fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2

General

Target

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Size

375KB
MD5

95c61f88877e5318bbc67724217cd424
SHA1

6c9e9bb00a43b11c3752f4e7ba5c9b0f525f6fa0
SHA256

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2
SHA512

3abba7059e8bc612a050ad1f52f06b7cec3407f3ec7900bb45fcb20f3aaa753f16067dcebad61bb83c58415199a37c3b40faca52d29b3580b093b0433edfe97f

Score

8^/10

adware stealer

Malware Config

Signatures

Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

pid process

1644 fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
1644	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

Drops file in System32 directory 7 IoCs

Processes:

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\CBRun.rar	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
File created	C:\Windows\SysWOW64\CBExt.bpl	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
File created	C:\Windows\SysWOW64\CBRun.bpl	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
File created	C:\Windows\SysWOW64\AppCache.v2.dat	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
File opened for modification	C:\Windows\SysWOW64\AppCache.v2.dat	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.dll	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
File created	C:\Windows\SysWOW64\gdiplus.dll	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DEPoff = "1"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DEPon = "1"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{47152201-D8F1-11EC-8E3C-66DE0394A5F7} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359894108"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32\ThreadingModel = "Apartment"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib\Version = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ = "IEmbedWordX"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\InprocServer32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ProgID\ = "CLXBaseAppX.EmbedWordX"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Version	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\ = "CBXNSHandler"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\ = "CLXBaseAppX Library"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\FLAGS	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ProgID	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\InprocServer32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\InprocServer32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\MiscStatus\1	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ = "EmbedWordX Control"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\MiscStatus\ = "0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Verb	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0\0	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ = "IIntelliObjX"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib\Version = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Version\ = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\ProgID\ = "CLXBaseAppX.CBXNSHandler"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\Version = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CBXNSHandler\ = "CBXNSHandler"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\MiscStatus	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\MiscStatus\1	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ = "IIntelliObjX"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\MiscStatus\ = "0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\InprocServer32\ = "C:\\Windows\\SysWow64\\CBRun.bpl"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib\Version = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.IntelliObjX\Clsid	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.IntelliObjX\Clsid\ = "{DAF593D9-515A-4869-864D-8DCE6D7DCB91}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\ = "ICLXBaseRunEvents"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib\Version = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.EmbedWordX\Clsid\ = "{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.IntelliObjX\ = "IntelliObjX Control"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CLXBaseRun\Clsid\ = "{81C57AAD-F991-48E5-A42D-51AF23F40150}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\MiscStatus\1\ = "205201"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\ToolboxBitmap32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Control\	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CLXBaseRun	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1956 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1956 IEXPLORE.EXE
1956 IEXPLORE.EXE
1488 IEXPLORE.EXE
1488 IEXPLORE.EXE
1488 IEXPLORE.EXE
1488 IEXPLORE.EXE

pid	process
1956	IEXPLORE.EXE

pid	process
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exeIEXPLORE.EXE

description	pid	process	target process
PID 1644 wrote to memory of 1956	1644	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1956	1644	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1956	1644	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1956	1644	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe	IEXPLORE.EXE
PID 1956 wrote to memory of 1488	1956	IEXPLORE.EXE	IEXPLORE.EXE
PID 1956 wrote to memory of 1488	1956	IEXPLORE.EXE	IEXPLORE.EXE
PID 1956 wrote to memory of 1488	1956	IEXPLORE.EXE	IEXPLORE.EXE
PID 1956 wrote to memory of 1488	1956	IEXPLORE.EXE	IEXPLORE.EXE
PID 1956 wrote to memory of 1488	1956	IEXPLORE.EXE	IEXPLORE.EXE
PID 1956 wrote to memory of 1488	1956	IEXPLORE.EXE	IEXPLORE.EXE
PID 1956 wrote to memory of 1488	1956	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
"C:\Users\Admin\AppData\Local\Temp\fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5LHUFCVW.txt
Filesize
601B

MD5
1aef0088e8b3cd48dd8af81d5b0eb6d8

SHA1
f3e8d0c0d034c054f2d8debe5caa658a210e1722

SHA256
7691ec7b9f975f6bd5bc6ea708192a663070158d84dba2de6f2841ecfbccb186

SHA512
eeeaf238c63c50bf3f8bba5381d173da6ddfe87001fdd6f3222a07c14d459b338f56cb6e086b41c72f928ba31cfe7ee857d8199d684f8f1b614af0f310cd0378

Download Submit
\Windows\SysWOW64\CBRun.bpl
Filesize
7.2MB

MD5
45682678083ba2f948dd6517e1b5323b

SHA1
990c6cd98510d1d73d61bc652d2900894da0a319

SHA256
4a0d3d5680985b883446801a6e4b71d20abc643a5b8272a214defbf18843066c

SHA512
a81fb6ba09c0bec253d1c5580a27c188962293ef64a56f8ed08c7c1cf53da4579725b63266555768cc2a112688c0c46672dab33550675f9d9e9b7db7a357a92f

Download Submit
memory/1644-54-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/1644-56-0x0000000001C80000-0x0000000001CC8000-memory.dmp

Filesize
288KB

Download
memory/1644-62-0x0000000003DC0000-0x0000000004505000-memory.dmp

Filesize
7.3MB

Download
memory/1644-64-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/1644-77-0x0000000002130000-0x0000000002151000-memory.dmp

Filesize
132KB

Download
memory/1644-85-0x00000000048D0000-0x000000000498A000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads