8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5

General

Target

8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe
Size

122KB
MD5

cfd22ac046396078452079aa17ab7be7
SHA1

d4749cde32bd7317862dba79c2740fc5d7b0fe11
SHA256

8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5
SHA512

661f74a444a521ce1a18866c8ef103c15de55aa03de3d979ad58c43f2145bc4eac7fc1a25aa3801d36d9b61ef39a4216b80bf1914deba3d829cd1977f25c3ce3
SSDEEP

3072:EmeDmBqskJXvmZzbuxUXW6iHTNnE/ympni42YJPx:E8ERt6ihnE/7F

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

736 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
736	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ = "AdPopup"	regsvr32.exe

Drops file in Program Files directory 2 IoCs

Processes:

8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\PushWare\Uninst.exe	8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe
File created	C:\Program Files (x86)\Common Files\PushWare\cpush.dll	8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MezcAdPopup.BYLogc\ = "CAdLogic Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\VersionIndependentProgID\ = "NewAdPopup.ToolbarDetector"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID\ = "MewBoioMediaPop.PopBoio"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID\ = "MewBoioMediaPop.PopBoio.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MezcAdPopup.BYLogc.1\ = "CAdLogic Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MezcAdPopup.BYLogc\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MezcAdPopup.BYLogc.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MewBoioMediaPop.PopBoio	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MezcAdPopup.BYLogc.1\CLSID\ = "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID\ = "NewAdPopup.ToolbarDetector.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID\ = "MezcAdPopup.BYLogc"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\ = "CToolbarDetector Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MewBoioMediaPop.PopBoio\CurVer\ = "MewBoioMediaPop.PopBoio.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CurVer\ = "NewAdPopup.ToolbarDetector.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\ = "NewAdPopup 1.0 Type Library"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe

description	pid	process	target process
PID 2028 wrote to memory of 736	2028	8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe	regsvr32.exe
PID 2028 wrote to memory of 736	2028	8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe	regsvr32.exe
PID 2028 wrote to memory of 736	2028	8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe	regsvr32.exe
PID 2028 wrote to memory of 736	2028	8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe	regsvr32.exe
PID 2028 wrote to memory of 736	2028	8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe	regsvr32.exe
PID 2028 wrote to memory of 736	2028	8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe	regsvr32.exe
PID 2028 wrote to memory of 736	2028	8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe
"C:\Users\Admin\AppData\Local\Temp\8b11b495598ce685b5cdee48839bb6737a90d819819e434af166b905bf0085b5.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\PushWare\cpush.dll"
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:736

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\PushWare\cpush.dll
Filesize
192KB

MD5
bfdbdf62c357e9b45d91472d256e9e90

SHA1
23e0a82afae565143bd4f09327f4c20c21076922

SHA256
557d603e74554d5ad7e32d198a7c529c8b3aeac3c90fbcb64a87bc6df5515241

SHA512
ccead0a144df2fcbdf3591344a2825d65ac005d03fd46cb48f05bd2ceddf873232a3073693e21db36c26cd6a83b146e027bf759b3eeb4e04666d5e8d302c95e1

Download Submit
\Program Files (x86)\Common Files\PushWare\cpush.dll
Filesize
192KB

MD5
bfdbdf62c357e9b45d91472d256e9e90

SHA1
23e0a82afae565143bd4f09327f4c20c21076922

SHA256
557d603e74554d5ad7e32d198a7c529c8b3aeac3c90fbcb64a87bc6df5515241

SHA512
ccead0a144df2fcbdf3591344a2825d65ac005d03fd46cb48f05bd2ceddf873232a3073693e21db36c26cd6a83b146e027bf759b3eeb4e04666d5e8d302c95e1

Download Submit
memory/736-55-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads