Overview (score 8)

Static

Sample                  Platform              Score
Pubwin4全….exe          windows7-x64          8
Pubwin4全….exe          windows10-2004-x64    8
下载站注释.lnk           windows7-x64          3
下载站注释.lnk           windows10-2004-x64    3
宝窝下载站.url           windows7-x64          1
宝窝下载站.url           windows10-2004-x64    1
美女小游戏.url           windows7-x64          1
美女小游戏.url           windows10-2004-x64    1
说明.url                windows7-x64          1
说明.url                windows10-2004-x64    1
Analysis

Max time kernel:   91s
Max time network:  156s
Platform:          windows10-2004_x64
Resource:          win10v2004-20220901-en
Resource tags:     arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted:         27-11-2022 22:15
Static task
  static1

Behavioral tasks
  Task           Sample                         Resource
  behavioral1    Pubwin4全自动安装绿色版.exe      win7-20220812-en
  behavioral2    Pubwin4全自动安装绿色版.exe      win10v2004-20220901-en
  behavioral3    下载站注释.lnk                  win7-20221111-en
  behavioral4    下载站注释.lnk                  win10v2004-20221111-en
  behavioral5    宝窝下载站.url                  win7-20221111-en
  behavioral6    宝窝下载站.url                  win10v2004-20220812-en
  behavioral7    美女小游戏.url                  win7-20221111-en
  behavioral8    美女小游戏.url                  win10v2004-20221111-en
  behavioral9    说明.url                       win7-20220812-en
  behavioral10   说明.url                       win10v2004-20220812-en
General

Target:  Pubwin4全自动安装绿色版.exe
Size:    793KB
MD5:     55d3ef73d31e9272c88145d243b7ead5
SHA1:    ac9043c412533088c40e7eaf469147fd3fa06e01
SHA256:  754f661ea3553ad517f14376ceb6d668df2ae68957a0d9282aac6a777a04c078
SHA512:  06d4a2999b016636b73f0bc3713a56cf8ab94e479e8fc34a94c67ad4f7e8b44127afabe8dcf61a4f7fe87417db9bd2672cdc4a2ba3e3f285d90bfae5bf377aae
SSDEEP:  24576:v2O/GlibdEQN+ixzLusZiSSyw4vBRY0Lr20x/Qqa:L+Qlx/9ZhSyw2LY0LCy2
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
  PID    Process
  2772   d.exe
  1384   dll.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Description        IoC                                                                                                         Process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation        Pubwin4全自动安装绿色版.exe
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
  Description   IoC                                                                                                                                                    Process
  Key created   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}   regedit.exe
Drops file in System32 directory (13 IoCs)
  Description                   IoC                                                              Process
  File created                  C:\WINDOWS\SysWOW64\cvxdkeyb.vxd                                 dll.exe
  File opened for modification  C:\WINDOWS\SysWOW64\cvxdkeyb.vxd                                 dll.exe
  File created                  C:\WINDOWS\SysWOW64\IEHelper.dll                                 dll.exe
  File opened for modification  C:\WINDOWS\SysWOW64\IEHelper.dll                                 dll.exe
  File created                  C:\WINDOWS\SysWOW64\msdart32.dll                                 dll.exe
  File opened for modification  C:\WINDOWS\SysWOW64\Msvcrtd.dll                                  dll.exe
  File created                  C:\WINDOWS\SysWOW64\Msvcrtd.dll                                  dll.exe
  File created                  C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_240568109         dll.exe
  File created                  C:\WINDOWS\SysWOW64\RunD1l.exe                                   dll.exe
  File opened for modification  C:\WINDOWS\SysWOW64\RunD1l.exe                                   dll.exe
  File opened for modification  C:\WINDOWS\SysWOW64\msdart32.dll                                 dll.exe
  File created                  C:\WINDOWS\SysWOW64\msvcp60.1                                    dll.exe
  File opened for modification  C:\WINDOWS\SysWOW64\msvcp60.1                                    dll.exe
Drops file in Program Files directory (41 IoCs)
  Description                   IoC                                                                      Process
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\互联网\PageIcon.ico                       Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\link.exe                                Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft                                                Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\SndBmp.exe                              Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\办公\PageIcon.ico                        Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\pubwinfl.exe                            Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\pubwin.bat                              Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\游戏\PageIcon.ico                        Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\Pubwin4客户版.lnk                        Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\Pubwin4客户版.lnk                        Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\pubwin.dll                              Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\pubwin.dll                              Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\d.exe                                   Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\工具\PageIcon.ico                        Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\工具\PageIcon.ico                        Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\互联网                                   Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\__tmp_rar_sfx_access_check_240565734    Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\pubwinfl.exe                            Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\办公                                     Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\sfdsafdas.reg                           Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\办公\PageIcon.ico                        Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\工具                                     Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt                                         Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\Pubwin.exe                              Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\pubwin.vxd                              Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\dll.exe                                 Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\dll.exe                                 Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\RecLock.exe                             Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\SndBmp.exe                              Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\互联网\PageIcon.ico                       Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\游戏\PageIcon.ico                        Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\link.exe                                Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\sfdsafdas.reg                           Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\pubwin.bat                              Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\d.exe                                   Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\Uninst.isu                              Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\Uninst.isu                              Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\游戏                                     Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\Pubwin.exe                              Pubwin4全自动安装绿色版.exe
  File opened for modification  C:\Program Files\Hintsoft\Pubclt\pubwin.vxd                              Pubwin4全自动安装绿色版.exe
  File created                  C:\Program Files\Hintsoft\Pubclt\RecLock.exe                             Pubwin4全自动安装绿色版.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (37 IoCs)
  Description      IoC                                                                                                                                                     Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0                                                               regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ = "IEHlprObj Class"                                      regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID\ = "IEHlprObj.IEHlprObj.1"                         regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj                                                                                                regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer                                                                                         regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1"                                                              regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"   regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib\ = "{CE7C3CE2-4B15-11D1-ABED-709549C10000}"          regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR\ = "C:\\WINDOWS\\SysWow64\\"                            regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\Programmable                                              regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32                                      regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib\Version = "1.0"                               regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32\ = "C:\\WINDOWS\\SysWow64\\IEHelper.dll"                regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32\ = "C:\\WINDOWS\\SysWow64\\IEHelper.dll"   regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1                                                                                              regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID                                                                                        regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}                                                       regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"   regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32                                            regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID                                                    regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj"         regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class"                                                                           regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0                                                                 regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR                                                         regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}                                                           regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32\ThreadingModel = "Apartment"               regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID                                  regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{CE7C3CF0-4B15-11D1-ABED-709549C10000}"                                            regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib                                               regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}                                                                     regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS\ = "0"                                                    regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class"                                                                         regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid                                        regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\ = "IEHelper 1.0 Type Library"                                  regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32                                                         regedit.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS                                                           regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ = "IIEHlprObj"                                       regedit.exe
Runs .reg file with regedit (1 IoC)
  PID    Process
  3032   regedit.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID    Process                       procid_target
  PID 5036 wrote to memory of 4904  5036   Pubwin4全自动安装绿色版.exe     82
  PID 5036 wrote to memory of 4904  5036   Pubwin4全自动安装绿色版.exe     82
  PID 5036 wrote to memory of 4904  5036   Pubwin4全自动安装绿色版.exe     82
  PID 4904 wrote to memory of 3032  4904   cmd.exe                       85
  PID 4904 wrote to memory of 3032  4904   cmd.exe                       85
  PID 4904 wrote to memory of 3032  4904   cmd.exe                       85
  PID 4904 wrote to memory of 2772  4904   cmd.exe                       86
  PID 4904 wrote to memory of 2772  4904   cmd.exe                       86
  PID 4904 wrote to memory of 2772  4904   cmd.exe                       86
  PID 4904 wrote to memory of 1384  4904   cmd.exe                       87
  PID 4904 wrote to memory of 1384  4904   cmd.exe                       87
  PID 4904 wrote to memory of 1384  4904   cmd.exe                       87
Processes

C:\Users\Admin\AppData\Local\Temp\Pubwin4全自动安装绿色版.exe   (PID 5036)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Pubwin4全自动安装绿色版.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe   (PID 4904)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Hintsoft\Pubclt\pubwin.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regedit.exe   (PID 3032)
      Command line: regedit /s "C:\Program Files\Hintsoft\Pubclt\sfdsafdas.reg"
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      - Runs .reg file with regedit

    C:\Program Files\Hintsoft\Pubclt\d.exe   (PID 2772)
      Command line: "C:\Program Files\Hintsoft\Pubclt\d.exe"
      - Executes dropped EXE

    C:\Program Files\Hintsoft\Pubclt\dll.exe   (PID 1384)
      Command line: "C:\Program Files\Hintsoft\Pubclt\dll.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize  97KB
  MD5     a6d8f1b53a95af7fdac33b543479ddc5
  SHA1    ad016cb41804f0807203e6b2eaea1166fd80f8bf
  SHA256  7183ce200099edacab3466cf6491d9709b509ac780c7a0076e846ba0562addac
  SHA512  7bd7dc3d5e7405c108a6abda0ca613ad6302b406d9bc1ce45b8c2c8f14ffa12aba787ffa24fc91046068e23936cf1944637f86c34ba90b938c9a105a52fd50ec

Filesize  346KB
  MD5     462d38bc4a14a6a8623e243b12aa9e41
  SHA1    9e10da01a290ce51697664153692c2bcbefd0f39
  SHA256  ee15b2fa124ef38ae2d0bc9def1c56ad7942a348d7b56cd6c6295a7bb039f3ca
  SHA512  4af87dbe52cc1ddd8520fe475f3355db1c15dc9a48513bd1538b6ed8c3cee9ccf9241c5e70161ad6a0bb708c7e9c595268f183dd64b8b462e5c34a47e8b91bcf

Filesize  145B
  MD5     7ac158e3827531b6eae0c6ce0971fc95
  SHA1    497d0dd591a6aaf7ac20f985ac5caa93e8c8a9b6
  SHA256  9971221fd2ba0e7408e076807bcdbb0dd7361dd58883831bf05131920a0b1f02
  SHA512  a8a2e54340c968444645445eca91b75a3db9d5597cfa0c7bbb2f751f914703d627a8f1a625626e754f8e2887ffde98d0e907a54a68048799c88d1279ca10cf4c

Filesize  4KB
  MD5     59f156869799e564e44454df6a9d7eca
  SHA1    d3fbfdea91d5b9a11b9cc34482e31d9bb5884a55
  SHA256  38f1165790ef8b3aa6d628f3c529c83cfef71d56737fff81a08147f5bb30e2f7
  SHA512  52564955920fe0985b29afe7f7bcd0a79dc3335c51bcf252e6946fef6f4028fc5c838ffbefac982aa7d57f624f2634199906a0f9e03536a01c89c8fb63600149