86a9207a660578087882bb0b0c289e44177c870eaa7db39e744fdc777dc0c1c7

Analysis

max time kernel
187s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86a9207a660578087882bb0b0c289e44177c870eaa7db39e744fdc777dc0c1c7.dll
Size

768KB
MD5

548b208d1ac38287734b298944da6f2c
SHA1

cd6d83fc57c4496cd53018dd457b6df760d4f27b
SHA256

86a9207a660578087882bb0b0c289e44177c870eaa7db39e744fdc777dc0c1c7
SHA512

34c14ed3c5290df3751c0cd3b4a56c44bd3e82e85c83a1c5fa33c7c0bda9b9de5cd6acac7ecf1052bc68f559bc162a734f5468c4b07eaf0b89cc7915fdaf721a
SSDEEP

12288:6JP94MqFRmeMWt0m9SumMm6BOaMnLHtUXmMaffIEGpzK6FSkFvUFzq10GX+fOD5E:IBm0U0aSumBzEa45pzvj10GXDVE

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}	regsvr32.exe

Modifies registry class 5 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\86a9207a660578087882bb0b0c289e44177c870eaa7db39e744fdc777dc0c1c7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}\InprocServer32	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

regsvr32.exe

pid process

3192 regsvr32.exe

pid	process
3192	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3592 wrote to memory of 3192	3592	regsvr32.exe	regsvr32.exe
PID 3592 wrote to memory of 3192	3592	regsvr32.exe	regsvr32.exe
PID 3592 wrote to memory of 3192	3592	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\86a9207a660578087882bb0b0c289e44177c870eaa7db39e744fdc777dc0c1c7.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\86a9207a660578087882bb0b0c289e44177c870eaa7db39e744fdc777dc0c1c7.dll
2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3192-132-0x0000000000000000-mapping.dmp

Download
memory/3192-133-0x00000000021C0000-0x000000000233E000-memory.dmp

Filesize
1.5MB

Download
memory/3192-134-0x0000000002400000-0x000000000245A000-memory.dmp

Filesize
360KB

Download