15d23abcefee7d1150ce075e553498a9d3a5063d635d504921aa44b0217cede5

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b2fe155ff43455b4ef8a37d1720f6bc.exe
Size

1.5MB
MD5

2b2fe155ff43455b4ef8a37d1720f6bc
SHA1

2dbf046d587361c26521ea472e2e3954bb608aad
SHA256

15d23abcefee7d1150ce075e553498a9d3a5063d635d504921aa44b0217cede5
SHA512

776c9867d70d3c4dde3b7126bd2881bd0f9453194b064594e50d0b2419a703fbbffe7aff2d6fc38b871356db90c28e68171d97cc59517c8512bf69db5374d299
SSDEEP

24576:IN2oRwe5tnI+yhS4vMhFX9XiQkapN3SmT8Q2yMDA5WPFZgoujK4R6M+pKGn:IN2oee5xIWb9yQ53BT37YZBGTRmpKGn

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2344	GfWt_QQUe6c.exe

Loads dropped DLL 4 IoCs

pid	Process
1700	2b2fe155ff43455b4ef8a37d1720f6bc.exe
2344	GfWt_QQUe6c.exe
2992	regsvr32.exe
2604	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\InprocServer32\ = "C:\\Program Files (x86)\\SearchNewTab\\Xve_EapkmO.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbpjhmngcibakhjjnldilnndkpllhmho\1.0\manifest.json	GfWt_QQUe6c.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\ = "SearchNewTab"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\ = "SearchNewTab"	GfWt_QQUe6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\NoExplorer = "1"	GfWt_QQUe6c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SearchNewTab\Xve_EapkmO.dll	GfWt_QQUe6c.exe
File opened for modification	C:\Program Files (x86)\SearchNewTab\Xve_EapkmO.dll	GfWt_QQUe6c.exe
File created	C:\Program Files (x86)\SearchNewTab\Xve_EapkmO.tlb	GfWt_QQUe6c.exe
File opened for modification	C:\Program Files (x86)\SearchNewTab\Xve_EapkmO.tlb	GfWt_QQUe6c.exe
File created	C:\Program Files (x86)\SearchNewTab\Xve_EapkmO.dat	GfWt_QQUe6c.exe
File opened for modification	C:\Program Files (x86)\SearchNewTab\Xve_EapkmO.dat	GfWt_QQUe6c.exe
File created	C:\Program Files (x86)\SearchNewTab\Xve_EapkmO.x64.dll	GfWt_QQUe6c.exe
File opened for modification	C:\Program Files (x86)\SearchNewTab\Xve_EapkmO.x64.dll	GfWt_QQUe6c.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	GfWt_QQUe6c.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	GfWt_QQUe6c.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}	GfWt_QQUe6c.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}	GfWt_QQUe6c.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\ProgID\ = "SearchNewTab.1.0"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	GfWt_QQUe6c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab\ = "SearchNewTab"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\InprocServer32	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab\CLSID\ = "{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab.1.0\ = "SearchNewTab"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\VersionIndependentProgID\ = "SearchNewTab"	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\SearchNewTab\\Xve_EapkmO.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab\CurVer\ = "SearchNewTab.1.0"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\InprocServer32\ThreadingModel = "Apartment"	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	GfWt_QQUe6c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab.1.0\CLSID	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\Programmable	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\InprocServer32\ = "C:\\Program Files (x86)\\SearchNewTab\\Xve_EapkmO.dll"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab.1.0\ = "SearchNewTab"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\ = "SearchNewTab"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\ProgID	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab.1.0	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	GfWt_QQUe6c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab\CurVer	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\ProgID	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SearchNewTab"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab.1.0\CLSID\ = "{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}"	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab\CLSID	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab\CLSID\ = "{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}"	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\VersionIndependentProgID	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SearchNewTab\\Xve_EapkmO.dll"	GfWt_QQUe6c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2}\Programmable	GfWt_QQUe6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	GfWt_QQUe6c.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2344	1700	2b2fe155ff43455b4ef8a37d1720f6bc.exe	28
PID 1700 wrote to memory of 2344	1700	2b2fe155ff43455b4ef8a37d1720f6bc.exe	28
PID 1700 wrote to memory of 2344	1700	2b2fe155ff43455b4ef8a37d1720f6bc.exe	28
PID 1700 wrote to memory of 2344	1700	2b2fe155ff43455b4ef8a37d1720f6bc.exe	28
PID 1700 wrote to memory of 2344	1700	2b2fe155ff43455b4ef8a37d1720f6bc.exe	28
PID 1700 wrote to memory of 2344	1700	2b2fe155ff43455b4ef8a37d1720f6bc.exe	28
PID 1700 wrote to memory of 2344	1700	2b2fe155ff43455b4ef8a37d1720f6bc.exe	28
PID 2344 wrote to memory of 2992	2344	GfWt_QQUe6c.exe	29
PID 2344 wrote to memory of 2992	2344	GfWt_QQUe6c.exe	29
PID 2344 wrote to memory of 2992	2344	GfWt_QQUe6c.exe	29
PID 2344 wrote to memory of 2992	2344	GfWt_QQUe6c.exe	29
PID 2344 wrote to memory of 2992	2344	GfWt_QQUe6c.exe	29
PID 2344 wrote to memory of 2992	2344	GfWt_QQUe6c.exe	29
PID 2344 wrote to memory of 2992	2344	GfWt_QQUe6c.exe	29
PID 2992 wrote to memory of 2604	2992	regsvr32.exe	30
PID 2992 wrote to memory of 2604	2992	regsvr32.exe	30
PID 2992 wrote to memory of 2604	2992	regsvr32.exe	30
PID 2992 wrote to memory of 2604	2992	regsvr32.exe	30
PID 2992 wrote to memory of 2604	2992	regsvr32.exe	30
PID 2992 wrote to memory of 2604	2992	regsvr32.exe	30
PID 2992 wrote to memory of 2604	2992	regsvr32.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	GfWt_QQUe6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{96276B6B-F132-DB9B-4AEA-C8FE1900ECC2} = "1"	GfWt_QQUe6c.exe

C:\Users\Admin\AppData\Local\Temp\2b2fe155ff43455b4ef8a37d1720f6bc.exe
"C:\Users\Admin\AppData\Local\Temp\2b2fe155ff43455b4ef8a37d1720f6bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\00294823\GfWt_QQUe6c.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/GfWt_QQUe6c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2344
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\SearchNewTab\Xve_EapkmO.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\SearchNewTab\Xve_EapkmO.x64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\GfWt_QQUe6c.dat

Filesize
3KB

MD5
03ff2dd4213abb57bb28e63f868c95d5

SHA1
5d744ef9414ce7609c96a12b8fe662e4e790d305

SHA256
4cc23d215c5eaa4301398a177b10c10b60230aa0fce675dbc146fea6a5ac4f17

SHA512
9c5d9249cf389e720a0af89fe3c72fb7f40a92674f0dbe2f51091774b2bdb2cb75aeb5fc098ea853d71f59e4102744b7d09f9bb8872a822cc4555d845d9a0863

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\Xve_EapkmO.dll

Filesize
416KB

MD5
b5e8219112f5de28e71487fd8c367b8f

SHA1
cc60f4497ee2328e43e89474c412d75a90be2e1b

SHA256
e23b94a809d4306dce3c0fb5a7dc76ad25e133cb74daa489629419ba1d849ebe

SHA512
d4dd2a41ab9c17125263824f3f4b5c6f3a5f8dc7c78adc298391a6a18b495a521388e2c8524c5050b7452df89d048a12b014e711fef7e4ed8b439d8959a7357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\Xve_EapkmO.tlb

Filesize
3KB

MD5
8d1f5f85eefb09e07c0f1357289b7251

SHA1
f9e39ac9d8e978d8fe834c527a6160eb58392e77

SHA256
2e46c45652d03653c407468ca871f4e910b4cec36af85853e2bd06f3fb7ad4ae

SHA512
df483e23bf19f90b07cf70d5e4bf7a26ece3bea39cc78b0dd652d179890000ec2c603841f5354e27676f60055094e13749ad6fc11dcf56aa8be32a8a7d916fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\Xve_EapkmO.x64.dll

Filesize
463KB

MD5
51869d78edfbeb04d0805522d9232518

SHA1
4c1a736dbf800b83580265a6c6ae2ebd13e0b3cc

SHA256
5b9f026657796490c626a88c1b7533fc23a1ee92b4bad819f4d0940e18d0c7ae

SHA512
9f99165b2c27df5f43131d857340aeb197d24b00a7176943c98f9b45bd7919e4ce002f68c9c1ed03424f42a1ce94ff3968b315cf9f6d2edfba708d86fc2c03fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\bbpjhmngcibakhjjnldilnndkpllhmho\background.html

Filesize
149B

MD5
1c4a4a605292435f6f90567d1ec7d14d

SHA1
a1039ac67205eee1e3c74e2c1b0274a80b3c1d6f

SHA256
d3009efe3326358da89d48e592e9956b264439c9c0ce061ded7a15ec79a288c4

SHA512
16b13eff613b12e69032dcbef78cbb28580d78f0f87d09d8e70f691de2c88b1341a8a489c182989d7b64a7d2e791d5db16c9c95d8dc8fead3f0078c00232d270

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\bbpjhmngcibakhjjnldilnndkpllhmho\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\bbpjhmngcibakhjjnldilnndkpllhmho\dpsCAOwUab49.js

Filesize
5KB

MD5
b560786d46883698194c3a7d2201ba7a

SHA1
558be16064812534afd705dc939facc01e80c708

SHA256
f67a13acea629892c1c15dc6f8c46af149ff2ee5d66bf7b2f076e61ee7445a90

SHA512
224e905fed42f713aed7db49cd75fc935bfdd5a40e73fcaa4965dea465cbab19326284b45e7283f44609927bfaf6a62cba4364ce5a023910872875e0cc3513c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\bbpjhmngcibakhjjnldilnndkpllhmho\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\bbpjhmngcibakhjjnldilnndkpllhmho\manifest.json

Filesize
554B

MD5
1442a9e536e94d6b50798ae27e8d2fce

SHA1
f060dd8cf1f7abaf6d1e4c3ef8110845d803a0ea

SHA256
d1652678db28a88503ed4a52d8e4fad2160af4a355c5b36738299f5b54294c2d

SHA512
aadced78ea820eb6ea8157f89da089f10a5f10b0f8b3cf43589acd14e0fc512fc3c338763ca3dbb1781073f094bfb2a9011b6f367a41f73675a63beda17e98c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\bbpjhmngcibakhjjnldilnndkpllhmho\newtab.html

Filesize
374B

MD5
9588354a04f3d90c9b8d12e14eb4dee9

SHA1
96fb04fce40b0023d99baca6a791369dd664a98b

SHA256
4c417cf2bc431ae250ca1dc949aea3011b301a351e5a9a8f33cafed11426febe

SHA512
b9d73779c8c7437111122e6c9bc6ecc9f32442ae33b1b337fb0f073f586ad7dcf2f5ea1585ecea2ff8bb93dde6ac551521b10a5123e27c764c331047954e021b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\bbpjhmngcibakhjjnldilnndkpllhmho\sqlite.js

Filesize
1KB

MD5
3c2f2379f989ebffc16c7177e65dbfd3

SHA1
f5875b3e64297a1469e0d8eaefb622c8aba878ac

SHA256
bc885518d6002782361542845ec5d64be8a9e7584aeaabd3e4ced3cab7321b18

SHA512
70193979c15100580dd10c0676e208f77c09e5ccd2b9dc04198cd8c9c2508494712694fbb960b65205333c7fe53c9196293748954643491eaaa41be0f467f3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

Filesize
114B

MD5
f4f64d09ddbc688c2a9d2338c8784385

SHA1
71f1fcb9dfc56207327215ac9614d82196c65a96

SHA256
46b1269a54eeb3455665f1fa71b2a625df3d061d3fcc802ee3c7afc987da9865

SHA512
b1f9211cc5acdac61eb845bdbc12b4aedd42280dbd1a4f6b5f5cf4f6373ac2dec5ebeb212540dc90a3c99cee656d58581ba1a59e69e6124d5d402d0f94b956ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

Filesize
9KB

MD5
b03a5d76900a6e88bddcf1e82b48e62d

SHA1
3fd6e680d9a0a0b83a4ebcc5980a1aad514268b4

SHA256
4e8d2958ae020658fecef5cff59fcda64848a89f56fe01b424facccc3ef929b5

SHA512
4a93b71e34646e2fe0a7340595c5fcca19a79520cf55a3f2f7ed0f0fb5f51456aac0b71e6d59508a7746238973bb1a54b9935f0e93907555b4d5449964913fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

Filesize
603B

MD5
b3b9d431673b08e019dc8d619061a31f

SHA1
8d298e57b63433a6412b0413445c6ced4d218493

SHA256
dc5e24a553eed22b5132af42305ff88101d86664717d2c63d948ceb12827f2f4

SHA512
3cf1a619972c7cd985e7c855ed57687f5a8e6989d0f8928f1dd72b5a83b417758a2bc09130e09168b0f096c213342ea571fd2112db2c3f226c5b2485fc8d9184

Download Submit
\Users\Admin\AppData\Local\Temp\00294823\GfWt_QQUe6c.exe

Filesize
482KB

MD5
2f21b030acc94619252a33d36dc2694c

SHA1
82c9801ec0d132500bc823defe9aaa1b8679d198

SHA256
bf0a543d607d8c4f6a64ceb3a09488cfd7631191eb2c6ff6db3532ff1d34a62b

SHA512
27cb565725965634f7ee0b50ec1502cc188273194c4960545d503e91891d59d842d7a1c3f4b3347d501dd2e5ee89af9b148be1c7fbc6df65488a675eb42e030f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads