f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb

Analysis

max time kernel
116s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb.exe
Size

263KB
MD5

8301ec0ef0b36327289bd855ab2e7840
SHA1

4ea0ef110e7cd3667382fca86e92452617632d11
SHA256

f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb
SHA512

8d761df0c9c272bd22e6aec57f823c355f9e97692910abaf4a375abe035327e00b67a8517d8d6dd5489242e4291006b8f384d98493bf1ea492be7f6dc06a69e5
SSDEEP

6144:Jea9j1ehBossxwU9pmbXivsOqDytTUr8wOBfG8712x1TFDvggQ7miYoPA:JB8D7UWXCsZDgUrZf8QFDxQ7RPA

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3472	Regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C74CDF30-68C2-49B4-9918-EBD66B8D9FBF}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C74CDF30-68C2-49B4-9918-EBD66B8D9FBF}\	Regsvr32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aqme.ini	f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb.exe
File created	C:\Windows\SysWOW64\mqewfnlncnyvc.dll	f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\erttersbar.dll	f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mqewfnlncnyvc.TIEBHOCom\Clsid\ = "{C74CDF30-68C2-49B4-9918-EBD66B8D9FBF}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74CDF30-68C2-49B4-9918-EBD66B8D9FBF}\ProgID\ = "mqewfnlncnyvc.TIEBHOCom"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74CDF30-68C2-49B4-9918-EBD66B8D9FBF}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mqewfnlncnyvc.TIEBHOCom\Clsid	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74CDF30-68C2-49B4-9918-EBD66B8D9FBF}\InprocServer32\ = "C:\\Windows\\SysWow64\\mqewfnlncnyvc.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74CDF30-68C2-49B4-9918-EBD66B8D9FBF}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mqewfnlncnyvc.TIEBHOCom	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mqewfnlncnyvc.TIEBHOCom\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74CDF30-68C2-49B4-9918-EBD66B8D9FBF}\ProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74CDF30-68C2-49B4-9918-EBD66B8D9FBF}\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74CDF30-68C2-49B4-9918-EBD66B8D9FBF}\InprocServer32	Regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 3472	1060	f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb.exe	79
PID 1060 wrote to memory of 3472	1060	f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb.exe	79
PID 1060 wrote to memory of 3472	1060	f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb.exe	79

C:\Users\Admin\AppData\Local\Temp\f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb.exe
"C:\Users\Admin\AppData\Local\Temp\f39ea28e7b4e5185c591702662e235572f7961a672fb716260005f3263c280cb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe /s C:\Windows\system32\mqewfnlncnyvc.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mqewfnlncnyvc.dll

Filesize
572KB

MD5
3a51e4cdc547a07461543a7f70ef8443

SHA1
b2421ae21616d392764a4a093d49c8d0878be85a

SHA256
f94d802e7c370374104393482605baafef9a77e8c5e0c7960b0f6aeaf1537b81

SHA512
2b4769eca2f62f7f3d06300b9009e0bd5038fed75f4b8754a239fb07edefd2c7f922baea9b119bba145fa678bccb6a22f6b398b6b5fb2797fb5a6056a475d5da

Download Submit
C:\Windows\SysWOW64\mqewfnlncnyvc.dll

Filesize
572KB

MD5
3a51e4cdc547a07461543a7f70ef8443

SHA1
b2421ae21616d392764a4a093d49c8d0878be85a

SHA256
f94d802e7c370374104393482605baafef9a77e8c5e0c7960b0f6aeaf1537b81

SHA512
2b4769eca2f62f7f3d06300b9009e0bd5038fed75f4b8754a239fb07edefd2c7f922baea9b119bba145fa678bccb6a22f6b398b6b5fb2797fb5a6056a475d5da

Download Submit
memory/1060-132-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1060-136-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download