519016cc5870145ecaf1c8e667b2fec720f3ff7ae781e16c475c3eedd799de8c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46cb36ae4d38a4cac739d275fa0de663.exe
Size

69KB
MD5

46cb36ae4d38a4cac739d275fa0de663
SHA1

795510964aaee25eee25b6a42cdd8becb33f953e
SHA256

519016cc5870145ecaf1c8e667b2fec720f3ff7ae781e16c475c3eedd799de8c
SHA512

b6eedd25f0c0e52cf7f826a80841c7ad7509ef90c4e255e88a9b028604c1c12f66155f8422cdbf799afb54cd1bb91c4234c341867f7c3c48b204cc14d8eff5a3
SSDEEP

1536:g2nXNRCfuP68V5UzcbWcXBJPnNXs2b9ptx3mLBrhCxPqv/O3c9:gqXNqsK+1JvNXsc9In4Y/O3c9

Score

10^/10

adware evasion stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	46cb36ae4d38a4cac739d275fa0de663.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	46cb36ae4d38a4cac739d275fa0de663.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	46cb36ae4d38a4cac739d275fa0de663.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"	46cb36ae4d38a4cac739d275fa0de663.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{73364D99-1240-4dff-B11A-67E448373048}	46cb36ae4d38a4cac739d275fa0de663.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ipv6mons.dll	46cb36ae4d38a4cac739d275fa0de663.exe
File opened for modification	C:\Windows\SysWOW64\ipv6mons.dll	46cb36ae4d38a4cac739d275fa0de663.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32\Enable Browser Extensions = "yes"	46cb36ae4d38a4cac739d275fa0de663.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\{73364D99-1240-4dff-B11A-67E448373048}	46cb36ae4d38a4cac739d275fa0de663.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73364D99-1240-4dff-B11A-67E448373048}	46cb36ae4d38a4cac739d275fa0de663.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32	46cb36ae4d38a4cac739d275fa0de663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32\ = "C:\\Windows\\SysWow64\\ipv6mons.dll"	46cb36ae4d38a4cac739d275fa0de663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32\ThreadingModel = "apartment"	46cb36ae4d38a4cac739d275fa0de663.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4468	46cb36ae4d38a4cac739d275fa0de663.exe

C:\Users\Admin\AppData\Local\Temp\46cb36ae4d38a4cac739d275fa0de663.exe
"C:\Users\Admin\AppData\Local\Temp\46cb36ae4d38a4cac739d275fa0de663.exe"
1⤵
- Modifies firewall policy service
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4468-3-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads