7a01b6f6c639d80933c7f60dbde344a1a12f20088af192b74c13c28d2810aed3

General

Target

4785d3a3efa5e29793049412371587d5.exe
Size

375KB
MD5

4785d3a3efa5e29793049412371587d5
SHA1

025e645ac5beab6195ac18dcf45730d60afa8bdb
SHA256

7a01b6f6c639d80933c7f60dbde344a1a12f20088af192b74c13c28d2810aed3
SHA512

497624a931bbbcb02bef78a78aded48b417fd09dc2ed3e5fbfcdd6cdc76a708e41c3a1c52b2883c7e8db9b03f00be72d3a8172787452cb9dcf8523699bc59d19

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

4785d3a3efa5e29793049412371587d5.exe

pid process

4632 4785d3a3efa5e29793049412371587d5.exe
4632 4785d3a3efa5e29793049412371587d5.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
4632	4785d3a3efa5e29793049412371587d5.exe
4632	4785d3a3efa5e29793049412371587d5.exe

Drops file in System32 directory 5 IoCs

Processes:

4785d3a3efa5e29793049412371587d5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\CBRun.rar	4785d3a3efa5e29793049412371587d5.exe
File created	C:\Windows\SysWOW64\CBExt.bpl	4785d3a3efa5e29793049412371587d5.exe
File created	C:\Windows\SysWOW64\CBRun.bpl	4785d3a3efa5e29793049412371587d5.exe
File created	C:\Windows\SysWOW64\AppCache.v2.dat	4785d3a3efa5e29793049412371587d5.exe
File opened for modification	C:\Windows\SysWOW64\AppCache.v2.dat	4785d3a3efa5e29793049412371587d5.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE4785d3a3efa5e29793049412371587d5.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{79B577A8-3E18-11EB-BEBD-EEE2FDE4DDD4} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "314769601"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\DEPoff = "1"	4785d3a3efa5e29793049412371587d5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30855717"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "314737609"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "314721015"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1315186269"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\DEPon = "1"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30855717"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1310030021"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1310030021"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30855717"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	IEXPLORE.EXE

Modifies registry class 186 IoCs

Processes:

4785d3a3efa5e29793049412371587d5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib\Version = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ToolboxBitmap32	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Verb\0\ = "Properties,0,2"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ = "ICLXBaseRun"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ = "IEmbedWordXEvents"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ = "IntelliObjX Control"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32\ThreadingModel = "Apartment"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\InprocServer32	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.EmbedWordX\Clsid	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CLXBaseRun\Clsid\ = "{81C57AAD-F991-48E5-A42D-51AF23F40150}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\InprocServer32\ThreadingModel = "Apartment"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ = "ICLXBaseRunEvents"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ = "EmbedWordX Control"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Version	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Verb\0	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\ = "CLXBaseAppX Library"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib\Version = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.EmbedWordX	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ProgID\ = "CLXBaseAppX.IntelliObjX"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Control	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\ProgID	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\InprocServer32	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ProxyStubClsid32	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ = "ICLXBaseRunEvents"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ProxyStubClsid32	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\ = "CLXBaseRun Control"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Verb	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ProxyStubClsid32	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ProxyStubClsid32	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Version\ = "1.0"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ = "IEmbedWordX"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Control\	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Verb\0	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CBXNSHandler\Clsid\ = "{DAE1419C-B543-4AD0-BDD4-065E1A505269}"	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ = "IIntelliObjXEvents"	4785d3a3efa5e29793049412371587d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib	4785d3a3efa5e29793049412371587d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4785d3a3efa5e29793049412371587d5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2196 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2196 IEXPLORE.EXE
2196 IEXPLORE.EXE
572 IEXPLORE.EXE
572 IEXPLORE.EXE
572 IEXPLORE.EXE
572 IEXPLORE.EXE

pid	process
2196	IEXPLORE.EXE

pid	process
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE
572	IEXPLORE.EXE
572	IEXPLORE.EXE
572	IEXPLORE.EXE
572	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

4785d3a3efa5e29793049412371587d5.exeIEXPLORE.EXE

description	pid	process	target process
PID 4632 wrote to memory of 2196	4632	4785d3a3efa5e29793049412371587d5.exe	IEXPLORE.EXE
PID 4632 wrote to memory of 2196	4632	4785d3a3efa5e29793049412371587d5.exe	IEXPLORE.EXE
PID 2196 wrote to memory of 572	2196	IEXPLORE.EXE	IEXPLORE.EXE
PID 2196 wrote to memory of 572	2196	IEXPLORE.EXE	IEXPLORE.EXE
PID 2196 wrote to memory of 572	2196	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\4785d3a3efa5e29793049412371587d5.exe
"C:\Users\Admin\AppData\Local\Temp\4785d3a3efa5e29793049412371587d5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4632

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:82945 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
1b4c9d3d647e5489e1d94e9309c7fda0

SHA1
578bd02d4c76aa8b01d6f4cc951d7012027e1de8

SHA256
df6c5ff85128a807b4fc40afa8d3a2f59ee9d0c3370e7fdedd601c3835afa557

SHA512
55970044c2bb71e232a1b573bda0939e64f4620dac41bb66a0dea19e5b10139a42985623bd69a7cc0d09b85bc7e6f6875620512d0d1bcd18b44a68f7a736677a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
fbf1bfa311e71858cbb4a7c32bb89eda

SHA1
ac2b31ad2c6e43ee9dd2bf11e8c0243ecba66cf6

SHA256
3fa044c66a923dba82ea7539388b536e1c6e9c4b2bbeca82d6c53232f6299609

SHA512
02bbd31fde7166308b81c048456f16e6135d3cd77b98590b1b5b78400a767733c5b094cf13f70248db2a59581c3cde43496b3aa56f0e06979b97e1579b45b734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8PCZXBJT.cookie
MD5
b68133fb9566ad2bba019f78a6cfabd5

SHA1
ad6181e47b256326127130c5c5e1b0ddd10f4fbe

SHA256
06b659e429eda4527bd203af9983574eef3f47639d8c8933f35ce1753268074e

SHA512
52bc1af9eee2172267e724fb975fdd305d2a7aa36e873fb9558cbdd67c35a2de56743a13cf3cfc0f31d321e1786d233396604b979fd6d1b410db4584622cd98c

Download Submit
\Windows\SysWOW64\CBRun.bpl
MD5
45682678083ba2f948dd6517e1b5323b

SHA1
990c6cd98510d1d73d61bc652d2900894da0a319

SHA256
4a0d3d5680985b883446801a6e4b71d20abc643a5b8272a214defbf18843066c

SHA512
a81fb6ba09c0bec253d1c5580a27c188962293ef64a56f8ed08c7c1cf53da4579725b63266555768cc2a112688c0c46672dab33550675f9d9e9b7db7a357a92f

Download Submit
\Windows\SysWOW64\CBRun.bpl
MD5
45682678083ba2f948dd6517e1b5323b

SHA1
990c6cd98510d1d73d61bc652d2900894da0a319

SHA256
4a0d3d5680985b883446801a6e4b71d20abc643a5b8272a214defbf18843066c

SHA512
a81fb6ba09c0bec253d1c5580a27c188962293ef64a56f8ed08c7c1cf53da4579725b63266555768cc2a112688c0c46672dab33550675f9d9e9b7db7a357a92f

Download Submit
memory/572-10-0x0000000000000000-mapping.dmp

Download
memory/2196-9-0x0000000000000000-mapping.dmp

Download
memory/4632-2-0x0000000002250000-0x0000000002298000-memory.dmp

Filesize
288KB

Download
memory/4632-5-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/4632-6-0x00000000047B0000-0x000000000486A000-memory.dmp

Filesize
744KB

Download
memory/4632-7-0x0000000002D20000-0x0000000002D41000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads