a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f

General

Target

a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Size

132KB
MD5

1ed78fc38a21e92a182cce94a1c470ee
SHA1

98e18d7505e45c89cfb322b7f6300ca9ec623f33
SHA256

a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f
SHA512

6c8e4d31d6f0fb84298e1bbd58c15fe1f2f0940c31b7e283d05392cab8599d4df643dec282eaac4c05b75e65ce21ddde2ac5dceab0907a8c887981b022aa3544

Score

9^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\avicap3.dll	acprotect
C:\Windows\SysWOW64\avicap3.dll	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\avicap3.dll	upx
C:\Windows\SysWOW64\avicap3.dll	upx

Loads dropped DLL 2 IoCs

Processes:

a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe

pid	process
4532	a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
4532	a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 6 IoCs

Processes:

a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64ED182-6535-4B9B-80B8-7B2AE466CE60}\InprocServer32	a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64ED182-6535-4B9B-80B8-7B2AE466CE60}	a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64ED182-6535-4B9B-80B8-7B2AE466CE60}\InprocServer32\ = "C:\\Windows\\SysWow64\\avicap3.dll"	a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64ED182-6535-4B9B-80B8-7B2AE466CE60}\InprocServer32\ThreadingModel = "apartment"	a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe

pid	process
4532	a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
4532	a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe

C:\Users\Admin\AppData\Local\Temp\a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe
"C:\Users\Admin\AppData\Local\Temp\a1f29cd6c20034f92ccca24939d2aad5054c26ea89a42c88856469b1d6c6058f.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\avicap3.dll
Filesize
86KB

MD5
4df772463f5042b81d22087483e7ed34

SHA1
8ecabe637b2240c61fe30b2e2c2857831e956d1c

SHA256
207a2bffd792bd4f5075c80d4f5bb365db764c26d704d332acb06f44439d9e2f

SHA512
29c1354b39eb92517ae6431cbd7c7f9f636d29caf915aacf3f4083d1650541f40e2e62fab1104811781ec00987726f81ce4d1e23c9287e0a957e78cb3a6c9d1d

Download Submit
C:\Windows\SysWOW64\avicap3.dll
Filesize
86KB

MD5
4df772463f5042b81d22087483e7ed34

SHA1
8ecabe637b2240c61fe30b2e2c2857831e956d1c

SHA256
207a2bffd792bd4f5075c80d4f5bb365db764c26d704d332acb06f44439d9e2f

SHA512
29c1354b39eb92517ae6431cbd7c7f9f636d29caf915aacf3f4083d1650541f40e2e62fab1104811781ec00987726f81ce4d1e23c9287e0a957e78cb3a6c9d1d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads