7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96

Analysis

max time kernel
244s
max time network
333s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 04:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Size

27KB
MD5

080f5013e526f380450ae819c22abf81
SHA1

80e85ed828ae0754cc27ac24c69de18f62d9f3f6
SHA256

7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96
SHA512

2129fdb93e9d42aba7b501c0159b523a463dfc35be4330e8c998abdef9b4d36fe30fcc8a2e35577797ce645c7459eb52f7f8ec0fba409b34c1ea53bf2f304ead
SSDEEP

384:KoRugNY1yLfQ4hFKX+q1Rrx2l6E3nZ0BRfeuAuqaVNkP13OVIGfn3bEuf:9XhQ/uqZ2l6E3n+/guqaHg9qnNf

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E246FAE-8420-11D9-870D-000C2917DE7F}	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2E246FAE-8420-11D9-870D-000C2917DE7F}\	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SYSTEM\Loader.dll	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\ = "Loader Class"	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\InprocServer32\ThreadingModel = "Apartment"	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\ProgID	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\ProgID\ = "Loader.LoaderObj.1"	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\TypeLib	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\TypeLib\ = "{FA5E664F-F78C-407A-AC4C-F8DC7FF394B9}"	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\VersionIndependentProgID\ = "Loader.LoaderObj"	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\InprocServer32	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\InprocServer32\ = "C:\\WINDOWS\\SYSTEM\\Loader.dll"	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\Programmable	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\Programmable\	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}\VersionIndependentProgID	7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe

C:\Users\Admin\AppData\Local\Temp\7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe
"C:\Users\Admin\AppData\Local\Temp\7dd6a41983390e1ea6988bdc89bc7937d9e9a41cba51d2e6ac1f0d3aedb04e96.exe"
1⤵
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies registry class
PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download