5102bc5666b56237ff9471870a10562cc7b51e0bd5199af304d03aae08ffc88f

Analysis

max time kernel
91s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 07:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5102bc5666b56237ff9471870a10562cc7b51e0bd5199af304d03aae08ffc88f.dll
Size

168KB
MD5

9dfde919f10b586067b83b0bc9e7919d
SHA1

6530468d608e4a2193f3d51db1b57bf4edf0d357
SHA256

5102bc5666b56237ff9471870a10562cc7b51e0bd5199af304d03aae08ffc88f
SHA512

0cd9056dd86c5f524e2aec2ffd3ecd78331bb362ca7ad96e9b960855aeedb8af9bb2d61264c7c902eb2ad9a4728559642d32f9d803ab51264d4b2f11ff74db24
SSDEEP

3072:zU56QNTz2RSGAj55pFoXg9PN0e2Hq8It7xQJ2KSGQ4AdGNlBc9H:o5tTzySGAj5bCwPpAhI9xOTScK

Score

8^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1760	regsvr32mgr.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56B38F40-4E70-11d4-A076-0080AD86BA2F}	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3388	1760	WerFault.exe	82

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebCGMHlprObj.WebCGMHlprObj.1\CLSID\ = "{56B38F40-4E70-11d4-A076-0080AD86BA2F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F}\ProgID\ = "WebCGMHlprObj.WebCGMHlprObj.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebCGMHlprObj.WebCGMHlprObj\CurVer\ = "WebCGMHlprObj.WebCGMHlprObj.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\TypeLib\ = "{56B38F41-4E70-11D4-A076-0080AD86BA2F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebCGMHlprObj.WebCGMHlprObj.1\ = "WebCGMHlprObj Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5102bc5666b56237ff9471870a10562cc7b51e0bd5199af304d03aae08ffc88f.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\ = "IWebCGMHlprObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebCGMHlprObj.WebCGMHlprObj.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F}\ = "WebCGMHlprObj Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F}\VersionIndependentProgID\ = "WebCGMHlprObj.WebCGMHlprObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebCGMHlprObj.WebCGMHlprObj	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebCGMHlprObj.WebCGMHlprObj\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\ = "IWebCGMHlprObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebCGMHlprObj.WebCGMHlprObj.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebCGMHlprObj.WebCGMHlprObj\ = "WebCGMHlprObj Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5102bc5666b56237ff9471870a10562cc7b51e0bd5199af304d03aae08ffc88f.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}\TypeLib\ = "{56B38F41-4E70-11D4-A076-0080AD86BA2F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F}\1.0\ = "CGM Open BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F}	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3720	3488	regsvr32.exe	81
PID 3488 wrote to memory of 3720	3488	regsvr32.exe	81
PID 3488 wrote to memory of 3720	3488	regsvr32.exe	81
PID 3720 wrote to memory of 1760	3720	regsvr32.exe	82
PID 3720 wrote to memory of 1760	3720	regsvr32.exe	82
PID 3720 wrote to memory of 1760	3720	regsvr32.exe	82

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5102bc5666b56237ff9471870a10562cc7b51e0bd5199af304d03aae08ffc88f.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\5102bc5666b56237ff9471870a10562cc7b51e0bd5199af304d03aae08ffc88f.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:1760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 368
      4⤵
      Program crash
      PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1760 -ip 1760
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
73KB

MD5
1f7208d47a1a95e8fb2c73b178702366

SHA1
0a7e7dbac42b9bd20d0e615ad4cd0013ccefaaf4

SHA256
7b38de09421a2efc6a59b17e8ab75d281c7794429aac33dd9653d68ad6d705fd

SHA512
df56d5ab9ecaa7d0d3857589db0917e024eda9d4bec43d5d8bea84165a038e162330f65e5dd00ddfb7ed9b2d6f71e68a849677e911d07c5409597fd87c8ae16e

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
73KB

MD5
1f7208d47a1a95e8fb2c73b178702366

SHA1
0a7e7dbac42b9bd20d0e615ad4cd0013ccefaaf4

SHA256
7b38de09421a2efc6a59b17e8ab75d281c7794429aac33dd9653d68ad6d705fd

SHA512
df56d5ab9ecaa7d0d3857589db0917e024eda9d4bec43d5d8bea84165a038e162330f65e5dd00ddfb7ed9b2d6f71e68a849677e911d07c5409597fd87c8ae16e

Download Submit
memory/1760-136-0x0000000002170000-0x000000000222E000-memory.dmp

Filesize
760KB

Download