fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81

General

Target

fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Size

265KB
MD5

01d42a360315f10cdc05ac9eb8c12e76
SHA1

c05035fb3010c9142c646adececa7e62a594d6e6
SHA256

fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81
SHA512

63dbecac6ce6e5f12f66a51b25f6b2a86c7047f86bd2965a2154120f8a62628d59c7932153ffdf51ac9bbda78bd017173571d9b51e67e59ac554b27daafac708
SSDEEP

6144:CHLTGLpvNW09sgbN6TIKLSglwYR5B8elcig7c:CuLplHas0IKLSgG0snr7

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
964	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msxml71.dll	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "XML Library"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "C:\\Windows\\SysWow64\\msxml71.dll"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{9233C3C0-1472-4091-A505-5580A23BB4AC}"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Windows\\SysWow64\\msxml71.dll"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1"	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
964	fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe

C:\Users\Admin\AppData\Local\Temp\fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe
"C:\Users\Admin\AppData\Local\Temp\fae53b8c4a70e9901b91631f20d2c6567e458689d1f26281d8061d14dfa02f81.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msxml71.dll

Filesize
237KB

MD5
fdebed0875e8ea77372b9703034eec15

SHA1
1ce22cb0ff6ef6a5f8507e57a7471472f0eae2db

SHA256
bbfadd1feb4ed9ba20a857d38f98bb8a14b4f6106637c2a3c2a68f36a15925c4

SHA512
647865cc46031ca249f1ca8fc36c70af5eeeaecadda9b4698d35f7b94721be7c55c86d24394c565d348e87e45eda8e1df33c4cde73183ba1252dfd4f1c360c8c

Download Submit
memory/964-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/964-55-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/964-57-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing