b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4

General

Target

b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe
Size

471KB
MD5

b6ea755015a6831da0d45300d8f1f121
SHA1

3c63a91abcb5827b250d71c810241433ec1f9635
SHA256

b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4
SHA512

4a166d9f9f7ca38e79c861a01d1ea977a86ac1c39929b7220415ee8319ae6ba637a808a88ba48097604de21d777bab9b10bc4bc9ab7016bded760d8f1fa3588b

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*"	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

Drops file in Drivers directory 2 IoCs

Processes:

b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe"	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

Modifies registry class 1 IoCs

Processes:

b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*"	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe

description	pid	process	target process
PID 1420 wrote to memory of 1472	1420	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe	reg.exe
PID 1420 wrote to memory of 1472	1420	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe	reg.exe
PID 1420 wrote to memory of 1472	1420	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe	reg.exe
PID 1420 wrote to memory of 1472	1420	b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe
"C:\Users\Admin\AppData\Local\Temp\b902f6a246639061d879e49133bff336f6c10c2dd27ce6593dfc0f1894ca00c4.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2

T1004

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

2

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

6

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1472-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads