bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7

Analysis

max time kernel
121s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 14:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe
Size

36KB
MD5

933b4213300a7a93c317954b09f4e17e
SHA1

2aa38c56e92a99345251f71cf470ef5f4938def9
SHA256

bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7
SHA512

5742c6f366e12b4a9c2f244b62709abaf2b8ebd8ed3b3334faba75fa4631257cf42bd4a514c3ff0f2e19dd6a0eeba70d8a677c471d166d1a4d9dd7091836a624
SSDEEP

768:GRcetMCMx3EY9KP5mP3KASn6kSEB3bNzIkLyrSG7Q:hicPEhmPn85NDLyrx7Q

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe

Loads dropped DLL 1 IoCs

pid	Process
4308	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\ = "testCPV6"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CPV\CPV7.dll.lzma	bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe
File created	C:\Program Files (x86)\CPV\CPV7.dll	bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\VersionIndependentProgID\ = "testCPV6.BHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FF46F4AB-A85F-487E-B399-3F191AC0FE23}\ = "testCPV6"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\testCPV6.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\testCPV6.BHO.1\ = "BHO Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\InprocServer32\ = "C:\\Program Files (x86)\\CPV\\CPV7.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CPV\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\ = "IBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\ = "IBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\testCPV6.BHO.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\ProgID\ = "testCPV6.BHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\testCPV6.BHO\CurVer\ = "testCPV6.BHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0\ = "testCPV6 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\testCPV6.DLL\AppID = "{FF46F4AB-A85F-487E-B399-3F191AC0FE23}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\testCPV6.BHO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FF46F4AB-A85F-487E-B399-3F191AC0FE23}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\AppID = "{FF46F4AB-A85F-487E-B399-3F191AC0FE23}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\testCPV6.BHO\CLSID\ = "{15421B84-3488-49A7-AD18-CBF84A3EFAF6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\testCPV6.BHO\ = "BHO Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\testCPV6.BHO\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\testCPV6.BHO\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\ = "BHO Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}\TypeLib\ = "{63334394-3DA3-4B29-A041-03535909D361}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63334394-3DA3-4B29-A041-03535909D361}\1.0\0\win32\ = "C:\\Program Files (x86)\\CPV\\CPV7.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\testCPV6.BHO.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\testCPV6.BHO.1\CLSID\ = "{15421B84-3488-49A7-AD18-CBF84A3EFAF6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\TypeLib\ = "{63334394-3DA3-4B29-A041-03535909D361}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\TypeLib\ = "{63334394-3DA3-4B29-A041-03535909D361}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E4A04A1-A24D-45AE-ACA4-949778400813}\TypeLib	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 4436	4104	bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe	82
PID 4104 wrote to memory of 4436	4104	bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe	82
PID 4104 wrote to memory of 4436	4104	bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe	82
PID 4104 wrote to memory of 4308	4104	bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe	83
PID 4104 wrote to memory of 4308	4104	bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe	83
PID 4104 wrote to memory of 4308	4104	bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe	83

C:\Users\Admin\AppData\Local\Temp\bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe
"C:\Users\Admin\AppData\Local\Temp\bd20a38cf4b3c160d6a9196600d5537985c615e365190da99d4f2ec6788e48f7.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /u /s CPV6.dll
  2⤵
  PID:4436
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s CPV7.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CPV\CPV7.dll

Filesize
50KB

MD5
58bb18142ea3738a44e2720224b3ed7a

SHA1
46bf897609e472bbdc61bda2a0a619c2019ea4c4

SHA256
3255bc73fdeb71c116514d34e89f1e1af8387f36f1c0413531b23b61a9193fcf

SHA512
10f32dbfd8664972ea1c493440a23d25cd1eca3910d93fa3c2764f69e0c2856f4307dda22c4f322c250844a1a0c43ddd3709e58dafba3d1e663b25d9b220a5f6

Download Submit
C:\Program Files (x86)\CPV\CPV7.dll

Filesize
50KB

MD5
58bb18142ea3738a44e2720224b3ed7a

SHA1
46bf897609e472bbdc61bda2a0a619c2019ea4c4

SHA256
3255bc73fdeb71c116514d34e89f1e1af8387f36f1c0413531b23b61a9193fcf

SHA512
10f32dbfd8664972ea1c493440a23d25cd1eca3910d93fa3c2764f69e0c2856f4307dda22c4f322c250844a1a0c43ddd3709e58dafba3d1e663b25d9b220a5f6

Download Submit