3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6

General

Target

3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe
Size

6KB
MD5

4687585f511d6b98d97e558acad3c78c
SHA1

321752e18b449df2a8720dad68bfc718520c4574
SHA256

3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6
SHA512

e4f08ae49a027508714934907872aa3e1c3d32effebe487495bfb17e0ca0df5775baeffeb8e2b4362830ea4bce1c62c78ef8221b56a34e4e0a086baf7d12be6b

Score

7^/10

adware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1728 cmd.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176
Drops file in System32 directory 1 IoCs

Processes:

3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe

description ioc process

File created C:\Windows\SysWOW64\mswapi.dll 3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1728	cmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\mswapi.dll	3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe

Modifies registry class 5 IoCs

Processes:

3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\InprocServer32\ThreadingModel = "Apartment"	3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\script = 18b449998991e1c3e4419ee7a62493f2f4b2fffd7e28bd7ebd9dc45fb9b2a2edaf8e41	3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}	3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\InprocServer32	3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswapi.dll"	3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe

description	pid	process	target process
PID 1968 wrote to memory of 1728	1968	3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe	cmd.exe
PID 1968 wrote to memory of 1728	1968	3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe	cmd.exe
PID 1968 wrote to memory of 1728	1968	3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe	cmd.exe
PID 1968 wrote to memory of 1728	1968	3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe
"C:\Users\Admin\AppData\Local\Temp\3161a806fde2267e5b8d752e1fc9080fde9c245eb25a80032c0ca9d7601d73a6.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\delt.bat" "
2⤵
- Deletes itself
PID:1728

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delt.bat
Filesize
278B

MD5
b7209cce88de99dc13fa6d7f3e5c1758

SHA1
710a7e00120090fb1f5674a217492d96522de068

SHA256
2ca3a83dae23f590fe3c75abf910ab2b2291a12e138d63cca8f1f87bad1bbb18

SHA512
705edac1637af8b692c2fd83da43654054c469be6b8f4f1afb9a7959211c9d666e931f167ba2680ac02e5d3e9163eedfbf27fa2508a02a4710c8cdf64cdf4564

Download Submit
memory/1728-55-0x0000000000000000-mapping.dmp

Download
memory/1968-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing