024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6

General

Target

024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
Size

1000KB
MD5

425e54bd9569b5083e5db069b895ff43
SHA1

1d95ea09365ef6b4a95bf98e72e051b31f742cbe
SHA256

024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6
SHA512

45acfb6b7b125dbdb5af60c3206630286b726c23beb6d37d4f15612569fbd88243cae6068f9b9956624f0840d586aec53a783d402dcc433810c222c286351c6b

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exeregsvr32.exe

pid process

5088 024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
4880 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 22 IoCs

Processes:

024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\install.rdf	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\ffVideoPlayerV3beta5756ffaction.js	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File created	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\overlay.xul	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\icons	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File created	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ie\VideoPlayerV3beta5756.dll	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File created	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ch\VideoPlayerV3beta5756.crx	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File created	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\install.rdf	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\icons\default\VideoPlayerV3beta5756_32.png	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File created	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\ffVideoPlayerV3beta5756ffaction.js	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\overlay.xul	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\icons\Thumbs.db	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\icons\default	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File created	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\icons\default\VideoPlayerV3beta5756_32.png	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ch\VideoPlayerV3beta5756.crx	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome.manifest	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\ffVideoPlayerV3beta5756.js	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File created	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\uninstall.exe	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File created	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome.manifest	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File opened for modification	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File created	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\ffVideoPlayerV3beta5756.js	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
File created	C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ff\chrome\content\icons\Thumbs.db	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Approved Extensions	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{88c52b52-b8f7-48ff-b353-232df37a0ab9} = 51667a6c4c1d3b1b4237d192c2eb9902ae5b686df23e46a7	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe

Modifies registry class 36 IoCs

Processes:

regsvr32.exe024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9A4E4EE-91C5-491C-909C-18693B586D8D}\1.1\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9A4E4EE-91C5-491C-909C-18693B586D8D}\1.1\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\ = "IVideoPlayerV3beta5756BHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\TypeLib\ = "{F9A4E4EE-91C5-491C-909C-18693B586D8D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}\Version\ = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9A4E4EE-91C5-491C-909C-18693B586D8D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}\ = "VideoPlayerV3beta5756"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9A4E4EE-91C5-491C-909C-18693B586D8D}\1.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9A4E4EE-91C5-491C-909C-18693B586D8D}\1.1\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9A4E4EE-91C5-491C-909C-18693B586D8D}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\VideoPlayerV3\\VideoPlayerV3beta5756\\ie"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}\ = "Video Player"	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}\InprocServer32\ = "C:\\Program Files (x86)\\VideoPlayerV3\\VideoPlayerV3beta5756\\ie\\VideoPlayerV3beta5756.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}\TypeLib\ = "{f9a4e4ee-91c5-491c-909c-18693b586d8d}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9A4E4EE-91C5-491C-909C-18693B586D8D}\1.1\ = "VideoPlayerV3beta5756Lib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9A4E4EE-91C5-491C-909C-18693B586D8D}\1.1\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\ = "IVideoPlayerV3beta5756BHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\TypeLib\ = "{F9A4E4EE-91C5-491C-909C-18693B586D8D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9A4E4EE-91C5-491C-909C-18693B586D8D}\1.1\0\win32\ = "C:\\Program Files (x86)\\VideoPlayerV3\\VideoPlayerV3beta5756\\ie\\VideoPlayerV3beta5756.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88c52b52-b8f7-48ff-b353-232df37a0ab9}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9A4E4EE-91C5-491C-909C-18693B586D8D}\1.1\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1B1338D-2C75-4A94-A17B-5744F2B0FF58}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe

pid	process
5088	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
5088	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
5088	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
5088	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
5088	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
5088	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe

description	pid	process	target process
PID 5088 wrote to memory of 4880	5088	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe	regsvr32.exe
PID 5088 wrote to memory of 4880	5088	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe	regsvr32.exe
PID 5088 wrote to memory of 4880	5088	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
"C:\Users\Admin\AppData\Local\Temp\024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ie\VideoPlayerV3beta5756.dll" /s
2⤵
- Loads dropped DLL
- Modifies registry class
PID:4880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ie\VideoPlayerV3beta5756.dll
Filesize
85KB

MD5
da60dccb0d31520366cf00377174f678

SHA1
1e395db131f3ef4aec99fadf1a3363a2205b6028

SHA256
01cdd6df65348a5d7ade83e79b5c5a86912eadcb8bca33754732fb79d5d16a88

SHA512
b77e1d004d2c49257da1cf54da6a20ec75068eed13458ca9077ec8ff1c01f843f0aab2942bb6dc39c20df6c0f9f84df1aa0983c169b0425e8f1ec105afd336a8

Download Submit
C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta5756\ie\VideoPlayerV3beta5756.dll
Filesize
85KB

MD5
da60dccb0d31520366cf00377174f678

SHA1
1e395db131f3ef4aec99fadf1a3363a2205b6028

SHA256
01cdd6df65348a5d7ade83e79b5c5a86912eadcb8bca33754732fb79d5d16a88

SHA512
b77e1d004d2c49257da1cf54da6a20ec75068eed13458ca9077ec8ff1c01f843f0aab2942bb6dc39c20df6c0f9f84df1aa0983c169b0425e8f1ec105afd336a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrE6AC.tmp\aminsis.dll
Filesize
822KB

MD5
678a22e736f3bfa0d74ae2b1133a4c77

SHA1
964bbaf745a2b82bc23de0879b221bf6551b7283

SHA256
c5799cbab76464874e857fbd16600c4b33298d809f4ef27a07b21f8724614f14

SHA512
058fa4ee5272623fcc9267958ad6d7befeb74efa079b8fa8e461830ec05b96ed933014360eac5ab61eff890b8ec1ea268d8b2781999515ed27ba0333751baa4a

Download Submit
memory/4880-131-0x0000000000000000-mapping.dmp

Download

pid	process
5088	024d8f1ad5dce7c7d6b23adad0a7a69dbb2efb046b1ee9ec0510551557a8f6e6.exe
4880	regsvr32.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads