90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300

General

Target

90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe
Size

258KB
MD5

64f2d3ba1c5af7ab5ad266d831a3994b
SHA1

00269dfd14f7fe83542779d184d1339c28025363
SHA256

90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300
SHA512

a22ce0d42283d979735e0cc8c9eb00fef7b2afa45b922e49c7f069bde8736042d9f27a892eeebbae2c1e0100e4bf0f10c95cd18c02b8cdf02271364f03e9d47a

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

Regsvr32.exe

pid process

5076 Regsvr32.exe
5076 Regsvr32.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
5076	Regsvr32.exe
5076	Regsvr32.exe

Drops file in System32 directory 2 IoCs

Processes:

90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hnqatcifeptaz.dll	90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe
File opened for modification	C:\Windows\SysWOW64\popfiles.ini	90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe

Drops file in Windows directory 1 IoCs

Processes:

90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe

description ioc process

File created C:\Windows\cc123.dll 90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe

description	ioc	process
File created	C:\Windows\cc123.dll	90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe

Modifies registry class 5 IoCs

Processes:

Regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB16D2B9-8AA5-4CD7-A9F2-72A4D3078327}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB16D2B9-8AA5-4CD7-A9F2-72A4D3078327}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB16D2B9-8AA5-4CD7-A9F2-72A4D3078327}\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB16D2B9-8AA5-4CD7-A9F2-72A4D3078327}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB16D2B9-8AA5-4CD7-A9F2-72A4D3078327}\InprocServer32\ = "C:\\Windows\\SysWow64\\hnqatcifeptaz.dll"	Regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe

description	pid	process	target process
PID 4160 wrote to memory of 5076	4160	90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe	Regsvr32.exe
PID 4160 wrote to memory of 5076	4160	90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe	Regsvr32.exe
PID 4160 wrote to memory of 5076	4160	90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe	Regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe
"C:\Users\Admin\AppData\Local\Temp\90160dac413cabeaca19fac459501c04772b2448be834415576fb1c7f4e42300.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe /s C:\Windows\system32\hnqatcifeptaz.dll
2⤵
- Loads dropped DLL
- Modifies registry class
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hnqatcifeptaz.dll
Filesize
527KB

MD5
a1561fd87d501e750337b82686fb20c1

SHA1
c9c9e4030dafbad436c00c6006a880f261957d25

SHA256
236e1a50dd21715deadb2f801cb4eddb0af6f7774389461f0d708a40d393be6d

SHA512
e63b3cb9c478026b0e951f3b77f7ff28a2867cd3ceddda5903e6efad087024def361dc5d8d97a0505bf0e0ee13777cddd30d7350836afb0ffe68b899808b22bc

Download Submit
C:\Windows\SysWOW64\hnqatcifeptaz.dll
Filesize
527KB

MD5
a1561fd87d501e750337b82686fb20c1

SHA1
c9c9e4030dafbad436c00c6006a880f261957d25

SHA256
236e1a50dd21715deadb2f801cb4eddb0af6f7774389461f0d708a40d393be6d

SHA512
e63b3cb9c478026b0e951f3b77f7ff28a2867cd3ceddda5903e6efad087024def361dc5d8d97a0505bf0e0ee13777cddd30d7350836afb0ffe68b899808b22bc

Download Submit
C:\Windows\SysWOW64\hnqatcifeptaz.dll
Filesize
527KB

MD5
a1561fd87d501e750337b82686fb20c1

SHA1
c9c9e4030dafbad436c00c6006a880f261957d25

SHA256
236e1a50dd21715deadb2f801cb4eddb0af6f7774389461f0d708a40d393be6d

SHA512
e63b3cb9c478026b0e951f3b77f7ff28a2867cd3ceddda5903e6efad087024def361dc5d8d97a0505bf0e0ee13777cddd30d7350836afb0ffe68b899808b22bc

Download Submit
memory/5076-130-0x0000000000000000-mapping.dmp

Download
memory/5076-134-0x0000000000C40000-0x0000000000CC8000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads