36b37024d4f31a0877ec5db4047fdbdbc0869ee47761478c8cde9859b04b1b90

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

558f52b3ce97e3a6b4a161971fe96524.exe
Size

22KB
MD5

558f52b3ce97e3a6b4a161971fe96524
SHA1

8e0c1013e9ad7bb86aacb6d22bdbc64a0f64a88f
SHA256

36b37024d4f31a0877ec5db4047fdbdbc0869ee47761478c8cde9859b04b1b90
SHA512

9bb1dfc17c7cdd5f80df4ee41fb9cc5578d832b7f719e3eae07b2776accc4314b184688268f48a7b432c81a5d22959b87a0a71b73df2aa139a45c8ee49ee7b07
SSDEEP

384:2MaUcpSyBP0hpbSisLaeuTzMSW8No9A3pNbJdfS3flBJLQG6MEiOYDzkATvNSjYF:6vPoWhuT9W8y6pNbJgvlBd/6niOYDzVa

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	558f52b3ce97e3a6b4a161971fe96524.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cdpart.dll	558f52b3ce97e3a6b4a161971fe96524.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ProgID	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\InprocServer32	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Programmable	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Version	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\TypeLib	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\VersionIndependentProgID	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	558f52b3ce97e3a6b4a161971fe96524.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	558f52b3ce97e3a6b4a161971fe96524.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3596	558f52b3ce97e3a6b4a161971fe96524.exe
3596	558f52b3ce97e3a6b4a161971fe96524.exe
3596	558f52b3ce97e3a6b4a161971fe96524.exe
3596	558f52b3ce97e3a6b4a161971fe96524.exe
3596	558f52b3ce97e3a6b4a161971fe96524.exe
3596	558f52b3ce97e3a6b4a161971fe96524.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	558f52b3ce97e3a6b4a161971fe96524.exe
Token: SeDebugPrivilege	3596	558f52b3ce97e3a6b4a161971fe96524.exe
Token: SeDebugPrivilege	3596	558f52b3ce97e3a6b4a161971fe96524.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 624	3596	558f52b3ce97e3a6b4a161971fe96524.exe	87
PID 3596 wrote to memory of 624	3596	558f52b3ce97e3a6b4a161971fe96524.exe	87
PID 3596 wrote to memory of 624	3596	558f52b3ce97e3a6b4a161971fe96524.exe	87

C:\Users\Admin\AppData\Local\Temp\558f52b3ce97e3a6b4a161971fe96524.exe
"C:\Users\Admin\AppData\Local\Temp\558f52b3ce97e3a6b4a161971fe96524.exe"
1⤵
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads