d96d7a605332733be0fcbbc69574d9018c10de1fbb429270f28899dff8430836

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 10:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

166a8373323e862687504f95022337ba.exe
Size

128KB
MD5

166a8373323e862687504f95022337ba
SHA1

a9b3da14668d9015026227f14974af09ecf4cc4e
SHA256

d96d7a605332733be0fcbbc69574d9018c10de1fbb429270f28899dff8430836
SHA512

14659f5a27ffd2c3016b7a84a35b5fc1c76c1cd8720a424cec6646afe4d99b741da2437d0c9cceb3e0d4c01a9794d2a54cbed58ce08822e9780bde0a78efa7f0
SSDEEP

3072:EmeDmBqskJ8bX/v44oVHVA9VS6TpCyA5GFevgY8qlK:E8P/w4GHW9VS6TpCy8GFggUK

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1748	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\ = "AdPopup"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}	regsvr32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\PushWare\Uninst.exe	166a8373323e862687504f95022337ba.exe
File created	C:\Program Files (x86)\Common Files\PushWare\cpush.dll	166a8373323e862687504f95022337ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\ = "NewAdPopup 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ = "IToolbarDetector"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID\ = "NewAdPopup.ToolbarDetector.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ = "IAdLogic"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic\CurVer\ = "NexwAdPopup.AWLogic.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\ = "IPopupBlock"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID\ = "NewCosoMediumPop.PopCoso"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\VersionIndependentProgID\ = "NexwAdPopup.AWLogic"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector\CLSID\ = "{34A12A06-48C0-420D-8F11-73552EE9631A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID\ = "NewCosoMediumPop.PopCoso.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\PushWare\\cpush.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ = "CToolbarDetector Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\TypeLib\ = "{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\CLSID\ = "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic.1\ = "CAdLogic Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\ = "CPopupBlock Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewCosoMediumPop.PopCoso\CurVer\ = "NewCosoMediumPop.PopCoso.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NexwAdPopup.AWLogic.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11F09AFE-75AD-4E52-AB43-E09E9351CE17}\ProgID\ = "NexwAdPopup.AWLogic.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1\ = "CToolbarDetector Object"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1748	2032	166a8373323e862687504f95022337ba.exe	17
PID 2032 wrote to memory of 1748	2032	166a8373323e862687504f95022337ba.exe	17
PID 2032 wrote to memory of 1748	2032	166a8373323e862687504f95022337ba.exe	17
PID 2032 wrote to memory of 1748	2032	166a8373323e862687504f95022337ba.exe	17
PID 2032 wrote to memory of 1748	2032	166a8373323e862687504f95022337ba.exe	17
PID 2032 wrote to memory of 1748	2032	166a8373323e862687504f95022337ba.exe	17
PID 2032 wrote to memory of 1748	2032	166a8373323e862687504f95022337ba.exe	17

C:\Users\Admin\AppData\Local\Temp\166a8373323e862687504f95022337ba.exe
"C:\Users\Admin\AppData\Local\Temp\166a8373323e862687504f95022337ba.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\PushWare\cpush.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads