Analysis
max time kernel: 123s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 27-05-2022 20:12
Static task: static1
Behavioral task: behavioral1
Sample: 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
Resource: win7-20220414-en
General
Target: 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
Size: 951KB
MD5: 7a75c57c59b4c420b1c00cd04f0d1b47
SHA1: 03aadda0e578fe79dcc2b8ada1184ada651b1072
SHA256: 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378
SHA512: dff90ca3cf57d84405707c3ea59a771d01da3b1a1db92dcf04f07923355b409595ca8cd5c178f6d25c6956a55a3790c5df9b930fafbb199c31af8f3e9af52e2d
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1928 | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
3520 | regsvr32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in Program Files directory 22 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\install.rdf | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\install.rdf | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\ffWebexpEnhancedV1alpha1670.js | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons\Thumbs.db | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons\Thumbs.db | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\ffWebexpEnhancedV1alpha1670.js | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\ffWebexpEnhancedV1alpha1670ffaction.js | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons\default\WebexpEnhancedV1alpha1670_32.png | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\uninstall.exe | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\ffWebexpEnhancedV1alpha1670ffaction.js | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\overlay.xul | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ie\WebexpEnhancedV1alpha1670.dll | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ch\WebexpEnhancedV1alpha1670.crx | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ch\WebexpEnhancedV1alpha1670.crx | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome.manifest | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome.manifest | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File created | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\overlay.xul | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons\default | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
File opened for modification | C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ff\chrome\content\icons\default\WebexpEnhancedV1alpha1670_32.png | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Approved Extensions | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534} = 51667a6c4c1d3b1bbaff059663182d00a8cda61d1200e92a | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
-
Modifies registry class 36 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\Version\ = "1.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\ = "WebexpEnhancedV1alpha1670Lib" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\FLAGS\ = "0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib\ = "{27C30EE1-333B-4815-8AEE-4C12B0FF1581}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib\Version = "1.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\WebexpEnhancedV1\\WebexpEnhancedV1alpha1670\\ie" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\0\win32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\InprocServer32\ = "C:\\Program Files (x86)\\WebexpEnhancedV1\\WebexpEnhancedV1alpha1670\\ie\\WebexpEnhancedV1alpha1670.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ = "IWebexpEnhancedV1alpha1670BHO" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534} | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\ = "WebexpEnhancedV1alpha1670" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\TypeLib\ = "{27c30ee1-333b-4815-8aee-4c12b0ff1581}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\Version | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1\0\win32\ = "C:\\Program Files (x86)\\WebexpEnhancedV1\\WebexpEnhancedV1alpha1670\\ie\\WebexpEnhancedV1alpha1670.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\ = "IWebexpEnhancedV1alpha1670BHO" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\ = "Webexp Enhanced" | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib\ = "{27C30EE1-333B-4815-8AEE-4C12B0FF1581}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c11e3aa-4b56-4a4b-b5c5-ed5d1344a534}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27C30EE1-333B-4815-8AEE-4C12B0FF1581}\1.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADA9D95B-8F7B-4607-820F-ECA516FFFBF8}\TypeLib\Version = "1.1" | regsvr32.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
1928 | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
1928 | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
1928 | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
1928 | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
1928 | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
1928 | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 1928 wrote to memory of 3520 | 1928 | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe | regsvr32.exe
PID 1928 wrote to memory of 3520 | 1928 | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe | regsvr32.exe
PID 1928 wrote to memory of 3520 | 1928 | 04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe | regsvr32.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04b7ee705566fc1d29ae3e4b4c1a3e2d2cf1856e1973140429c17ed8924ae378.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Level 2 (child of the process above): C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32 "C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ie\WebexpEnhancedV1alpha1670.dll" /s
- Loads dropped DLL
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\WebexpEnhancedV1\WebexpEnhancedV1alpha1670\ie\WebexpEnhancedV1alpha1670.dll
Filesize: 85KB
MD5: f0d3d087605a21a70aec3078318c7ab4
SHA1: 1f129d79bef6181109e30813e3ac67379802abd0
SHA256: 6c767b6600202e931bbd878ef3bf5951f8d077e3b1fd32246cb781234b61d661
SHA512: 8380cebb8c4cb06cc08e96ab34041487afbaf35a6eda6c8d486832f114cadcf557f61060ca2c8f650120c43364d64715eb973a2e61d0ed0cb5f89c7e5c45d14c
-
C:\Users\Admin\AppData\Local\Temp\nsjDE50.tmp\aminsis.dll
Filesize: 816KB
MD5: 9e572388e5ef693ffd6ac7a0a53aa5ab
SHA1: 8aec75a79c6ccc96d998a9f4ea68b20540eb3e0e
SHA256: bb12ecdbd2c8ec32ae5903b096815e160d8798d4c89dcd4b493dcb9be3b0d403
SHA512: 97fef04ca20cdf59869d8b0709d5216c07bcba455562f37a613293671946f1224d8ddc2e9fc7040c7c764391b2aeaa772e62e8c2cd7c566ed70060982efa3590
-
memory/3520-131-0x0000000000000000-mapping.dmp