bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a

Analysis

max time kernel
146s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 01:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe
Size

1.1MB
MD5

8846b0761255af29bd5fa2ed409c71ea
SHA1

eeb349c0f99c6348d2bb564ab4f68fc637af25fb
SHA256

bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a
SHA512

90a9e551dced717241695075bd4e12e1f84858583b100801041647d8794f7c2ddc2de4d2592d1673b85f0a430f939d4aaa5bc45b47798d7c2660f35aacfa5368
SSDEEP

24576:4hBlWCe04RvcOdMSsDxmYRtWGsa0leTiiqTJ:4hBLBWgmYRMQweT

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\Windows\\system32\\ctfmon_eo.exe"	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe

Loads dropped DLL 1 IoCs

pid	Process
5100	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87077A48-8831-3145-B111-D1C4542BDF04}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87077A48-8831-3145-B111-D1C4542BDF04}\IExplore = "1"	regsvr32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xwr61087.dll	bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe
File created	C:\Windows\SysWOW64\ctfmon_eo.exe	regsvr32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 448 set thread context of 5020	448	bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
540	5020	WerFault.exe	80

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\ = "IDOMPeek"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{87077A48-8831-3145-B111-D1C4542BDF04}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87077A48-8831-3145-B111-D1C4542BDF04}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87077A48-8831-3145-B111-D1C4542BDF04}\ProgID\ = "D.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87077A48-8831-3145-B111-D1C4542BDF04}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\ = "IDOMPeek"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr61087.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\TypeLib\ = "{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87077A48-8831-3145-B111-D1C4542BDF04}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87077A48-8831-3145-B111-D1C4542BDF04}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}\1.0\ = "LIB"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\TypeLib\ = "{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87077A48-8831-3145-B111-D1C4542BDF04}\VersionIndependentProgID\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87077A48-8831-3145-B111-D1C4542BDF04}\InprocServer32\ = "C:\\Windows\\SysWow64\\xwr61087.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87077A48-8831-3145-B111-D1C4542BDF04}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{453532DD-658C-3393-B252-8E36D6E94DC5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID\ = "{87077A48-8831-3145-B111-D1C4542BDF04}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87077A48-8831-3145-B111-D1C4542BDF04}\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEFD7B5F-BCF8-3190-AB4B-E6ECF0223628}\1.0\HELPDIR	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 5020	448	bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe	80
PID 448 wrote to memory of 5020	448	bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe	80
PID 448 wrote to memory of 5020	448	bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe	80
PID 448 wrote to memory of 5020	448	bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe	80
PID 448 wrote to memory of 5100	448	bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe	84
PID 448 wrote to memory of 5100	448	bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe	84
PID 448 wrote to memory of 5100	448	bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe	84

C:\Users\Admin\AppData\Local\Temp\bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe
"C:\Users\Admin\AppData\Local\Temp\bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe
  C:\Users\Admin\AppData\Local\Temp\bd4fe9e82e9bb499e8ebf119416cd2f57d6f94ecf2fd2b7fb02f28ba071c411a.exe
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 12
    3⤵
    - Program crash
    PID:540
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr61087.dll
  2⤵
  - Sets file execution options in registry
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5020 -ip 5020
1⤵
PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xwr61087.dll

Filesize
196KB

MD5
ae8d9f806941a55303375b03fa3ae77b

SHA1
5f83ad57d65ae8eb1acb8a74d0d7cc1dfa18b6ec

SHA256
c466b07cd702b18d05a0f85da15a89107b31b41a6f20044192010783ea5ed062

SHA512
0c78a5d45e5f2e498126fd9aacd9a064c31fd824ad28b438ea7de528326ed9153b1632239aeb44a61b7c8a573b12033b23500f32f370d379d357ab9596903c33

Download Submit
C:\Windows\SysWOW64\xwr61087.dll

Filesize
196KB

MD5
ae8d9f806941a55303375b03fa3ae77b

SHA1
5f83ad57d65ae8eb1acb8a74d0d7cc1dfa18b6ec

SHA256
c466b07cd702b18d05a0f85da15a89107b31b41a6f20044192010783ea5ed062

SHA512
0c78a5d45e5f2e498126fd9aacd9a064c31fd824ad28b438ea7de528326ed9153b1632239aeb44a61b7c8a573b12033b23500f32f370d379d357ab9596903c33

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads