00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a

General

Target

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
Size

632KB
MD5

81969455d579798b16e46099bc1befe4
SHA1

51206957215717be58da7027c0509aab0d4fbaaa
SHA256

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a
SHA512

6f7be945b5be56c7e6474668f163a9f190eeeacd4fa0d8ade077dc765aabfde43bd3055bcbb46f86d7d3c7c05647f0bcdd572ab27a40558406288b1bc3e2a033

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exeregsvr32.exe

pid process

2868 00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
2236 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 22 IoCs

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

description	ioc	process
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\install.rdf	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\ffMediaViewV1alpha7632.js	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\overlay.xul	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\overlay.xul	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons\Thumbs.db	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ie\MediaViewV1alpha7632.dll	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ch\MediaViewV1alpha7632.crx	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome.manifest	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons\default\MediaViewV1alpha7632_32.png	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons\default	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\uninstall.exe	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\install.rdf	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\ffMediaViewV1alpha7632ffaction.js	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons\Thumbs.db	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome.manifest	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\ffMediaViewV1alpha7632ffaction.js	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File created	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ch\MediaViewV1alpha7632.crx	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\ffMediaViewV1alpha7632.js	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
File opened for modification	C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ff\chrome\content\icons\default\MediaViewV1alpha7632_32.png	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Approved Extensions	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

Modifies registry class 34 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaViewV1\\MediaViewV1alpha7632\\ie\\MediaViewV1alpha7632.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib\ = "{189BA7C6-40E2-4B11-AA13-638E2C7B1829}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib\ = "{189BA7C6-40E2-4B11-AA13-638E2C7B1829}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\InprocServer32\ = "C:\\Program Files (x86)\\MediaViewV1\\MediaViewV1alpha7632\\ie\\MediaViewV1alpha7632.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\TypeLib\ = "{189ba7c6-40e2-4b11-aa13-638e2c7b1829}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ = "IMediaViewV1alpha7632BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\Version\ = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ = "IMediaViewV1alpha7632BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\ = "MediaViewV1alpha7632"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaViewV1\\MediaViewV1alpha7632\\ie"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\ = "MediaViewV1alpha7632Lib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{189BA7C6-40E2-4B11-AA13-638E2C7B1829}\1.1\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D28ECA3E-E732-4A0D-91C8-D0FF4A2E9067}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d1d7e559-9e68-4132-8098-1052d891f55b}\InprocServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

pid	process
2868	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
2868	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
2868	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
2868	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
2868	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
2868	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe

description	pid	process	target process
PID 2868 wrote to memory of 2236	2868	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe	regsvr32.exe
PID 2868 wrote to memory of 2236	2868	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe	regsvr32.exe
PID 2868 wrote to memory of 2236	2868	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
"C:\Users\Admin\AppData\Local\Temp\00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ie\MediaViewV1alpha7632.dll" /s
2⤵
- Loads dropped DLL
- Modifies registry class
PID:2236

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe" /force
2⤵
PID:4472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ie\MediaViewV1alpha7632.dll
Filesize
85KB

MD5
e2143f6b74295c6593266c2bebd30d74

SHA1
36c514e81645fa26e9a090a555769220b430553a

SHA256
962388dea3c443df52814fd9813ca2d53cc6e02ccb0a050fc5d6a604d22f52bf

SHA512
cccce9222ef906d65318ed8c7aade5aaf88a490754befe47585044c739f4cdc740e0f68063311d8c459cb122cd4cebd083e5f63358da8a5643e2fbaa1b5671c8

Download Submit
C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha7632\ie\MediaViewV1alpha7632.dll
Filesize
51KB

MD5
10100a0851019b8b97fef2a370c62283

SHA1
ef1c7d8a6aac6bcc7d828c78523c23429733efde

SHA256
3d8d99d3f3464f6e0d3cba36794e74949e92b40b210ddf8518b1a0d90a502f37

SHA512
8d5bfcc679e37919d9172b41701ec15a210b2caf1eafd4fa1642d6f34d6cc33def53ea6e28a11f937dfa3215777be19dca51ce6ce89c494a1b889b4253a49095

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss345F.tmp\aminsis.dll
Filesize
93KB

MD5
eddef2902cbdde92b77507c18056f864

SHA1
86ce0d9df02aada77e943bcb91e2869325566fdd

SHA256
53071363bb0f58cdfc572279eb00a99ac9d6ee604dd9204fb5be5e129aca04d5

SHA512
610b9374ad0f8bbb99e76183ccbee9784c85f3eaa481b186f618e48662cbe69c1cb00882af8da04fec6d2a64f630e80604649a57f4bf1abf13dd251ba051bf5d

Download Submit
memory/2236-131-0x0000000000000000-mapping.dmp

Download
memory/4472-134-0x0000000000000000-mapping.dmp

Download

pid	process
2868	00d250402c1ffa84b7564e20fe10de9adb0611400cccbea1c689ebb759d77e5a.exe
2236	regsvr32.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads