7a01b6f6c639d80933c7f60dbde344a1a12f20088af192b74c13c28d2810aed3

General

Target

4785d3a3efa5e29793049412371587d5.exe
Size

375KB
MD5

4785d3a3efa5e29793049412371587d5
SHA1

025e645ac5beab6195ac18dcf45730d60afa8bdb
SHA256

7a01b6f6c639d80933c7f60dbde344a1a12f20088af192b74c13c28d2810aed3
SHA512

497624a931bbbcb02bef78a78aded48b417fd09dc2ed3e5fbfcdd6cdc76a708e41c3a1c52b2883c7e8db9b03f00be72d3a8172787452cb9dcf8523699bc59d19

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

4785d3a3efa5e29793049412371587d5.exe

pid process

1680 4785d3a3efa5e29793049412371587d5.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
1680	4785d3a3efa5e29793049412371587d5.exe

Drops file in System32 directory 7 IoCs

Processes:

4785d3a3efa5e29793049412371587d5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\CBRun.rar	4785d3a3efa5e29793049412371587d5.exe
File created	C:\Windows\SysWOW64\CBExt.bpl	4785d3a3efa5e29793049412371587d5.exe
File created	C:\Windows\SysWOW64\CBRun.bpl	4785d3a3efa5e29793049412371587d5.exe
File created	C:\Windows\SysWOW64\AppCache.v2.dat	4785d3a3efa5e29793049412371587d5.exe
File opened for modification	C:\Windows\SysWOW64\AppCache.v2.dat	4785d3a3efa5e29793049412371587d5.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.dll	4785d3a3efa5e29793049412371587d5.exe
File created	C:\Windows\SysWOW64\gdiplus.dll	4785d3a3efa5e29793049412371587d5.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXE4785d3a3efa5e29793049412371587d5.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DEPoff = "1"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DEPon = "1"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{87CCFB91-3E18-11EB-8500-DE8B8BF990D6} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "314721039"	IEXPLORE.EXE

Modifies registry class 186 IoCs

Processes:

4785d3a3efa5e29793049412371587d5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CLXBaseRun	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CBRun.bpl,1"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\MiscStatus\ = "0"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib\Version = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ = "IIntelliObjX"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib\Version = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\MiscStatus\1	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Verb\0\ = "Properties,0,2"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\MiscStatus\1	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.EmbedWordX\ = "EmbedWordX Control"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\Version = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.EmbedWordX\Clsid	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Control	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.IntelliObjX\Clsid\ = "{DAF593D9-515A-4869-864D-8DCE6D7DCB91}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ = "ICLXBaseRun"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Version\ = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\MiscStatus\1\ = "205201"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CBXNSHandler\Clsid	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\ProgID	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ProxyStubClsid32	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\MiscStatus	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Verb\	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.IntelliObjX	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ProxyStubClsid32	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ = "EmbedWordX Control"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ProgID\ = "CLXBaseAppX.IntelliObjX"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Version\ = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\Version = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Verb\0	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\0\win32	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ = "IEmbedWordX"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Verb\0\ = "Properties,0,2"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CBRun.bpl,2"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32\ThreadingModel = "Apartment"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\TypeLib\Version = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Version	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Version\ = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	4785d3a3efa5e29793049412371587d5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

936 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

936 IEXPLORE.EXE
936 IEXPLORE.EXE
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE

pid	process
936	IEXPLORE.EXE

pid	process
936	IEXPLORE.EXE
936	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

4785d3a3efa5e29793049412371587d5.exeIEXPLORE.EXE

description	pid	process	target process
PID 1680 wrote to memory of 936	1680	4785d3a3efa5e29793049412371587d5.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 936	1680	4785d3a3efa5e29793049412371587d5.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 936	1680	4785d3a3efa5e29793049412371587d5.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 936	1680	4785d3a3efa5e29793049412371587d5.exe	IEXPLORE.EXE
PID 936 wrote to memory of 1620	936	IEXPLORE.EXE	IEXPLORE.EXE
PID 936 wrote to memory of 1620	936	IEXPLORE.EXE	IEXPLORE.EXE
PID 936 wrote to memory of 1620	936	IEXPLORE.EXE	IEXPLORE.EXE
PID 936 wrote to memory of 1620	936	IEXPLORE.EXE	IEXPLORE.EXE
PID 936 wrote to memory of 1620	936	IEXPLORE.EXE	IEXPLORE.EXE
PID 936 wrote to memory of 1620	936	IEXPLORE.EXE	IEXPLORE.EXE
PID 936 wrote to memory of 1620	936	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\4785d3a3efa5e29793049412371587d5.exe
"C:\Users\Admin\AppData\Local\Temp\4785d3a3efa5e29793049412371587d5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:936 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2W37GNIV.txt
MD5
afa78891ec0e348435bc7a1537793dbb

SHA1
dc7c58b860ff42a79766685c969901ed91608e64

SHA256
03b883df38b5f8b3e91050c54befbdba00412f1a28e31769000367305921fcf5

SHA512
1f9fb96cf3c5e57b60268c93e3e89b35062cb3ac6f8681652cddaae0deccac7cf992a2775a683857442f99149de31a20a1ab48242167e63edc18d226470a7dc2

Download Submit
\Windows\SysWOW64\CBRun.bpl
MD5
45682678083ba2f948dd6517e1b5323b

SHA1
990c6cd98510d1d73d61bc652d2900894da0a319

SHA256
4a0d3d5680985b883446801a6e4b71d20abc643a5b8272a214defbf18843066c

SHA512
a81fb6ba09c0bec253d1c5580a27c188962293ef64a56f8ed08c7c1cf53da4579725b63266555768cc2a112688c0c46672dab33550675f9d9e9b7db7a357a92f

Download Submit
memory/936-9-0x0000000000000000-mapping.dmp

Download
memory/1620-10-0x0000000000000000-mapping.dmp

Download
memory/1652-3-0x000007FEF6460000-0x000007FEF66DA000-memory.dmp

Filesize
2.5MB

Download
memory/1680-2-0x0000000000340000-0x0000000000388000-memory.dmp

Filesize
288KB

Download
memory/1680-5-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1680-6-0x0000000003080000-0x000000000313A000-memory.dmp

Filesize
744KB

Download
memory/1680-7-0x0000000001FE0000-0x0000000002001000-memory.dmp

Filesize
132KB

Download
memory/1680-8-0x0000000004B60000-0x0000000004C1A000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads