5
38f7505baa41babeb4b674582eed4bd3

SHA1
943d339092953b7655e2ab2db78c578b3fcc6ece

SHA256
ed17df692787452404530ca05e5a33a215272ff95dfe3fc34162d7dd44fe6dd2

SHA512
9e1ea332a101106fa6cd6a730d00affc263e418f41a2b111a4212f363bd3dcc6a716e355ab7a79bc9ea16bc3f96beaad9062edcf3259368dd3669327be3b2a73

Download Submit
\Users\Admin\AppData\Local\Temp\348e6168-5966-4535-9fa2-6734ab6d3967\Setup_s86.exe

Filesize
62KB

MD5
2944145db28891a98dbe7a3bd53277f1

SHA1
eacdc784f0e7562f5f47be96c8de5bcfd1c62ecb

SHA256
f17995a576e8f03dd82e8b0359c74ae629bff9c8c9850fa19aae9a72a9c040b4

SHA512
95224c48a7a9210824011a93eaa4208ef8fd1ad0d702c5f49819d2e753f5105d92f492a9895e5418b6c38d55a219c7ef0b990ba17116b7c1933e8c42b1237a95

Download Submit
\Users\Admin\AppData\Local\Temp\348e6168-5966-4535-9fa2-6734ab6d3967\setup_01cncw01.exe

Filesize
65KB

MD5
9cba20149aa9b7caa99414655fc3fd26

SHA1
3f1ffdf865984bdef6c513e4ce280dbac893037c

SHA256
7cf861a4063807fecda85d37ca1f9effab6efa4ab2a5ec60ed89f407c72c5007

SHA512
e53e2895663a0c0b52c9e3c4a66cfd9ebeb28f9552ae2adcde1b6142866312ff5b8a9cad226f9ca9da39af74a8aa7e11b69d207ce29a5ee4a9765999616b0159

Download Submit
\Users\Admin\AppData\Local\Temp\5c4f49e3-42df-4a92-a98c-be051469f08b\Setup_s86.exe

Filesize
240KB

MD5
7f9fbada8a80cee46962cb8f191db6f0

SHA1
0ae14944174981e89a08001a214b6cf5a1f1da59

SHA256
488d4bfad05e370516e92f6b824a8c751ea00d66a32ca0ebc5b05aca5e4d08f9

SHA512
6ba518c9a02835b8eb5621e7caaca6d5a805bc1e0c093ab41396c0fe3e4a286d136d7b83704b60591186fa2a9cea37462d9cafab20c3a9a11f9975b542fe0499

Download Submit
\Users\Admin\AppData\Local\Temp\5c4f49e3-42df-4a92-a98c-be051469f08b\setup.exe

Filesize
180KB

MD5
c132031b0cbdd0fd485efd0bbcd78c3e

SHA1
e7295c3c9a253bee169c8c0a997876895d7a9e9b

SHA256
c1ef5b4cc978d33ff628b31dab1be761db750967ca5f08a4b851b05ff7ec7f81

SHA512
8ef62e686aa9d501496b548b09d310fb14c2d8fa44ee458a42e6462d36142372550dd257d50b27f81d0033e6de5bb0baa0b09cddb0168735af0f99303ef1251d

Download Submit
memory/1208-132-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2060-38-0x00000000002E0000-0x0000000000303000-memory.dmp

Filesize
140KB

Download
memory/2772-138-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2772-141-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/2772-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2772-51-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2772-52-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2772-53-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2956-120-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2956-62-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2964-133-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads