00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a

General

Target

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
Size

632KB
MD5

81969455d579798b16e46099bc1befe4
SHA1

51206957215717be58da7027c0509aab0d4fbaaa
SHA256

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a
SHA512

6f7be945b5be56c7e6474668f163a9f190eeeacd4fa0d8ade077dc765aabfde43bd3055bcbb46f86d7d3c7c05647f0bcdd572ab27a40558406288b1bc3e2a033

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exeregsvr32.exe

pid process

964 00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
1528 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 3 IoCs

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

Drops file in Program Files directory 22 IoCs

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

description	ioc	process
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ch\MediaViewV1alpha7632.crx	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\overlay.xul	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\uninstall.exe	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ie\MediaViewV1alpha7632.dll	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome.manifest	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\ffMediaViewV1alpha7632.js	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\ffMediaViewV1alpha7632ffaction.js	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\overlay.xul	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons\Thumbs.db	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons\Thumbs.db	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ch\MediaViewV1alpha7632.crx	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\install.rdf	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\ffMediaViewV1alpha7632.js	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons\default	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\install.rdf	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\ffMediaViewV1alpha7632ffaction.js	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons\default\MediaViewV1alpha7632_32.png	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons\default\MediaViewV1alpha7632_32.png	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome.manifest	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Approved Extensions	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{d1d7e559-9e68-4132-8098-1052d891f55b} = 51667a6c4c1d3b1b49fac5c05cc95a09949b5612dddbb647	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

Modifies registry class 36 IoCs

Processes:

regsvr32.exe00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib\ = "{189BA7C6-40E2-4B11-AA13-638E2C7B1829}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib\ = "{189BA7C6-40E2-4B11-AA13-638E2C7B1829}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\TypeLib\ = "{189ba7c6-40e2-4b11-aa13-638e2c7b1829}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ = "IMediaViewV1alpha7632BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\Version\ = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaViewV1\\MediaViewV1alpha7632\\ie\\MediaViewV1alpha7632.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaViewV1\\MediaViewV1alpha7632\\ie"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\InprocServer32\ = "C:\\Program Files (x86)\\MediaViewV1\\MediaViewV1alpha7632\\ie\\MediaViewV1alpha7632.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\ = "Media View"	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\ = "MediaViewV1alpha7632"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\ = "MediaViewV1alpha7632Lib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ = "IMediaViewV1alpha7632BHO"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

pid	process
964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

description	pid	process	target process
PID 964 wrote to memory of 1528	964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe	regsvr32.exe
PID 964 wrote to memory of 1528	964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe	regsvr32.exe
PID 964 wrote to memory of 1528	964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe	regsvr32.exe
PID 964 wrote to memory of 1528	964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe	regsvr32.exe
PID 964 wrote to memory of 1528	964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe	regsvr32.exe
PID 964 wrote to memory of 1528	964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe	regsvr32.exe
PID 964 wrote to memory of 1528	964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
"C:\Users\Admin\AppData\Local\Temp\00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ie\MediaViewV1alpha7632.dll" /s
2⤵
- Loads dropped DLL
- Modifies registry class
PID:1528

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe" /force
2⤵
PID:856

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ie\MediaViewV1alpha7632.dll
Filesize
85KB

MD5
e2143f6b74295c6593266c2bebd30d74

SHA1
36c514e81645fa26e9a090a555769220b430553a

SHA256
962388dea3c443df52814fd9813ca2d53cc6e02ccb0a050fc5d6a604d22f52bf

SHA512
cccce9222ef906d65318ed8c7aade5aaf88a490754befe47585044c739f4cdc740e0f68063311d8c459cb122cd4cebd083e5f63358da8a5643e2fbaa1b5671c8

Download Submit
\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ie\MediaViewV1alpha7632.dll
Filesize
85KB

MD5
e2143f6b74295c6593266c2bebd30d74

SHA1
36c514e81645fa26e9a090a555769220b430553a

SHA256
962388dea3c443df52814fd9813ca2d53cc6e02ccb0a050fc5d6a604d22f52bf

SHA512
cccce9222ef906d65318ed8c7aade5aaf88a490754befe47585044c739f4cdc740e0f68063311d8c459cb122cd4cebd083e5f63358da8a5643e2fbaa1b5671c8

Download Submit
\Users\Admin\AppData\Local\Temp\nsjCE2A.tmp\aminsis.dll
Filesize
99KB

MD5
7c563d580804bc0f6c400ff278bceb18

SHA1
3291122597ac536847bf2ec60f3dbce89ec3b19c

SHA256
323744dd6b3dc84c79b58aeaf97302805818f64d7b34b70425351e1e127dd276

SHA512
f1088c36054b8f0daaf4aed0f0c85f3cff52e3a1a172424dd710ee590f6d708aa2a42b9ba03fc92ff7b92a48be9a35a9f7fccb2c4c394619f808627295a0e9f4

Download Submit
memory/856-60-0x0000000000000000-mapping.dmp

Download
memory/964-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1528-56-0x0000000000000000-mapping.dmp

Download

pid	process
964	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
1528	regsvr32.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads