02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0

General

Target

02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
Size

943KB
MD5

7d76846dc65ecfc757cc5f8ada1bd60d
SHA1

871bf291b91b32f1b3ffadfd7e2c95280310e451
SHA256

02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0
SHA512

66d738cfa72b1127c1ec9618977d5059fce7b514869f1de55831972fa2b3ccf3a0d4399ad8e7d7cecc222ae1a886a2ce6b7de80fd8b257c92c10513a2e339634

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

Loads dropped DLL 2 IoCs

Processes:

02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exeregsvr32.exe

pid process

2884 02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
3408 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 4 IoCs

Processes:

02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Windows\System32\GroupPolicy	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

Drops file in Program Files directory 22 IoCs

Processes:

02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

description	ioc	process
File created	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\install.rdf	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File created	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\ffMediaPlayerV1alpha98.js	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\ffMediaPlayerV1alpha98ffaction.js	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\overlay.xul	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\icons	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File created	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ch\MediaPlayerV1alpha98.crx	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ch\MediaPlayerV1alpha98.crx	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome.manifest	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File created	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\ffMediaPlayerV1alpha98ffaction.js	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File created	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\icons\Thumbs.db	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\icons\Thumbs.db	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\icons\default	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File created	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome.manifest	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\install.rdf	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File created	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\icons\default\MediaPlayerV1alpha98_32.png	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File created	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ie\MediaPlayerV1alpha98.dll	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\ffMediaPlayerV1alpha98.js	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File created	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\overlay.xul	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File opened for modification	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ff\chrome\content\icons\default\MediaPlayerV1alpha98_32.png	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
File created	C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\uninstall.exe	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Approved Extensions	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{779895b3-b59a-414a-b601-511346f3df80} = 51667a6c4c1d3b1ba3898c6dafe62c0bab091a5347b7939e	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

Modifies registry class 36 IoCs

Processes:

regsvr32.exe02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\TypeLib\ = "{8E14B861-3377-4571-842F-A37368840900}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E14B861-3377-4571-842F-A37368840900}\1.1\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}\TypeLib\ = "{8e14b861-3377-4571-842f-a37368840900}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E14B861-3377-4571-842F-A37368840900}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E14B861-3377-4571-842F-A37368840900}\1.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\ = "IMediaPlayerV1alpha98BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E14B861-3377-4571-842F-A37368840900}\1.1\ = "MediaPlayerV1alpha98Lib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E14B861-3377-4571-842F-A37368840900}\1.1\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E14B861-3377-4571-842F-A37368840900}\1.1\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}\Version\ = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E14B861-3377-4571-842F-A37368840900}\1.1\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\ = "IMediaPlayerV1alpha98BHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E14B861-3377-4571-842F-A37368840900}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaPlayerV1\\MediaPlayerV1alpha98\\ie\\MediaPlayerV1alpha98.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}\ = "Media Player"	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}\InprocServer32\ = "C:\\Program Files (x86)\\MediaPlayerV1\\MediaPlayerV1alpha98\\ie\\MediaPlayerV1alpha98.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E14B861-3377-4571-842F-A37368840900}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaPlayerV1\\MediaPlayerV1alpha98\\ie"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{779895b3-b59a-414a-b601-511346f3df80}\ = "MediaPlayerV1alpha98"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E14B861-3377-4571-842F-A37368840900}\1.1\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5856DC83-4425-4C01-8D4D-C567203E0FCA}\TypeLib\ = "{8E14B861-3377-4571-842F-A37368840900}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

pid	process
2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

description	pid	process	target process
PID 2884 wrote to memory of 3408	2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe	regsvr32.exe
PID 2884 wrote to memory of 3408	2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe	regsvr32.exe
PID 2884 wrote to memory of 3408	2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe	regsvr32.exe
PID 2884 wrote to memory of 4928	2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe	gpupdate.exe
PID 2884 wrote to memory of 4928	2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe	gpupdate.exe
PID 2884 wrote to memory of 4928	2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
"C:\Users\Admin\AppData\Local\Temp\02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ie\MediaPlayerV1alpha98.dll" /s
2⤵
- Loads dropped DLL
- Modifies registry class
PID:3408

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe" /force
2⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ie\MediaPlayerV1alpha98.dll
Filesize
85KB

MD5
fc2a328b618dd721e4df06af8ae16ab8

SHA1
1db4d50870e2984beb237168411555f406f499ba

SHA256
24c9b08dd5167ee96e75a94db3e09abdbb682af7e4c70256b5bbc3e5b91d7a6b

SHA512
94140c5f5424e128eb9ebc10433ae62459924c25e7499676f38689823a7acfe62a4b3069bb2c3a16daaaba53610f9e3c0b2d147584a6973b92bc4f41f8cd3029

Download Submit
C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ie\MediaPlayerV1alpha98.dll
Filesize
85KB

MD5
fc2a328b618dd721e4df06af8ae16ab8

SHA1
1db4d50870e2984beb237168411555f406f499ba

SHA256
24c9b08dd5167ee96e75a94db3e09abdbb682af7e4c70256b5bbc3e5b91d7a6b

SHA512
94140c5f5424e128eb9ebc10433ae62459924c25e7499676f38689823a7acfe62a4b3069bb2c3a16daaaba53610f9e3c0b2d147584a6973b92bc4f41f8cd3029

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscB4BF.tmp\aminsis.dll
Filesize
834KB

MD5
14ad04243334645f399639b028f21d17

SHA1
7368866dc95621a1407d2105d040da2cc9852ba9

SHA256
02d13f28df1314640474ee77cd202a2c0da8e1d609c614f8fdff4451f8ee63fa

SHA512
3859b6f6e7e46ba70fa0be24fd2ceadf3db746818f11a09109c7bb678ee4fc08824a0cf15c77df09c3b2bdc2a80067a98130660152f5ee61e4bd501ef5ed1728

Download Submit
memory/3408-131-0x0000000000000000-mapping.dmp

Download
memory/4928-134-0x0000000000000000-mapping.dmp

Download

pid	process
2884	02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
3408	regsvr32.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads