b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b

Analysis

max time kernel
321s
max time network
345s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 06:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe
Size

2.0MB
MD5

898b3495d3c1c59271bc65446c6fd086
SHA1

feb7ad6ca92cbcb73fdaaf5d1a83bfeade76a12e
SHA256

b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b
SHA512

e5a176d540e850af8b01baaf6131d40d2b00c44978992ae8ebbdc2b592cd6bba4cd4373187db457a5ee052619bf1b42e5589e8f36f08eeebae4f8e12f46ac162
SSDEEP

49152:GIDi3FQMNkM8k1yNMO9y4FYUJhTvRG+DvtJ2:FD+O7w4DQ4q6hTvtvy

Score

8^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4640	ASSetup.exe
4184	mailhome.exe
4064	TheWorld_OEM_12.exe

Loads dropped DLL 3 IoCs

pid	Process
4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe
4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe
2388	Regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}	Regsvr32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll	ASSetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ime\SPTIPIMERS.ini	ASSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000022dee-137.dat	nsis_installer_1
behavioral2/files/0x0008000000022dee-137.dat	nsis_installer_2
behavioral2/files/0x0008000000022dee-138.dat	nsis_installer_1
behavioral2/files/0x0008000000022dee-138.dat	nsis_installer_2
behavioral2/files/0x0008000000022df6-140.dat	nsis_installer_1
behavioral2/files/0x0008000000022df6-140.dat	nsis_installer_2
behavioral2/files/0x0008000000022df6-142.dat	nsis_installer_1
behavioral2/files/0x0008000000022df6-142.dat	nsis_installer_2

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx\Clsid\ = "{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\ProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\ProgID\ = "fx678Toolbar.ShowBarEx"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx\Clsid	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\InprocServer32\ = "C:\\PROGRA~1\\FX678T~1\\FX678T~1.DLL"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\InprocServer32	Regsvr32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4640	4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe	80
PID 4560 wrote to memory of 4640	4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe	80
PID 4560 wrote to memory of 4640	4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe	80
PID 4560 wrote to memory of 4184	4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe	81
PID 4560 wrote to memory of 4184	4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe	81
PID 4560 wrote to memory of 4184	4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe	81
PID 4560 wrote to memory of 4064	4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe	82
PID 4560 wrote to memory of 4064	4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe	82
PID 4560 wrote to memory of 4064	4560	b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe	82
PID 4640 wrote to memory of 2388	4640	ASSetup.exe	85
PID 4640 wrote to memory of 2388	4640	ASSetup.exe	85
PID 4640 wrote to memory of 2388	4640	ASSetup.exe	85

C:\Users\Admin\AppData\Local\Temp\b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe
"C:\Users\Admin\AppData\Local\Temp\b982c620f911121e56892429ae7b318cb5497a16f84829df93532ef79711e40b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\ASSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\ASSetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\Regsvr32.exe
    Regsvr32.exe /s C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2388
- C:\Users\Admin\AppData\Local\Temp\mailhome.exe
  "C:\Users\Admin\AppData\Local\Temp\mailhome.exe"
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Users\Admin\AppData\Local\Temp\TheWorld_OEM_12.exe
  "C:\Users\Admin\AppData\Local\Temp\TheWorld_OEM_12.exe"
  2⤵
  - Executes dropped EXE
  PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll

Filesize
594KB

MD5
5302316ac7c0d99ee3d9ed5a10840d77

SHA1
2b9da391cd3758462404f707176b56d191cd5d47

SHA256
53494a614acca432bf78ac682f37f72a3700827f91351ff5b849b5497085cd25

SHA512
d4b54d8fe9b2f1beadf76c7c258a9fe54fb25e19d8c92305e18ee7c7605102fe67e91be3875c7cf9e836fcf61aa1d348b7ce6e58a984690ba5533303a164499e

Download Submit
C:\Program Files\fx678Toolbar\fx678Toolbar.dll

Filesize
594KB

MD5
5302316ac7c0d99ee3d9ed5a10840d77

SHA1
2b9da391cd3758462404f707176b56d191cd5d47

SHA256
53494a614acca432bf78ac682f37f72a3700827f91351ff5b849b5497085cd25

SHA512
d4b54d8fe9b2f1beadf76c7c258a9fe54fb25e19d8c92305e18ee7c7605102fe67e91be3875c7cf9e836fcf61aa1d348b7ce6e58a984690ba5533303a164499e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASSetup.exe

Filesize
1.0MB

MD5
e2bbbeab11a442dd9debaa59633b7ee8

SHA1
8b50b659a81e3341feaa8d65b65255e8c6d6b9da

SHA256
516e892abf2663ef70e9973d77141a2c29c1e7e4dabe5cb4626158b9c6cf086f

SHA512
72d261cead61cae4241bde00a469b27ad4cab84e6d611da0cefc9dfceca8f682a0a9d2479739d2d029e0aa506ec7d96ee57edfbd3cd5f70ba38383a8067690f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASSetup.exe

Filesize
1.0MB

MD5
e2bbbeab11a442dd9debaa59633b7ee8

SHA1
8b50b659a81e3341feaa8d65b65255e8c6d6b9da

SHA256
516e892abf2663ef70e9973d77141a2c29c1e7e4dabe5cb4626158b9c6cf086f

SHA512
72d261cead61cae4241bde00a469b27ad4cab84e6d611da0cefc9dfceca8f682a0a9d2479739d2d029e0aa506ec7d96ee57edfbd3cd5f70ba38383a8067690f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TheWorld_OEM_12.exe

Filesize
759KB

MD5
748f7baa7a435dc70986cfbff0a61d9e

SHA1
d7a2196fdb08a89dd275f99e8d009fa3ccf15315

SHA256
495dbdf0cb4a8f214bee7cd5c1c8b65a870ab2bc3707569e7cf310f1d5684dc2

SHA512
4c0b0f6f3548376b2955f824d1f44dbf2863aa04096b4ea7199bdc9d4acb6c59ceceb0bf4c6fd33469b3a1c828739fd02cf74f0f393256c7ab57477b5bd560a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TheWorld_OEM_12.exe

Filesize
759KB

MD5
748f7baa7a435dc70986cfbff0a61d9e

SHA1
d7a2196fdb08a89dd275f99e8d009fa3ccf15315

SHA256
495dbdf0cb4a8f214bee7cd5c1c8b65a870ab2bc3707569e7cf310f1d5684dc2

SHA512
4c0b0f6f3548376b2955f824d1f44dbf2863aa04096b4ea7199bdc9d4acb6c59ceceb0bf4c6fd33469b3a1c828739fd02cf74f0f393256c7ab57477b5bd560a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mailhome.exe

Filesize
765KB

MD5
7e30246aa6e39ad06fcd471f65cbd9e0

SHA1
6de1516336b44330aac3b1d14be39dd9e5673d77

SHA256
c9e9cf6a9f02b8f3dd2f7989e1bcd3c960df192319a775e03cb7f0cd4d267b77

SHA512
5c3d2c89bc5178789b8f3e556f7e950076329033e103ce96b9858c425651628ad83dbb672ad26aeb99e5e2a2b492b6f8b9b49afe52240e076f2e13b0c5de203a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mailhome.exe

Filesize
765KB

MD5
7e30246aa6e39ad06fcd471f65cbd9e0

SHA1
6de1516336b44330aac3b1d14be39dd9e5673d77

SHA256
c9e9cf6a9f02b8f3dd2f7989e1bcd3c960df192319a775e03cb7f0cd4d267b77

SHA512
5c3d2c89bc5178789b8f3e556f7e950076329033e103ce96b9858c425651628ad83dbb672ad26aeb99e5e2a2b492b6f8b9b49afe52240e076f2e13b0c5de203a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss55A9.tmp\System.dll

Filesize
9KB

MD5
afd989ef7eec6bf952bedfce541fe236

SHA1
5654b71c5b1089c2cec6381d8da5bd14a14e1a37

SHA256
5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

SHA512
f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss55A9.tmp\System.dll

Filesize
9KB

MD5
afd989ef7eec6bf952bedfce541fe236

SHA1
5654b71c5b1089c2cec6381d8da5bd14a14e1a37

SHA256
5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

SHA512
f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

Download Submit