c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7

General

Target

c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Size

14KB
MD5

274ad61d4ec3c001871f72748d14a28e
SHA1

427fd975d3dfb3c6a25b0423a49b094b6c4a9a13
SHA256

c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7
SHA512

d128a39ec0af8da29380b5a57d04d06b14dfdd05ae64d89c591f569cae54b7de9872272269d17798a403bf68290baad8d4364de0520c4adbb9f04a8ea730eb4d
SSDEEP

384:fzNCtWp0gOIIO94gnTlvGtRqTvp8uZ4ZdqmifoL8EU/cY:fzcIxPnp6R+RpZWdqmyW8J/cY

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nvctrl.exe = "nvctrl.exe"	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe

Loads dropped DLL 2 IoCs

pid	Process
1476	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
1476	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22}	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22}\	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ncompat.tlb	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
File created	C:\Windows\SysWOW64\msvol.tlb	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
File created	C:\Windows\SysWOW64\hp740C.tmp	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
File opened for modification	C:\Windows\SysWOW64\ncompat.tlb	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Search	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\SearchUrl	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22}\ = "HomepageBHO"	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22}\InprocServer32	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22}\InprocServer32\ = "C:\\Windows\\SysWow64\\hp740C.tmp"	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22}\InprocServer32\ThreadingModel = "Apartment"	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22}\InprocServer32	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22}	c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe

C:\Users\Admin\AppData\Local\Temp\c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe
"C:\Users\Admin\AppData\Local\Temp\c6db2516cb2952d63e025fbb090ba4f2ed09200ba3441ed70d178ec332c53aa7.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hp740C.tmp

Filesize
9KB

MD5
931e1b24bb318fd8efae76109360f941

SHA1
1e34f6be01109ac62dca58a6ae31c89b66a75374

SHA256
485e9afdc54e443a2e98c70fd02128e031f8b351083973f89b6e65468161a9b5

SHA512
698532949a0051ff9bfba9c1fac1a1e0954752694742f4decbe90e47c1f878ad810f67e857f18864088f5a8cc1918428696820307540553919f78d648714acef

Download Submit
C:\Windows\SysWOW64\msvol.tlb

Filesize
5KB

MD5
8a39b4d99b10e3a75d2421588572ca13

SHA1
2de633e161a5023ee2dfea7eacb8fcc8b76735b7

SHA256
680274b4a83f8bbfeba8df2bdff253e1548a413b4079babe3ae236b95ae5b35b

SHA512
d4a131caf6db49a4ca7d261db18565f070524eb2e38a5d3dc4a2de19f6db301b4903044da424bc1172f81d572c47c6cb2b387228c84b611bc7fa9e127745517e

Download Submit
memory/1476-133-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads