0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728

General

Target

0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe
Size

280KB
MD5

12dd15c9f7cfb47a66b1dac85538a1c8
SHA1

90632644dce5818b5a4c4e582a6ba58b0a713662
SHA256

0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728
SHA512

09f619b1e5b98355f59d2a9723786723cc92fd755e6804a3ef4f0f004042293f89f451d8964f2bbef001c825d88cf633552fb3fb4639702655131849bf46515b
SSDEEP

6144:SbRKBQFcxM2msySPRIX8lSr8dahmYqKPNYYrADbfETqU6Qmuk3P:EIuOxM4RIslSQdBKNJrA3flFuE

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

Drops file in Windows directory 1 IoCs

Processes:

0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

description ioc process

File opened for modification C:\Windows\swvw342.dll 0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

description	ioc	process
File opened for modification	C:\Windows\swvw342.dll	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

Modifies registry class 2 IoCs

Processes:

0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PerkyNews.clsPerkyNews	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PerkyNews.clsPerkyNews\Clsid	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

pid process

1456 0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

pid	process
1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.execmd.exe

description	pid	process	target process
PID 1456 wrote to memory of 1696	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	cmd.exe
PID 1456 wrote to memory of 1696	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	cmd.exe
PID 1456 wrote to memory of 1696	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	cmd.exe
PID 1456 wrote to memory of 1696	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	cmd.exe
PID 1696 wrote to memory of 624	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 624	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 624	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 624	1696	cmd.exe	reg.exe
PID 1456 wrote to memory of 1208	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	regsvr32.exe
PID 1456 wrote to memory of 1208	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	regsvr32.exe
PID 1456 wrote to memory of 1208	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	regsvr32.exe
PID 1456 wrote to memory of 1208	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	regsvr32.exe
PID 1456 wrote to memory of 1208	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	regsvr32.exe
PID 1456 wrote to memory of 1208	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	regsvr32.exe
PID 1456 wrote to memory of 1208	1456	0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe
"C:\Users\Admin\AppData\Local\Temp\0faa3ec8135ca39680f49453f9168e6306a8ee6c70d9a7d1def1a30108671728.exe"
1⤵
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADDHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System/v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADDHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System/v EnableLUA /t REG_DWORD /d 0 /f
3⤵
PID:624

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Windows\swvw342.dll
2⤵
PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\swvw342.dll
Filesize
5KB

MD5
d339494b72933d4a06af03ce3f8209bd

SHA1
35351ffae51a5f976711c8b333a110f1fabbc985

SHA256
9bac745f60d62d4cad6376740869da91755ed905f4b802112ff7962ae07c3e04

SHA512
45cb150955bdd48f709b692d8d823cf532f08b7048462c20d2f77a4881e1016108f471a9b5c8744de04ed70b4b05531b5c6f01f57b39a8044970b877abc199f7

Download Submit
memory/624-59-0x0000000000000000-mapping.dmp

Download
memory/1208-60-0x0000000000000000-mapping.dmp

Download
memory/1456-56-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1696-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads