Analysis
- max time kernel: 33s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 22:17
Static task: static1
Behavioral task: behavioral1
- Sample: 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
- Resource: win10v2004-20220812-en
General
- Target: 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
- Size: 4.2MB
- MD5: cb3fe73c8b7a46e2cc3a32b66c3a4dcd
- SHA1: f4592c09d2168d3d1f20f84b192dcdc715fc8c18
- SHA256: 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7
- SHA512: c082552087fc58f0ffb832913e98dcef48165eef516f9e79459aaf2d55ff763ca3191e1056b66fd8e5ec5f81cdd9b61250c0c01862c521371451c1b82a46ee9e
- SSDEEP: 98304:ivv3jh4d44WDZK0GELFn5EnBmbGp4Qf+pnzG:ivv/FDBWB/+QmxG
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\QnmcXDlXQE2KBV.x64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\InprocServer32 | regsvr32.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
1696 | regsvr32.exe
1956 | regsvr32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{46d32954-2e52-4389-adc0-8140c0241508} | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46d32954-2e52-4389-adc0-8140c0241508} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46d32954-2e52-4389-adc0-8140c0241508}\ = "SmartOnes" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46d32954-2e52-4389-adc0-8140c0241508}\NoExplorer = "1" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46d32954-2e52-4389-adc0-8140c0241508} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{46d32954-2e52-4389-adc0-8140c0241508} | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{46d32954-2e52-4389-adc0-8140c0241508}\ = "SmartOnes" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{46d32954-2e52-4389-adc0-8140c0241508}\NoExplorer = "1" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
-
Drops file in Program Files directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.dll | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
File created | C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.tlb | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
File opened for modification | C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.tlb | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
File created | C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.dat | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
File opened for modification | C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.dat | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
File created | C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.x64.dll | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
File opened for modification | C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.x64.dll | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
File created | C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.dll | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
-
Modifies Internet Explorer settings 8 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{46d32954-2e52-4389-adc0-8140c0241508} | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key deleted | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{46D32954-2E52-4389-ADC0-8140C0241508} | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key deleted | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key deleted | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{46D32954-2E52-4389-ADC0-8140C0241508} | regsvr32.exe
Key deleted | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{46d32954-2e52-4389-adc0-8140c0241508} | regsvr32.exe
-
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "SmartOnes" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\. | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\ProgID | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{46d32954-2e52-4389-adc0-8140c0241508}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "SmartOnes" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\InprocServer32\ThreadingModel = "Apartment" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF} | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\ = "SmartOnes" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\QnmcXDlXQE2KBV.x64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{46d32954-2e52-4389-adc0-8140c0241508}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\InprocServer32 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "SmartOnes" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\ = "SmartOnes" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46D32954-2E52-4389-ADC0-8140C0241508}\Implemented Categories | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{46d32954-2e52-4389-adc0-8140c0241508}" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\VersionIndependentProgID\ | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{46d32954-2e52-4389-adc0-8140c0241508}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "SmartOnes" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\..9 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF} | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46d32954-2e52-4389-adc0-8140c0241508} | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46d32954-2e52-4389-adc0-8140c0241508}\VersionIndependentProgID\ | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Token: SeDebugPrivilege | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Token: SeDebugPrivilege | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Token: SeDebugPrivilege | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Token: SeDebugPrivilege | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Token: SeDebugPrivilege | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description | pid | process | target process
PID 1160 wrote to memory of 1696 | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe | regsvr32.exe
PID 1160 wrote to memory of 1696 | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe | regsvr32.exe
PID 1160 wrote to memory of 1696 | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe | regsvr32.exe
PID 1160 wrote to memory of 1696 | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe | regsvr32.exe
PID 1160 wrote to memory of 1696 | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe | regsvr32.exe
PID 1160 wrote to memory of 1696 | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe | regsvr32.exe
PID 1160 wrote to memory of 1696 | 1160 | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe | regsvr32.exe
PID 1696 wrote to memory of 1956 | 1696 | regsvr32.exe | regsvr32.exe
PID 1696 wrote to memory of 1956 | 1696 | regsvr32.exe | regsvr32.exe
PID 1696 wrote to memory of 1956 | 1696 | regsvr32.exe | regsvr32.exe
PID 1696 wrote to memory of 1956 | 1696 | regsvr32.exe | regsvr32.exe
PID 1696 wrote to memory of 1956 | 1696 | regsvr32.exe | regsvr32.exe
PID 1696 wrote to memory of 1956 | 1696 | regsvr32.exe | regsvr32.exe
PID 1696 wrote to memory of 1956 | 1696 | regsvr32.exe | regsvr32.exe
-
System policy modification 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{46d32954-2e52-4389-adc0-8140c0241508} = "1" | 9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9052224281f0841b0a2dc3c632d80dfc3dcc360cd2cab14858270b59a61943e7.exe"
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32.exe /s "C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.x64.dll"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe
      Command line: /s "C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.x64.dll"
      - Registers COM server for autorun
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies Internet Explorer settings
      - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.dat
Filesize: 3KB
MD5: 13b872d40d7a8f1dabfc2bf19db75e48
SHA1: 3e9e7b353de3ce85738cfb7f4b617acac9b78fa3
SHA256: 44f7bbc6183a9a9d46065f16deb750a4a538304b4511d73ceda63e45072e94a6
SHA512: e3345340f694dfb32be9e90199885e56d9a5c437da070bfd08ffa30abdd82ca0292c677fe992b0cbc5005f422fc76213ab6c6f92e04dc848122da46ccb5cc7cb
-
C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.tlb
Filesize: 3KB
MD5: 80b66ebf00d9d7c1904175c81cf3b1e1
SHA1: 25edfc73c30f45e1254ddec9bdc5854d0f5c3c1b
SHA256: 5691ef6a5460131e8fbebeed40d4f0fb81ff49e25a08d45df2178bb8d486672a
SHA512: 396db976a5a56df11be3f46e16908341b33be7b374c92674550a563885012c056b7213ab873745e98bf4681bf12882632260363c578105decda25a2d249fdb9d
-
C:\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.x64.dll
Filesize: 881KB
MD5: 8cb4c5980306da615fd3a3c0b7124d95
SHA1: 04c3ab5e547e3644e8627f9a548a56c112792499
SHA256: ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43
SHA512: 1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf
-
\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.dll
Filesize: 747KB
MD5: 075a34d90e4395f320b3266b2a6cc2c0
SHA1: c04c7386f13b45f5cc8424109d369e1e2427e5ec
SHA256: 82550996793875d5d60d0479968dd63ff127ac705aca610110bc3f6ca127e8dc
SHA512: 2618fb83c62bfd2ea6925d15417a86144d0133c1db3d6020b93ff6bac19adf47c1d31a10fcc31010e0fd6c2bd6f0a4537763715c57b74ad094ce8d6aedbf896a
-
\Program Files (x86)\SmartOnes\QnmcXDlXQE2KBV.x64.dll
Filesize: 881KB
MD5: 8cb4c5980306da615fd3a3c0b7124d95
SHA1: 04c3ab5e547e3644e8627f9a548a56c112792499
SHA256: ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43
SHA512: 1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf
-
memory/1160-54-0x0000000075A91000-0x0000000075A93000-memory.dmp
Filesize: 8KB
-
memory/1160-55-0x0000000002980000-0x0000000002A4E000-memory.dmp
Filesize: 824KB
-
memory/1696-61-0x0000000000000000-mapping.dmp
-
memory/1956-65-0x0000000000000000-mapping.dmp
-
memory/1956-66-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp
Filesize: 8KB