0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59

General

Target

0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe
Size

124KB
MD5

4a941c20ea45693c6ea35a1c255a2655
SHA1

0aa45e376192dcbdd9c4f377949f36f1a3ec1b18
SHA256

0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59
SHA512

014f15ddf87d8b3147c8eeb1f4abb793e688755dae0db95b25908b159ba1edf6d3a04af5509337f4d8485ba85ba494164017159309cade009337fb1d6073e83b

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2020 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
2020	regsvr32.exe

Drops file in Program Files directory 2 IoCs

Processes:

0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\PushWare\Uninst.exe	0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe
File created	C:\Program Files (x86)\Common Files\PushWare\cpush.dll	0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\ = "CPopupBlock Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\ = "NewAdPopup 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\CurVer\ = "NewCosoMediumPop.PopCoso.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NexyAdPopup.AYLogic	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NexyAdPopup.AYLogic\CLSID\ = "{11F09AFE-75AD-4E52-AB43-E09E9351CE17}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NexyAdPopup.AYLogic.1\ = "IELogic Helper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NexyAdPopup.AYLogic.1\CLSID\ = "{11F09AFE-75AD-4E52-AB43-E09E9351CE17}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NexyAdPopup.AYLogic.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NexyAdPopup.AYLogic\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NexyAdPopup.AYLogic\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\ = "IELogic Helper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NexyAdPopup.AYLogic.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso.1\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID\ = "NewCosoMediumPop.PopCoso.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\VersionIndependentProgID\ = "NexyAdPopup.AYLogic"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ = "IAdLogic"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ = "IAdLogic"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ = "CPopupBlock Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\ProgID\ = "NexyAdPopup.AYLogic.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe

description	pid	process	target process
PID 1648 wrote to memory of 2020	1648	0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe	regsvr32.exe
PID 1648 wrote to memory of 2020	1648	0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe	regsvr32.exe
PID 1648 wrote to memory of 2020	1648	0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe	regsvr32.exe
PID 1648 wrote to memory of 2020	1648	0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe	regsvr32.exe
PID 1648 wrote to memory of 2020	1648	0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe	regsvr32.exe
PID 1648 wrote to memory of 2020	1648	0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe	regsvr32.exe
PID 1648 wrote to memory of 2020	1648	0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe
"C:\Users\Admin\AppData\Local\Temp\0432c70314ff72c043ba26100ca4cdde73ab0835a1a603cb081927b78355df59.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\PushWare\cpush.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:2020

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\PushWare\cpush.dll
Filesize
196KB

MD5
fada4a6ec005be09b1f8e522dbb0523b

SHA1
656fae532b081d19d37141e151cef8a7d6886d3e

SHA256
6c99c5b631a1b494a6b8e14841bd2dd0992389da4a875106e19741831343bcf4

SHA512
cb18a6f287e5f1069071233f42f543e8cd86be760efcf60a217670b45de384127bbdf24a90b7cfbfb1ffda7b52980ba631b8a52f3aa057c7e563901f78f87249

Download Submit
\Program Files (x86)\Common Files\PushWare\cpush.dll
Filesize
196KB

MD5
fada4a6ec005be09b1f8e522dbb0523b

SHA1
656fae532b081d19d37141e151cef8a7d6886d3e

SHA256
6c99c5b631a1b494a6b8e14841bd2dd0992389da4a875106e19741831343bcf4

SHA512
cb18a6f287e5f1069071233f42f543e8cd86be760efcf60a217670b45de384127bbdf24a90b7cfbfb1ffda7b52980ba631b8a52f3aa057c7e563901f78f87249

Download Submit
memory/1648-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/2020-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads