04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378

General

Target

04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
Size

951KB
MD5

7a75c57c59b4c420b1c00cd04f0d1b47
SHA1

03aadda0e578fe79dcc2b8ada1184ada651b1072
SHA256

04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378
SHA512

dff90ca3cf57d84405707c3ea59a771d01da3b1a1db92dcf04f07923355b409595ca8cd5c178f6d25c6956a55a3790c5df9b930fafbb199c31af8f3e9af52e2d

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exeregsvr32.exe

pid process

1928 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
3520 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 22 IoCs

Processes:

04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe

description	ioc	process
File created	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\install.rdf	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\install.rdf	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\ffWebexpEnhancedV1alpha1670.js	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons\Thumbs.db	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons\Thumbs.db	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\ffWebexpEnhancedV1alpha1670.js	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\ffWebexpEnhancedV1alpha1670ffaction.js	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons\default\WebexpEnhancedV1alpha1670_32.png	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\uninstall.exe	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\ffWebexpEnhancedV1alpha1670ffaction.js	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\overlay.xul	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ie\WebexpEnhancedV1alpha1670.dll	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ch\WebexpEnhancedV1alpha1670.crx	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ch\WebexpEnhancedV1alpha1670.crx	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome.manifest	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome.manifest	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\overlay.xul	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons\default	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification	C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons\default\WebexpEnhancedV1alpha1670_32.png	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Approved Extensions	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534} = 51667a6c4c1d3b1bbaff059663182d00a8cda61d1200e92a	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe

Modifies registry class 36 IoCs

Processes:

regsvr32.exe04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\Version\ = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\ = "WebexpEnhancedV1alpha1670Lib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib\ = "{27C30EE1-333B-4815-8AEE-4C12B0FF1581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\WebexpEnhancedV1\\WebexpEnhancedV1alpha1670\\ie"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\InprocServer32\ = "C:\\Program Files (x86)\\WebexpEnhancedV1\\WebexpEnhancedV1alpha1670\\ie\\WebexpEnhancedV1alpha1670.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ = "IWebexpEnhancedV1alpha1670BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\ = "WebexpEnhancedV1alpha1670"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\TypeLib\ = "{27c30ee1-333b-4815-8aee-4c12b0ff1581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\0\win32\ = "C:\\Program Files (x86)\\WebexpEnhancedV1\\WebexpEnhancedV1alpha1670\\ie\\WebexpEnhancedV1alpha1670.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ = "IWebexpEnhancedV1alpha1670BHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\ = "Webexp Enhanced"	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib\ = "{27C30EE1-333B-4815-8AEE-4C12B0FF1581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib\Version = "1.1"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe

pid	process
1928	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
1928	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
1928	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
1928	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
1928	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
1928	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe

description	pid	process	target process
PID 1928 wrote to memory of 3520	1928	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe	regsvr32.exe
PID 1928 wrote to memory of 3520	1928	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe	regsvr32.exe
PID 1928 wrote to memory of 3520	1928	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
"C:\Users\Admin\AppData\Local\Temp\04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ie\WebexpEnhancedV1alpha1670.dll" /s
2⤵
- Loads dropped DLL
- Modifies registry class
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ie\WebexpEnhancedV1alpha1670.dll
Filesize
85KB

MD5
f0d3d087605a21a70aec3078318c7ab4

SHA1
1f129d79bef6181109e30813e3ac67379802abd0

SHA256
6c767b6600202e931bbd878ef3bf5951f8d077e3b1fd32246cb781234b61d661

SHA512
8380cebb8c4cb06cc08e96ab34041487afbaf35a6eda6c8d486832f114cadcf557f61060ca2c8f650120c43364d64715eb973a2e61d0ed0cb5f89c7e5c45d14c

Download Submit
C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ie\WebexpEnhancedV1alpha1670.dll
Filesize
85KB

MD5
f0d3d087605a21a70aec3078318c7ab4

SHA1
1f129d79bef6181109e30813e3ac67379802abd0

SHA256
6c767b6600202e931bbd878ef3bf5951f8d077e3b1fd32246cb781234b61d661

SHA512
8380cebb8c4cb06cc08e96ab34041487afbaf35a6eda6c8d486832f114cadcf557f61060ca2c8f650120c43364d64715eb973a2e61d0ed0cb5f89c7e5c45d14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDE50.tmp\aminsis.dll
Filesize
816KB

MD5
9e572388e5ef693ffd6ac7a0a53aa5ab

SHA1
8aec75a79c6ccc96d998a9f4ea68b20540eb3e0e

SHA256
bb12ecdbd2c8ec32ae5903b096815e160d8798d4c89dcd4b493dcb9be3b0d403

SHA512
97fef04ca20cdf59869d8b0709d5216c07bcba455562f37a613293671946f1224d8ddc2e9fc7040c7c764391b2aeaa772e62e8c2cd7c566ed70060982efa3590

Download Submit
memory/3520-131-0x0000000000000000-mapping.dmp

Download

pid	process
1928	04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
3520	regsvr32.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads