c926db383d7481891952b75a532b25f492f7f02c26cdecc9b46f5a13e3ae650d

General

Target

6440abdb529c401f5bda914359e76b12.exe
Size

160KB
MD5

6440abdb529c401f5bda914359e76b12
SHA1

c68b838ad422a33c129ebb5dc01f81d1b4b09ada
SHA256

c926db383d7481891952b75a532b25f492f7f02c26cdecc9b46f5a13e3ae650d
SHA512

a8c870067779f5a73b9c9c9c1533257df3a6cf4db6e79f1a5585ccb2e366248b234eb26c228ef04162fb0011f611ea63bec28f320a5d73768d2523c3ff66f56f
SSDEEP

3072:6NI5vxsI6b1zCzeTDmMSyi70ZywVea4yal1dBmLN/wo85uCSgF16PZN:6W5vx5UEenw70lVeZl1dBmLN4pnSgF4B

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2804	6440abdb529c401f5bda914359e76b12.exe
2804	6440abdb529c401f5bda914359e76b12.exe
2572	WerFault.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2804-8-0x0000000000270000-0x00000000002A8000-memory.dmp	upx
behavioral1/memory/2804-7-0x0000000000270000-0x00000000002A8000-memory.dmp	upx
behavioral1/memory/2804-14-0x0000000000270000-0x00000000002A8000-memory.dmp	upx
behavioral1/memory/2804-22-0x00000000002D0000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2804-23-0x00000000002D0000-0x00000000002EC000-memory.dmp	upx
behavioral1/memory/2804-42-0x00000000002D0000-0x00000000002EC000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{829BC664-C805-49A9-8FE6-52C47E40AB1C}	6440abdb529c401f5bda914359e76b12.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2572	2804	WerFault.exe	27

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{829BC664-C805-49A9-8FE6-52C47E40AB1C}\InprocServer32	6440abdb529c401f5bda914359e76b12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6440abdb529c401f5bda914359e76b12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6440abdb529c401f5bda914359e76b12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{829BC664-C805-49A9-8FE6-52C47E40AB1C}	6440abdb529c401f5bda914359e76b12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{829BC664-C805-49A9-8FE6-52C47E40AB1C}\InprocServer32\ = "C:\\Windows\\SysWow64\\at.dll"	6440abdb529c401f5bda914359e76b12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{829BC664-C805-49A9-8FE6-52C47E40AB1C}\InprocServer32\ThreadingModel = "apartment"	6440abdb529c401f5bda914359e76b12.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2804	6440abdb529c401f5bda914359e76b12.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2572	2804	6440abdb529c401f5bda914359e76b12.exe	29
PID 2804 wrote to memory of 2572	2804	6440abdb529c401f5bda914359e76b12.exe	29
PID 2804 wrote to memory of 2572	2804	6440abdb529c401f5bda914359e76b12.exe	29
PID 2804 wrote to memory of 2572	2804	6440abdb529c401f5bda914359e76b12.exe	29

C:\Users\Admin\AppData\Local\Temp\6440abdb529c401f5bda914359e76b12.exe
"C:\Users\Admin\AppData\Local\Temp\6440abdb529c401f5bda914359e76b12.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 216
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\at.dll

Filesize
92KB

MD5
e85b520e14dd58068e8e0b533bfe995a

SHA1
33afae7ee2d7e19bbf3a02f1dce7d3f6bc7eb690

SHA256
25299c86686a45b68f8cac7bee1cabef32c30f86120a6ef41ee177ee0d094891

SHA512
301326a172371e682b39ee0292baed2348509096a1def7c099ee38e8717e0e7ca4754cf376266f5de7a3e7da737109bb22c04e6eba30109fed1bacfd4f660cab

Download Submit
\Windows\SysWOW64\crtdl.dll

Filesize
51KB

MD5
16576a5be02d9e2a27afbd376b897102

SHA1
5fde6ee9d370ca9016b2f43aee2a4e79733cbe90

SHA256
7424fe4ea691fa16da8970e522c7b2d59ec70e6f6831763ce69cddb2e96a6fa4

SHA512
ec618d8e722e3f1509e9a9ef858659fae6a9e607ddf7a8b0c80f1096429c09fe1f47e93efd3d612a03907eb498402667f5d21458f105756552a609d3ed0f3a3a

Download Submit
\Windows\SysWOW64\crtdl.dll

Filesize
1KB

MD5
0dce4c2d761253d932c05f883cca5ada

SHA1
314ac8756a7d5af07feca77229a05f757f4ac0e0

SHA256
cfae1adc9c30da4a36011974bf78b689ed40b4dc59d75e66d7efc9e72fcf9ddd

SHA512
c7088eae327b4d95082c2ca7433c9638969047471d1d82ae0c8252556a05d51f3905433f428b9a643cc773a3a2c1693f1242477e5888befe7a3f0d426cf48b7a

Download Submit
memory/2804-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2804-6-0x0000000000230000-0x000000000026B000-memory.dmp

Filesize
236KB

Download
memory/2804-7-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2804-9-0x0000000000530000-0x000000000055E000-memory.dmp

Filesize
184KB

Download
memory/2804-10-0x0000000000230000-0x000000000026B000-memory.dmp

Filesize
236KB

Download
memory/2804-0-0x0000000000530000-0x000000000055E000-memory.dmp

Filesize
184KB

Download
memory/2804-14-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2804-8-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2804-21-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/2804-22-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2804-23-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2804-31-0x0000000002060000-0x0000000002170000-memory.dmp

Filesize
1.1MB

Download
memory/2804-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2804-38-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/2804-42-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing