01baf1d8b42b779575cc89dd4600d488a1b70d4957329f47f97e9cee2b12d430

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

218c7421b6efda2d6fd250180c5b43b8.exe
Size

153KB
MD5

218c7421b6efda2d6fd250180c5b43b8
SHA1

094a3f9d1b4c3710c7ec5175f98fab8cc58c2ba1
SHA256

01baf1d8b42b779575cc89dd4600d488a1b70d4957329f47f97e9cee2b12d430
SHA512

37f7980165273c74f87c7e0d93b0dc215f76f338801d6963a7fec106ca3551d5f279cd5d1f16cdced57218610b050f58a54af8f01ada64602ebba11b862db446
SSDEEP

1536:p8nXOBSKn1kfZ0I58RVun1AZj7wPnNOJLMEJFtiL0wkej2qRyK6iiyHOLA59TA5g:fBnsZ0I58RVY1AgeXJA0Y2TthLA590u

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1816	rundll32.exe
1816	rundll32.exe
1816	rundll32.exe
1816	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a172dec3-ad16-43cd-8a6b-1c3442a7850d}\ = "3454720"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a172dec3-ad16-43cd-8a6b-1c3442a7850d}	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iifdaxxW.dll	218c7421b6efda2d6fd250180c5b43b8.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a172dec3-ad16-43cd-8a6b-1c3442a7850d}\InprocServer32\ = "C:\\Windows\\SysWow64\\iifdaxxW.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a172dec3-ad16-43cd-8a6b-1c3442a7850d}\InprocServer32\ThreadingModel = "free"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a172dec3-ad16-43cd-8a6b-1c3442a7850d}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a172dec3-ad16-43cd-8a6b-1c3442a7850d}\InprocServer32	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1816	2180	218c7421b6efda2d6fd250180c5b43b8.exe	28
PID 2180 wrote to memory of 1816	2180	218c7421b6efda2d6fd250180c5b43b8.exe	28
PID 2180 wrote to memory of 1816	2180	218c7421b6efda2d6fd250180c5b43b8.exe	28
PID 2180 wrote to memory of 1816	2180	218c7421b6efda2d6fd250180c5b43b8.exe	28
PID 2180 wrote to memory of 1816	2180	218c7421b6efda2d6fd250180c5b43b8.exe	28
PID 2180 wrote to memory of 1816	2180	218c7421b6efda2d6fd250180c5b43b8.exe	28
PID 2180 wrote to memory of 1816	2180	218c7421b6efda2d6fd250180c5b43b8.exe	28

C:\Users\Admin\AppData\Local\Temp\218c7421b6efda2d6fd250180c5b43b8.exe
"C:\Users\Admin\AppData\Local\Temp\218c7421b6efda2d6fd250180c5b43b8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Windows\system32\iifdaxxW.dll",a
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\iifdaxxW.dll

Filesize
111KB

MD5
59d489af4b36bf56e25a97b4105536d7

SHA1
cc4f684b10d2917f296475810112c3bed48c3b76

SHA256
22bb0a836570085a3389847aa55d0df5581fa32a9268137c9bf462042f7a5f91

SHA512
c6b0d6a6d825bcf9c325d86b84b3c824490bbd51e38e751bef149fef95f017029e7506ca9d4ee2c535a8bd1e88f8e736cf89871cc416eade74021708aed3c13c

Download Submit