5cbb7af1ab7f0d8de6026001ea504da34d5ab917eca99d3285eab59f67f3177f

Analysis

max time kernel
0s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49ca85dbd5095b14997e7a22c36ce5e1.exe
Size

245KB
MD5

49ca85dbd5095b14997e7a22c36ce5e1
SHA1

c2d98f85b0cb72173dc01cca1bce491ea572dfff
SHA256

5cbb7af1ab7f0d8de6026001ea504da34d5ab917eca99d3285eab59f67f3177f
SHA512

33203bc02aea4f3c48b08b4b758c14761e9b92c5a2949150950c070846a4a29eb9337d256bcbcbc46d3ab8cf3c8e80044572cbe14e5d97735bafc21919cc774a
SSDEEP

6144:h1OgDPdkBAFZWjadD4s55gL0WRPl5a1hRYpBuVnW:h1OgLdaOIFraG+nW

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2124	5073e05a4220a.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	5073e05a4220a.exe
2124	5073e05a4220a.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7623C192-C3FE-549D-0144-1571B1716396}	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7623C192-C3FE-549D-0144-1571B1716396}\ = "wxDownload"	5073e05a4220a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7623C192-C3FE-549D-0144-1571B1716396}\NoExplorer = "1"	5073e05a4220a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7623C192-C3FE-549D-0144-1571B1716396}	5073e05a4220a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023208-12.dat	nsis_installer_1
behavioral2/files/0x0007000000023208-12.dat	nsis_installer_2
behavioral2/files/0x000600000002322c-53.dat	nsis_installer_1
behavioral2/files/0x000600000002322c-53.dat	nsis_installer_2

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\ = "wxDownload Class"	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\ProgID	5073e05a4220a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\ProgID	5073e05a4220a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\VersionIndependentProgID	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5073e05a42243.ocx.5073e05a42243.ocx	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\VersionIndependentProgID\ = "5073e05a42243.ocx"	5073e05a4220a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\InprocServer32	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\wxDownload\\5073e05a42243.ocx"	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5073e05a42243.ocx.5073e05a42243.ocx.4\CLSID\ = "{7623C192-C3FE-549D-0144-1571B1716396}"	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5073e05a42243.ocx.5073e05a42243.ocx\ = "wxDownload"	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5073e05a42243.ocx.5073e05a42243.ocx\CLSID\ = "{7623C192-C3FE-549D-0144-1571B1716396}"	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\ProgID\ = "5073e05a42243.ocx.4"	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\InprocServer32	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5073e05a42243.ocx.5073e05a42243.ocx.4	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\Programmable	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5073e05a42243.ocx.5073e05a42243.ocx\CurVer\ = "5073e05a42243.ocx.4"	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\VersionIndependentProgID	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\InprocServer32\ = "C:\\ProgramData\\wxDownload\\5073e05a42243.ocx"	5073e05a4220a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\Programmable	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5073e05a42243.ocx.5073e05a42243.ocx\CLSID	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5073e05a42243.ocx.5073e05a42243.ocx.4\CLSID	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5073e05a42243.ocx.5073e05a42243.ocx\CurVer	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}\InprocServer32\ThreadingModel = "Apartment"	5073e05a4220a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7623C192-C3FE-549D-0144-1571B1716396}	5073e05a4220a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	5073e05a4220a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5073e05a42243.ocx.5073e05a42243.ocx.4\ = "wxDownload"	5073e05a4220a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2124	2484	49ca85dbd5095b14997e7a22c36ce5e1.exe	92
PID 2484 wrote to memory of 2124	2484	49ca85dbd5095b14997e7a22c36ce5e1.exe	92
PID 2484 wrote to memory of 2124	2484	49ca85dbd5095b14997e7a22c36ce5e1.exe	92

C:\Users\Admin\AppData\Local\Temp\49ca85dbd5095b14997e7a22c36ce5e1.exe
"C:\Users\Admin\AppData\Local\Temp\49ca85dbd5095b14997e7a22c36ce5e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\5073e05a4220a.exe
  .\5073e05a4220a.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDownload\5073e05a42243.ocx

Filesize
151KB

MD5
c78c6140cb88ef4dc94f999291bb5ab1

SHA1
65b47ed5ec889e0e558c79a13a81193fc59b8ce9

SHA256
6cfc7fb43715fb13c53ab2a29b68f3a0a0f285c85d1b1443f2c5e73526646851

SHA512
ac8865cb1bec889ba493cad3f4c4bac87bfb2fdb15c518626ffa5f8ac6799a6f5c84f358d3e7d35824d6aba29af46c1078acdf30c3bd93981be61312baf6bd26

Download Submit
C:\ProgramData\wxDownload\uninstall.exe

Filesize
48KB

MD5
a724dac649142fef71fe4b529684e969

SHA1
e2878e84886ec53a1332ad969a825062526b5cd4

SHA256
b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc

SHA512
9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\5073e05a4220a.exe

Filesize
65KB

MD5
4ccf1a317aa8539c857835e4ebe9c806

SHA1
223b73d09d7398f40aff3ccc569e66cae3886ee9

SHA256
4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242

SHA512
ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\5073e05a4227b.html

Filesize
4KB

MD5
a23c3c0f55c7572a14ed3c3d1767ac38

SHA1
cb169db17be884b2a51e6569accb70413826c500

SHA256
11f199c534034d7e94d95b21bb8adbff654880cdd2afdb231574c89e2ddbe16a

SHA512
db75ea1827e6461b3999d188e635c7d8e74b670a97f8cc889c3b37028819e7d516d821f0159e9ce105286e5b9b5acfb8c86b4f153ae0ad5b46335883656a2758

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\5073e05a422b4.js

Filesize
9B

MD5
99fa5d714d971a49b67de27e0d8871be

SHA1
d0621e846ea60fa8d0b2c8e622e495af49cd7359

SHA256
f560d76474380da948a0c5ab8682dc026822d9685268c592f315224b1b968bf6

SHA512
2fec19e4f2a974227922a7e057890141523ae73fbfa127f9e8cd00dff71b29abb93cb865c6d74ecf3df8bca440c558d4fbf2f80e82cc9636320ab5edb95ebad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D64.tmp\settings.ini

Filesize
753B

MD5
4526fe6d4925e4284dbc8fe2f077a4be

SHA1
65eee3a6a7c2bc875f22f2ddcc9124a002af7204

SHA256
10a59b99552d259a16e8e97e2cc20d75fc33fa8392d4c9da4acd27de71d586c8

SHA512
72e4d8cc38014a4bc6e59110883d5b3ee624afb80cc433c26c8ff5d512697e042570cc034e1a57289b8ae24635b2fb20f528736600713ff1783bc1ea4b464558

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4E11.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit