a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01

Analysis

max time kernel
121s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe
Size

532KB
MD5

3c00accded5db6b17070663be4e2725a
SHA1

680d4a496abab8e1a4c61ea0e488dffab1db1416
SHA256

a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01
SHA512

154317933533fc93d9e50c9a2f23682a90b9014dd317f34a5b026e9abafc3561ead619f5642ec1c3a50a7640020623d2cf57b360e9ae1f8e1d2f6d4b63bf7abb
SSDEEP

12288:gCmLpJTyNXSYoGkZCOLpn45/MQ51dqhkKq:gCmtJTyN0pCOtn45/jzQhk9

Score

7^/10

adware bootkit discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023b7b-84.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	setup_01cncw01.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\»®´ÊËÑË÷.lnk	setup.exe

Executes dropped EXE 5 IoCs

pid	Process
1796	setup.exe
2224	setup_s86.exe
1996	setup_s86.exe
3428	setup_01cncw01.exe
1928	Search.exe

Loads dropped DLL 6 IoCs

pid	Process
1996	setup_s86.exe
4620	regsvr32.exe
1996	setup_s86.exe
2708	rundll32.exe
2656	rundll32.exe
1928	Search.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\ = "MMSAssist"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}	setup_s86.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	setup.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	Search.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b70-27.dat	upx
behavioral2/memory/3428-28-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1996-85-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-84.dat	upx
behavioral2/memory/2708-98-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral2/memory/1996-95-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral2/memory/2656-101-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral2/memory/3428-124-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\wsearch\Search.exe	setup.exe
File created	C:\Program Files (x86)\wsearch\Mouse1.dll.zgx	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\sysupdate.ini	setup.exe
File created	C:\Program Files (x86)\wsearch\allverx.dat.tmp	setup.exe
File created	C:\Program Files (x86)\wsearch\sysupdate.ini.tmp	setup.exe
File created	C:\Program Files (x86)\MMSAssist\MMSAssist.dll	setup_s86.exe
File opened for modification	C:\Program Files (x86)\wsearch\mupdate.exe	setup.exe
File created	C:\Program Files (x86)\wsearch\SearchM.dll.zgx.tmp	setup.exe
File created	C:\Program Files (x86)\wsearch\SearchM.dll.zgx	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\Mouse1.dll	setup.exe
File created	C:\Program Files (x86)\wsearch\Mouse1.dll.zgx.tmp	setup.exe
File created	C:\Program Files (x86)\wsearch\mupdate.exe	setup.exe
File created	C:\Program Files (x86)\wsearch\sysupdate.ini	setup.exe
File created	C:\Program Files (x86)\wsearch\setup.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\SearchM.dll	setup.exe
File created	C:\Program Files (x86)\wsearch\Search.exe.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\sysadInfo.ini	setup.exe
File created	C:\Program Files (x86)\wsearch\Search.exe	setup.exe
File created	C:\Program Files (x86)\wsearch\allverx.dat	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\Mouse1.dll.zgx	setup.exe
File created	C:\Program Files (x86)\wsearch\mUninstall.exe.tmp	setup.exe
File created	C:\Program Files (x86)\wsearch\mUninstall.exe	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\sysadInfo.ini	Search.exe
File created	C:\Program Files (x86)\MMSAssist\mms.ini	setup_s86.exe
File created	C:\Program Files (x86)\wsearch\mupdate.exe.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\mUninstall.exe	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\allverx.dat	setup.exe
File created	C:\Program Files (x86)\wsearch\_uninstall	setup.exe
File opened for modification	C:\Program Files (x86)\wsearch\SearchM.dll.zgx	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_s86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_01cncw01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Search.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_s86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\MenuExt\ >> ²ÊÐÅ·¢ËÍ <<	setup_s86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\ >> ²ÊÐÅ·¢ËÍ <<\ = "res://C:\\Program Files (x86)\\MMSAssist\\MMSAssist.dll/mms.htm"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\ClsidExtension = "{6671A432-5C3D-463d-A7CF-5587F9B7E191}"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\MenuText = "MMSAssist¹¤¾ßÌõÉèÖÃ"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\MenuStatusBar = "´ò¿ªMMSAssist¹¤¾ßÌõÉèÖÃ½çÃæ"	setup_s86.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\InprocServer32\ = "C:\\PROGRA~2\\wsearch\\searchm.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\TypeLib	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\TypeLib\Version = "1.0"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32\ = "C:\\Program Files (x86)\\MMSAssist\\MMSAssist.dll"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu.1\CLSID\ = "{6671A432-5C3D-463d-A7CF-5587F9B7E191}"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Search\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\TypeLib\Version = "1.0"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\ = "IMMSAssist"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu\CLSID	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32\ThreadingModel = "Apartment"	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\TypeLib	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Search\CLSID\ = "{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\ProgID\ = "SearchM.Search.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A7A-E652-4A57-A6B9-EE64AD532A8D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\TypeLib\ = "{077525AC-C681-4139-8C3E-B582BDD375C7}"	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Search.1\ = "Search Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\ProgID	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\TypeLib\ = "{FD536575-73F7-42A3-9E9F-11688F1A006A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463D-A7CF-5587F9B7E191}\ = "MMSAssist"	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463D-A7CF-5587F9B7E191}\InprocServer32	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\VersionIndependentProgID\ = "MMSBho.MMSAssistMenu"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32\ = "C:\\PROGRA~2\\MMSASS~1\\MMSASS~1.DLL"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\ = "MMSAssistMenu"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A7A-E652-4A57-A6B9-EE64AD532A8D}\TypeLib	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\TypeLib\ = "{FD536575-73F7-42A3-9E9F-11688F1A006A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463D-A7CF-5587F9B7E191}\InprocServer32	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74289A7A-E652-4A57-A6B9-EE64AD532A8D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist.1	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463D-A7CF-5587F9B7E191}	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\Programmable	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\TypeLib	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Search.1\CLSID\ = "{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\TypeLib\ = "{FD536575-73F7-42A3-9E9F-11688F1A006A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist\CurVer\ = "MMSBho.MMSAssist.1"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist.1\CLSID\ = "{6671A431-5C3D-463d-A7CF-5587F9B7E191}"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\VersionIndependentProgID	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist\CLSID	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\TypeLib\ = "{077525AC-C681-4139-8C3E-B582BDD375C7}"	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\VersionIndependentProgID	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist\CurVer	setup_s86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Search\ = "Search Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\ProxyStubClsid32	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup_s86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74289A7A-E652-4A57-A6B9-EE64AD532A8D}\TypeLib\Version = "1.0"	setup_s86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{077525AC-C681-4139-8C3E-B582BDD375C7}\1.0\HELPDIR	setup_s86.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1796	setup.exe
1928	Search.exe
1928	Search.exe
1928	Search.exe
1928	Search.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1796	1780	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	83
PID 1780 wrote to memory of 1796	1780	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	83
PID 1780 wrote to memory of 1796	1780	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	83
PID 1780 wrote to memory of 2224	1780	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	84
PID 1780 wrote to memory of 2224	1780	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	84
PID 1780 wrote to memory of 2224	1780	a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe	84
PID 2224 wrote to memory of 1996	2224	setup_s86.exe	85
PID 2224 wrote to memory of 1996	2224	setup_s86.exe	85
PID 2224 wrote to memory of 1996	2224	setup_s86.exe	85
PID 2224 wrote to memory of 3428	2224	setup_s86.exe	86
PID 2224 wrote to memory of 3428	2224	setup_s86.exe	86
PID 2224 wrote to memory of 3428	2224	setup_s86.exe	86
PID 1796 wrote to memory of 4620	1796	setup.exe	87
PID 1796 wrote to memory of 4620	1796	setup.exe	87
PID 1796 wrote to memory of 4620	1796	setup.exe	87
PID 1996 wrote to memory of 2708	1996	setup_s86.exe	88
PID 1996 wrote to memory of 2708	1996	setup_s86.exe	88
PID 1996 wrote to memory of 2708	1996	setup_s86.exe	88
PID 1996 wrote to memory of 2656	1996	setup_s86.exe	89
PID 1996 wrote to memory of 2656	1996	setup_s86.exe	89
PID 1996 wrote to memory of 2656	1996	setup_s86.exe	89
PID 1796 wrote to memory of 1928	1796	setup.exe	90
PID 1796 wrote to memory of 1928	1796	setup.exe	90
PID 1796 wrote to memory of 1928	1796	setup.exe	90
PID 3428 wrote to memory of 1432	3428	setup_01cncw01.exe	91
PID 3428 wrote to memory of 1432	3428	setup_01cncw01.exe	91
PID 3428 wrote to memory of 1432	3428	setup_01cncw01.exe	91

C:\Users\Admin\AppData\Local\Temp\a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe
"C:\Users\Admin\AppData\Local\Temp\a9f3b8a813d7077825f0c17f9cbcff86ca1b883413675badd7adc00d5221dd01.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\da074206-a55f-4847-ad3f-a2eb4a3ad6d8\setup.exe
  C:\Users\Admin\AppData\Local\Temp\da074206-a55f-4847-ad3f-a2eb4a3ad6d8\setup.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Program Files (x86)\wsearch\searchm.dll" -s
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4620
- - C:\Program Files (x86)\wsearch\Search.exe
    "C:\Program Files (x86)\wsearch\Search.exe" us
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1928
- C:\Users\Admin\AppData\Local\Temp\da074206-a55f-4847-ad3f-a2eb4a3ad6d8\setup_s86.exe
  C:\Users\Admin\AppData\Local\Temp\da074206-a55f-4847-ad3f-a2eb4a3ad6d8\setup_s86.exe /S /R0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\4b9be714-b8ee-4e33-96d5-b74f376eda6e\setup_s86.exe
    C:\Users\Admin\AppData\Local\Temp\4b9be714-b8ee-4e33-96d5-b74f376eda6e\setup_s86.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL,EasyFunc
      4⤵
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      PID:2708
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL,EasyFunc
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2656
- - C:\Users\Admin\AppData\Local\Temp\4b9be714-b8ee-4e33-96d5-b74f376eda6e\setup_01cncw01.exe
    C:\Users\Admin\AppData\Local\Temp\4b9be714-b8ee-4e33-96d5-b74f376eda6e\setup_01cncw01.exe /S /R0
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s dtservice.dll /S /R0
      4⤵
      System Location Discovery: System Language Discovery
      PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL

Filesize
35KB

MD5
0b2766051d9fdaab37ed2f5aa5375deb

SHA1
0fa903c94e2880918bef4a618e0d7cdbb20b0401

SHA256
5134d0f86c6f1af64ec6b634711833e0f706066acc668a2e57d9fff493383da9

SHA512
3be65597b50e278938a92a771a41a2c8ae3c5de978fafcf8e34ec2267b5dbeff2769869f235ba7eb4a57381972439fa02c7aaae71721b194202aa65f48cf29cf

Download Submit
C:\PROGRA~2\MMSASS~1\mms.ini

Filesize
109B

MD5
6e30f8f2fe8d7db530e8a3ee56148f71

SHA1
bc1692fa78eba3eea4af73e04124a43aa60f48a0

SHA256
0c4bf097293013f20f2d8b79756c049ecd31b78e55079a3055490b7f9c1ae4c8

SHA512
5182f43107d5872d9438a13161e0e96d9d0e1df9f9c2ca6e15015e2b9f8b07011440abb69fdc1c7de421436414155f7ecbda2d0b42f35bb7bcc36dff8c54a4d5

Download Submit
C:\Program Files (x86)\wsearch\Mouse1.dll

Filesize
64KB

MD5
23dc474fa7d3f168893a0636ec39e8b3

SHA1
1d20d251dde02aaa1b34c8681f7a2f60b5af98cf

SHA256
b7063981dc266732e4cc464a07f2eca1e2b0aa5cb8d792199051bd7771a0661a

SHA512
75e43e5963b07da4550416593453557a789041f5a662071de59a49f0cffa8fae748b1ab02f464f24a8facdc078923834b0a4ee23309b6c7438a06ba2ffe47097

Download Submit
C:\Program Files (x86)\wsearch\Search.exe

Filesize
128KB

MD5
38f7505baa41babeb4b674582eed4bd3

SHA1
943d339092953b7655e2ab2db78c578b3fcc6ece

SHA256
ed17df692787452404530ca05e5a33a215272ff95dfe3fc34162d7dd44fe6dd2

SHA512
9e1ea332a101106fa6cd6a730d00affc263e418f41a2b111a4212f363bd3dcc6a716e355ab7a79bc9ea16bc3f96beaad9062edcf3259368dd3669327be3b2a73

Download Submit
C:\Program Files (x86)\wsearch\searchm.dll

Filesize
40KB

MD5
e087ca7bd81e37c81f825eb6418ab004

SHA1
cb97cdf077624ac84c0c091b85f0af5a219217c0

SHA256
6c5170a251cc9276c0568ad07aad23524efa8362f2b7a58cc0b0b76c92c11858

SHA512
f36b074cdd541394f96d2d8ebee29baa83b5913973d6b742f79e78f869ee87a197e41f3a2639692733e9413466144590b9a5488a97918421b9b63ff9fcd50530

Download Submit
C:\Program Files (x86)\wsearch\sysadInfo.ini

Filesize
25B

MD5
598e9b90b57c0153e34c30332f044c9a

SHA1
775d3e64d21c5f4d1023bd05ffe638eadc7e1474

SHA256
c504fc16c030f1a80a770b912395c5dd2966a9b18149ae456096d60ba67e4b96

SHA512
48ae053006b3eba2f9bd995feae7f4d71301ab7eabeb4200f24c85722c74c8099ca5dbc8622314dc64b2c6f0905918a00984c91732e2fcfd9fc6ce9817fd2e36

Download Submit
C:\Program Files (x86)\wsearch\sysadInfo.ini

Filesize
58B

MD5
f97c2db5861806dc880dc006a53bbbf1

SHA1
1581f94f201ad1eb1a4c41424d16e18de9a857a8

SHA256
afca412a4c257c8d4f79f60589703b15cd1b9c8dd603570e597d37b3f0c97b9c

SHA512
ffd0d231b8cf0d8e388c2e8a3a0ff620709a4b47cdebef7bd982c02b9001aa98f7ac0675a663f260c6dc4797219bd312469d06fd1b217399293ab5122166b2e2

Download Submit
C:\Program Files (x86)\wsearch\sysadInfo.ini

Filesize
47B

MD5
f3ded4515c32fa07a64eb37018da0e8b

SHA1
ca0edf7d4d034e6230d723cce338d46b79e0ab29

SHA256
31d714722d5965915fae49684017098f307b77b83f37a4c9070301628cb49e08

SHA512
f7b0b2ec3a4e8207dd71137b2bc844839c06f3aa0f2ea3ee9804750bb8f4c63888908a159373b038668cc4fdac184d8c053df5a726304cb7b50063a220041893

Download Submit
C:\Program Files (x86)\wsearch\sysupdate.ini

Filesize
63B

MD5
a3c6f56e44fd905ccddaa02484cf2864

SHA1
fff91ff19af16ba4c6e579a4d8e5612b609fed3a

SHA256
a7568b4423a2a024ad327016632c76c79a8d2df62119de90b67e8ade236816c9

SHA512
1060cbb7603c063fcd931d166382a85981abfbb85a926704c3092116ce55d58490e2754af3be2d5848469f5c2cd6e35728455fb0e9af8da26930a4209a1c5332

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9be714-b8ee-4e33-96d5-b74f376eda6e\Setup_s86.exe

Filesize
62KB

MD5
2944145db28891a98dbe7a3bd53277f1

SHA1
eacdc784f0e7562f5f47be96c8de5bcfd1c62ecb

SHA256
f17995a576e8f03dd82e8b0359c74ae629bff9c8c9850fa19aae9a72a9c040b4

SHA512
95224c48a7a9210824011a93eaa4208ef8fd1ad0d702c5f49819d2e753f5105d92f492a9895e5418b6c38d55a219c7ef0b990ba17116b7c1933e8c42b1237a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9be714-b8ee-4e33-96d5-b74f376eda6e\setup_01cncw01.exe

Filesize
65KB

MD5
9cba20149aa9b7caa99414655fc3fd26

SHA1
3f1ffdf865984bdef6c513e4ce280dbac893037c

SHA256
7cf861a4063807fecda85d37ca1f9effab6efa4ab2a5ec60ed89f407c72c5007

SHA512
e53e2895663a0c0b52c9e3c4a66cfd9ebeb28f9552ae2adcde1b6142866312ff5b8a9cad226f9ca9da39af74a8aa7e11b69d207ce29a5ee4a9765999616b0159

Download Submit
C:\Users\Admin\AppData\Local\Temp\da074206-a55f-4847-ad3f-a2eb4a3ad6d8\Setup_s86.exe

Filesize
240KB

MD5
7f9fbada8a80cee46962cb8f191db6f0

SHA1
0ae14944174981e89a08001a214b6cf5a1f1da59

SHA256
488d4bfad05e370516e92f6b824a8c751ea00d66a32ca0ebc5b05aca5e4d08f9

SHA512
6ba518c9a02835b8eb5621e7caaca6d5a805bc1e0c093ab41396c0fe3e4a286d136d7b83704b60591186fa2a9cea37462d9cafab20c3a9a11f9975b542fe0499

Download Submit
C:\Users\Admin\AppData\Local\Temp\da074206-a55f-4847-ad3f-a2eb4a3ad6d8\setup.exe

Filesize
180KB

MD5
c132031b0cbdd0fd485efd0bbcd78c3e

SHA1
e7295c3c9a253bee169c8c0a997876895d7a9e9b

SHA256
c1ef5b4cc978d33ff628b31dab1be761db750967ca5f08a4b851b05ff7ec7f81

SHA512
8ef62e686aa9d501496b548b09d310fb14c2d8fa44ee458a42e6462d36142372550dd257d50b27f81d0033e6de5bb0baa0b09cddb0168735af0f99303ef1251d

Download Submit
memory/1996-95-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1996-85-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2656-101-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2708-98-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3428-28-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3428-124-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads