Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 21:04
Static task: static1
Behavioral task: behavioral1
- Sample: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe
- Resource: win10v2004-20220812-en
General
- Target: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe
- Size: 4.6MB
- MD5: 8acc0dc47b3516acad01ee8a25c865c5
- SHA1: cd77b9f79e224c8de0e50bd872dfae17c82983f1
- SHA256: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61
- SHA512: e02246623b9d4a6c17f901d1837feaa75b90a06c2b74917730d1a8ff1403ff98b02c2a7ce327c4df27fc0a304e32bc0f6841c4183b258f17cbfc865b0357507d
- SSDEEP: 49152:9heoGUjQAuwgnz0p+jGnLJBTC4+Gmr4/ewu+tETYlmOnhEOP0VijkZmyjdI78aOk:MGgop+jkP24pm2G+ETYLhjsVijk0CI
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs 4 IoCs
Processes: regsvr32.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DC34CD73-9A5F-2536-08F8-267F0728C70C}\InprocServer32 (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DC34CD73-9A5F-2536-08F8-267F0728C70C}\InprocServer32\ = "C:\\Program Files (x86)\\BoomCheap\\hBNfQv_rr.x64.dll" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DC34CD73-9A5F-2536-08F8-267F0728C70C}\InprocServer32\ThreadingModel = "Apartment" (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DC34CD73-9A5F-2536-08F8-267F0728C70C}\InprocServer32 (regsvr32.exe)
-
Loads dropped DLL 3 IoCs
Processes: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe, regsvr32.exe, regsvr32.exe
- PID 5108: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe
- PID 1216: regsvr32.exe
- PID 1992: regsvr32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe, regsvr32.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC34CD73-9A5F-2536-08F8-267F0728C70C} (a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC34CD73-9A5F-2536-08F8-267F0728C70C}\ = "BoomCheap" (a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC34CD73-9A5F-2536-08F8-267F0728C70C}\NoExplorer = "1" (a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC34CD73-9A5F-2536-08F8-267F0728C70C} (a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC34CD73-9A5F-2536-08F8-267F0728C70C} (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC34CD73-9A5F-2536-08F8-267F0728C70C}\ = "BoomCheap" (regsvr32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC34CD73-9A5F-2536-08F8-267F0728C70C}\NoExplorer = "1" (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC34CD73-9A5F-2536-08F8-267F0728C70C} (regsvr32.exe)
-
Drops file in Program Files directory 8 IoCs
Processes: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe
- File created: C:\Program Files (x86)\BoomCheap\hBNfQv_rr.dat
- File opened for modification: C:\Program Files (x86)\BoomCheap\hBNfQv_rr.dat
- File created: C:\Program Files (x86)\BoomCheap\hBNfQv_rr.x64.dll
- File opened for modification: C:\Program Files (x86)\BoomCheap\hBNfQv_rr.x64.dll
- File created: C:\Program Files (x86)\BoomCheap\hBNfQv_rr.dll
- File opened for modification: C:\Program Files (x86)\BoomCheap\hBNfQv_rr.dll
- File created: C:\Program Files (x86)\BoomCheap\hBNfQv_rr.tlb
- File opened for modification: C:\Program Files (x86)\BoomCheap\hBNfQv_rr.tlb
-
Modifies Internet Explorer settings
Processes: regsvr32.exe, a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe
- Key deleted: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{DC34CD73-9A5F-2536-08F8-267F0728C70C} (regsvr32.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{DC34CD73-9A5F-2536-08F8-267F0728C70C} (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration (a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{DC34CD73-9A5F-2536-08F8-267F0728C70C} (a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{DC34CD73-9A5F-2536-08F8-267F0728C70C} (a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration (a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe)
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe, regsvr32.exe
- PID 5108 wrote to memory of 1216: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe -> regsvr32.exe
- PID 5108 wrote to memory of 1216: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe -> regsvr32.exe
- PID 5108 wrote to memory of 1216: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe -> regsvr32.exe
- PID 1216 wrote to memory of 1992: regsvr32.exe -> regsvr32.exe
- PID 1216 wrote to memory of 1992: regsvr32.exe -> regsvr32.exe
-
System policy modification 1 TTPs 1 IoCs
Processes: a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DC34CD73-9A5F-2536-08F8-267F0728C70C} = "1" (a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8e3f00d79a4d822c0b948bb6ffd62dda26d0b3bd4516023375b0b066d2f6d61.exe"
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32.exe /s "C:\Program Files (x86)\BoomCheap\hBNfQv_rr.x64.dll"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe
      Command line: /s "C:\Program Files (x86)\BoomCheap\hBNfQv_rr.x64.dll"
      - Registers COM server for autorun
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies Internet Explorer settings
      - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\BoomCheap\hBNfQv_rr.dat
  Filesize: 4KB
  MD5: 92e6dd9ae88ca1504765cbfe7c88fac6
  SHA1: 4679a513622550b4e8ecd317524b0b87f350e1d6
  SHA256: e917625162898e1379f634d283113d5b91f61c18d3453b19c98dc3935f58148f
  SHA512: 14911630726da44af83938928cc0d6b78c3995cbf2e1f4db767c5df8a179fb16067797e7a95d310a2a060836f58d339c3d348c394ae251839e610c355d2a4f39
- C:\Program Files (x86)\BoomCheap\hBNfQv_rr.dll
  Filesize: 755KB
  MD5: 63e9398a76ae6e5d95d97108f792fc39
  SHA1: fc85020bf16dcf1961c01e9e27e9fea1b53991f3
  SHA256: 6751b1114b2be7585825a4cd412e98390f43dc981ac06eb326941cc4d2997ae2
  SHA512: e18f0e3b84cd1e54f32dc6764cb2cd635a74aafb67e38a6d6cb8e4146e000650f1c464a5fbe8dc0b2364f61bac4d47adaaa801c3efcad1b38c18736dd19990f0
- C:\Program Files (x86)\BoomCheap\hBNfQv_rr.tlb
  Filesize: 3KB
  MD5: bb4329f83ddf3322ca225aad6e22d888
  SHA1: affebe55d944adda34347a8246439dc2c0efb805
  SHA256: d70fbe4ee77d0e6d8199470997eedc1ddb8b94c665b14091718343fe15168305
  SHA512: 1d02eef9ba5937351d78c6fa04ba58fde26c3d7a77e234dc1283e7d9edb8942ab9b485b09429562b4288ef32da27f63ae647f36be3838dfcdb8b3bbe95827770
- C:\Program Files (x86)\BoomCheap\hBNfQv_rr.x64.dll
  Filesize: 891KB
  MD5: 628b7a7ac42e2ddf53e8256b34ba4cce
  SHA1: 4442437a22f6dd03aa22adf2654a55bfa70927d8
  SHA256: 1b54c342462c9badcff17c5c9c31dc209dbd5a400583e3c5296cca5cc3ffc9fe
  SHA512: f1d48cbbb076a0458ffb51fef15fb360902bedb29af166ca7beb57d5f107715f9f57ace67a396957f7e4dac6550974093bb05e5598e47a815cb0bde3a3fc47af
- memory/1216-138-0x0000000000000000-mapping.dmp
- memory/1992-141-0x0000000000000000-mapping.dmp
- memory/5108-132-0x0000000003CE0000-0x0000000003DAC000-memory.dmp
  Filesize: 816KB