51c3539744206c0d8966f552e10c59c7ffa8111d8c0b8e9632d14f9639365b29

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7da17447aa53664eb97d79f6d2e9b347.exe
Size

465KB
MD5

7da17447aa53664eb97d79f6d2e9b347
SHA1

cb5f9ae6c9171329d09116ff35da22ebc31834bf
SHA256

51c3539744206c0d8966f552e10c59c7ffa8111d8c0b8e9632d14f9639365b29
SHA512

b0fb6f7979158c01e46cc99954df86546d98328bbd5371d5edad9adf98559ba5a6b15f8a1e33250e14c6cf732445ff3e32cf87a1c1b0b52a1023043aed5f719f
SSDEEP

12288:w6CdhXRsu7SXAYuifOAq4TEaGixSQlnqGpgvf+35pYWefRLmAbPzNA:ShXRsumXAzAXEhixSgnqGpg3+M95lLzi

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	7da17447aa53664eb97d79f6d2e9b347.exe

Loads dropped DLL 20 IoCs

pid	Process
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe
1640	7da17447aa53664eb97d79f6d2e9b347.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7da17447aa53664eb97d79f6d2e9b347.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7da17447aa53664eb97d79f6d2e9b347.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\NoExplorer = "1"	7da17447aa53664eb97d79f6d2e9b347.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Playbryte\uninstall.exe	7da17447aa53664eb97d79f6d2e9b347.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	7da17447aa53664eb97d79f6d2e9b347.exe
File created	C:\Windows\assembly\Desktop.ini	7da17447aa53664eb97d79f6d2e9b347.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7da17447aa53664eb97d79f6d2e9b347.exe
File created	C:\Windows\assembly\tmp\AO1O6CBZ\SHDocVw.dll	7da17447aa53664eb97d79f6d2e9b347.exe
File opened for modification	C:\Windows\assembly\tmp\AO1O6CBZ\__AssemblyInfo__.ini	7da17447aa53664eb97d79f6d2e9b347.exe
File created	C:\Windows\assembly\GACLock.dat	7da17447aa53664eb97d79f6d2e9b347.exe
File created	C:\Windows\assembly\ngenlock.dat	7da17447aa53664eb97d79f6d2e9b347.exe
File created	C:\Windows\assembly\tmp\AD0TZJ4Y\AxSHDocVw.dll	7da17447aa53664eb97d79f6d2e9b347.exe
File opened for modification	C:\Windows\assembly\tmp\AD0TZJ4Y\__AssemblyInfo__.ini	7da17447aa53664eb97d79f6d2e9b347.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\ShowSearchSuggestions = "1"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\FaviconPath = "c:\\Program Files\\Playbryte\fav.ico"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\SuggestionsURL = "http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\URL = "Playbryte-fa-binst/search/redirect/?type=default&user_id=21b52105-68d3-4fb9-a98f-5a242e642475&query={searchTerms}"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{b278d9f8-0fa9-465e-9938-0c392605d8e3} = "PlayBryte Toolbar"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\DisplayName = "Search"	7da17447aa53664eb97d79f6d2e9b347.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}\InprocServer32\CodeBase = "file:///C:/Windows/assembly/GAC/AxSHDocVw/1.1.0.0__51b6fa9a48c79a9e/AxSHDocVw.dll"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}\0 = ".NET Category"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\1.1.0.0\CodeBase = "C:\\Users\\Admin\\AppData\\LocalLow\\Playbryte\\Assemblies\\1\\BrowserObjects.dll"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DA62727A-E124-3E4C-B21F-B5774407C35F}\1.1.0.0\Class = "SHDocVw.OLECMDEXECOPT"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\Implemented Categories	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\1.1.0.0\Class = "PBANDJ.BrowserObjects.BHO"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0\RuntimeVersion = "v1.1.4322"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}\ProgId\ = "AxSHDocVw.AxWebBrowser"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\CodeBase = "C:\\Users\\Admin\\AppData\\LocalLow\\Playbryte\\Assemblies\\1\\BrowserObjects.dll"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}\1.1.0.0	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}\1.1.0.0\Class = "SHDocVw.SecureLockIconConstants"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}\ProgId	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DA62727A-E124-3E4C-B21F-B5774407C35F}	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\RuntimeVersion = "v1.1.4322"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}\1.1.0.0\RuntimeVersion = "v1.1.4322"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AxSHDocVw.AxWebBrowser\CLSID\ = "{6823F25B-4D75-38A1-A163-7C696B45701F}"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}\InprocServer32	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}\InprocServer32\Class = "AxSHDocVw.AxWebBrowser"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\HelpText = "PlayBryte BHO"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\Assembly = "BrowserObjects, Version=1.1.0.0, Culture=neutral, PublicKeyToken=8573f793e1aee7d1"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}\InprocServer32\RuntimeVersion = "v1.1.4322"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}\InprocServer32\1.1.0.0	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}\InprocServer32\Assembly = "AxSHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0\Class = "SHDocVw.NewProcessCauseConstants"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AxSHDocVw.AxWebBrowser\CLSID	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}\InprocServer32\1.1.0.0\RuntimeVersion = "v1.1.4322"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}\1.1.0.0\RuntimeVersion = "v1.1.4322"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AxSHDocVw.AxWebBrowser	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\ThreadingModel = "Both"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\1.1.0.0\RuntimeVersion = "v1.1.4322"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AxSHDocVw.AxWebBrowser\ = "AxSHDocVw.AxWebBrowser"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}\1.1.0.0	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DA62727A-E124-3E4C-B21F-B5774407C35F}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\1.1.0.0	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}\1.1.0.0\Class = "SHDocVw.OLECMDID"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}\1.1.0.0	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\RuntimeVersion = "v1.1.4322"	7da17447aa53664eb97d79f6d2e9b347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}\InprocServer32\ = "mscoree.dll"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\Class = "SHDocVw.CommandStateChangeConstants"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}\1.1.0.0\Class = "SHDocVw.OLECMDF"	7da17447aa53664eb97d79f6d2e9b347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}\1.1.0.0\Class = "SHDocVw.tagREADYSTATE"	7da17447aa53664eb97d79f6d2e9b347.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3196	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1392	1640	7da17447aa53664eb97d79f6d2e9b347.exe	84
PID 1640 wrote to memory of 1392	1640	7da17447aa53664eb97d79f6d2e9b347.exe	84
PID 1640 wrote to memory of 1392	1640	7da17447aa53664eb97d79f6d2e9b347.exe	84
PID 1392 wrote to memory of 3196	1392	cmd.exe	86
PID 1392 wrote to memory of 3196	1392	cmd.exe	86
PID 1392 wrote to memory of 3196	1392	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\7da17447aa53664eb97d79f6d2e9b347.exe
"C:\Users\Admin\AppData\Local\Temp\7da17447aa53664eb97d79f6d2e9b347.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\7da17447aa53664eb97d79f6d2e9b347.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Playbryte\Assemblies\1\BrowserObjects.dll

Filesize
208KB

MD5
390fddc724a59ccfb6a8203778cfb5de

SHA1
dd5e0aac666a7c721092336680b7de906b9801c3

SHA256
eee464400ebbe30a4a60e13d0cd9c8a84ceca245f298b177a20c888e8f22038d

SHA512
01666a8914914399daf2a51c099dc9238bd4faba85f923f775b7e28b5e60613e45ade603771019130acc76fe420a2a24a8aadf76cb045b65751c90eef2591b67

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Assemblies\1\rscoree.dll

Filesize
176KB

MD5
ff9de8be567e80a2a07bc152e313300c

SHA1
430991ac99c413c59ce31f97423a4449dcd93164

SHA256
b5eb658baa7f7c988b000bd9551c5e55bac036ff390aa48484df8a4dac05c047

SHA512
9b2a8e5b54a7334850a2ecc77299fc512805e2c83ff8a1b5da845fc396026dd25c1df99816f9481f88ef75e47b3ec35ccd6367efed3d409e80a042f79ac2da77

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\Toolbar.xml

Filesize
145B

MD5
8d28ff2b37c1f274f38de3504058a228

SHA1
5d6c11f263a8d3b41bb166f632c7f1948b54ff3c

SHA256
99bfee7121f795533d9e7b6ca3536f9ac52c2055e11fc3bc93a28f02207f0dba

SHA512
5d186ab2c196115830a67ae416170491709f0ea8fdafba052d3c1548beb5c820c3425f314ae1c8897b9c283b250f41e2a4066ef2c8b12bdcb897b3a87ef75b09

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome.manifest

Filesize
202B

MD5
8231f24a28fa90ba8a74f248392cb935

SHA1
2eaafbecd8a8e49a06bc927f2f06fc694d50207a

SHA256
52b4b8fceb31dbbc905e34b80a65b5ce63d89378443f7ed3b2caaa03d1042a5c

SHA512
4234ecdf78cde0fc00f9ff2214204e31f50a5ff7ad21ea7d330ef38fe9cfddb56a0cb969a0d49af3fdb8f75e64430d10b6f1abea6843f4c3e743f28720ef52dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\Thumbs.db

Filesize
42KB

MD5
a13a252d2d526907d84cc888ff86ff7e

SHA1
42645ce4e718729672ad861e69b9fdc64e11476e

SHA256
c834466ab8d08d9deaf470494f06dd2442d446f7883a74559bf90987cc1725a6

SHA512
ada28aa68b46a9c46a5aa70f9531461c3cae7e10c6eae07c47a5c7352e93f07f59f9f81ab358dfcc7019f9c3f724fadf41033539bc26ffa79d30f30c30420500

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\browserwindow.js

Filesize
5KB

MD5
d9d55dec62f1b565e5dadd48a4fee277

SHA1
9cf277fdeb092dfcf260aea3663d97edbfdc4730

SHA256
132aaf282e95f7a5e2b4cbce54f6eb76d175e6d20d50364faa3e1231046c70d2

SHA512
cfc10f839f9fa0d280141946e3ac324dd28aae352356fde5ebfc552d9a039487edcaea35b00b0b16053cae4e1d8cff043a79fd59b6a23f1a9a093a1ccf645f95

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\browserwindow.xul

Filesize
639B

MD5
bfca47419dfbee66e46977f59df93911

SHA1
ed21f6e531bd37ee3febdc649a6b1ccc2a18e0f6

SHA256
a60484bdd267f15fbabf1f7894aaa8d8cb097ddb3f03805f789a84830ac6b07c

SHA512
b051f344c29f0623454d040e164cfa7067d620d469329a7262edabed697bdf481d356c34545945c2a8a1289cdf35804218d297d1a87aebde366b2d473b8ad1ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\fileio.js

Filesize
7KB

MD5
5f7e7f18f270df208d51a3c8a95d8715

SHA1
f565472885ebd55bebabd88f2888d87a060cb22c

SHA256
411370465bc13225f2caf2dff432d639eeddeb0a531a16c31513ddc834aee6ea

SHA512
ec4acfa1ab758f2f1f793f4a1d393d0313f60a9cdbb89c983def18dc138396e3471997a33e332cc9edcecffb112f2b346516a0f537e2996c4eaec934d241739b

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\images\hidden.png

Filesize
135B

MD5
9ffce671bc7bd4fbcf202f06c2cb1128

SHA1
58ae75aab8a6e10523b594fe89ac64958c909df1

SHA256
794658e1c5cc2fdabc604b62c8deda9ced96adbda66207915e5551a4ddde65d6

SHA512
38eb938cc39317bf00270d6ec3b128fe24116fa9d54e885106f7f6dae2b31581bf2e75ab1ec7f090fcbd6e6d59214d50d0f04c054a769019c893f1c7a82e2964

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\inline\inline.js

Filesize
5KB

MD5
2393045d94ee767445d77413ce06eaf9

SHA1
a6bca7ea188506de1c5f5fde23f0082839820868

SHA256
3effbe8523d2fe06f2e0dfa6eb81760a1e2a7a2f1223fbe4c72d6b1b689f5fef

SHA512
2ab40229c51f6c8d0e3f5666fb7f3822e892d288ab31db78cd87ea7710c32563ed268af6b0580cfeaa4383d900edc09a9ff520dcc42af53eb3baa55bed24a6a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\json.js

Filesize
18KB

MD5
6e0f67dbbfc82ae0d7fe8500f501e426

SHA1
5de8795c78d44c77869ae7c96f9fe6f139c8829f

SHA256
8e82c7944c69af6792c22c193382a7ae5b9018b3bcfa8aa748e63b592c430f36

SHA512
4daba5571698a108ebcf4ef8fa87c8acbf3b9930512473b2ae91764732580b06fcd58567b3b1262eab9582c438e7db3c4fbdb540cf97e9a71ef5ead54f934a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\login.xul

Filesize
767B

MD5
1e4dd5da9f4e36addbea3c7d7ab0232b

SHA1
c0ff7d2094598fd457b420a910d393dde1bcac24

SHA256
e693228ae152b04bba35fed764b610a8acf3616cde1c4088e91da6f396fe4b97

SHA512
25ba550249508b2832ae66cfd45bd030f60366b34fcc6501cd6dda7ca0d0ec0918fa46ef0487fc4adafb92a5ec17dd86cbb8cd13a909920452f846cf99fae6ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\menu.xul

Filesize
676B

MD5
4d98e8cfb5770628cb652bcf052d7c53

SHA1
e5554c32040eb61bd2ed8c8c789c913dc96f6bb8

SHA256
2b0837acdff995a45af64703b606ae34eadfc083738eb79fc274e65a5a06b2d5

SHA512
956ea261fa6c3ab5512b1e8b4001b8f6d5d1f56e33f44047aae64a05dacbe54fa8a9a980bb9f505ca57c4bc5021faa5b406e9b0bbc958fe1aa30552c2d6465cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\share_link.xul

Filesize
1KB

MD5
57363ff93f4a979202182f7f9b10b30b

SHA1
fa53754a8f9d71654b221061c057101bf0dc8064

SHA256
ca82863da4d7bbb8d011b2c10c697f84eaf101a1885c20e3d4d48756085de90e

SHA512
2da969c40b047928b19c880339f288abc2e004c1f9fb82da4b44df05d439ed2c39ea3bcc1d1c31e48be90fe495e685e3e3ebd2875619756279930448d8bd161a

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\sidebar.js

Filesize
50KB

MD5
42b9217e3cd998d7948b88ea333b5997

SHA1
3750d7838a801e780b88cfe8dc5884bd8c0f182e

SHA256
17fb39dc5f672dc5f1757287edcef647e35993fff62c20644661e73ff045d6ca

SHA512
dc5a3b9e5343f5418b51a40ffc7b8580fd195ce771fd6637bec906213d261f842a1c82c8579460f177a45dae117ea8091c89f628dac89023bad83de8ff22bc02

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\sidebar.xul

Filesize
4KB

MD5
e1ab49072ee7dd16d4e41893dfd5e8d6

SHA1
a6337106cf1ea477d58026fd4e4712f0efc8a650

SHA256
a1bafae8eb6ce28c352279322dc56e8efe9fecc132f1f7e887690be5aae53c12

SHA512
d23c0f3954b33bb1b400886618ce5375d17e63489a3a3a83d23e97d594c1dc57f7de7b19fcb9220bba5dea3721242863b1b8c234ca3337ef6fb84953c4fd9309

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\toolbar.js

Filesize
43KB

MD5
2532b20c995d7a18e99b930ce8382b36

SHA1
22dee0849acb46f43ba575a3cfe3dc1f08a42d3b

SHA256
ecbdca7a58afd387fff05a7c2e2896aa87dc0e188902444f955168a6b49ce833

SHA512
014de5e8ff3a6122ccb900fa30daea4c261f7d5eabaa19c526861f2dc312174bac30e07f6915985315758581975563c3e04901b8bdeff47cec2f294f99abbff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\toolbar.xul

Filesize
1KB

MD5
75bc4ef477a2da9d2b324e29cdec0d5d

SHA1
fb921129f50557c7ac27142f5d4f023af771c016

SHA256
a5467ba36344a7ea253c09c76a654cdaec3956c806989397daf013b5c0852e9d

SHA512
dbb78aee7803cfd58916db83fb6e763f2b4fbf7ded2e5a70972c4afc1774ee3fcd5da95d12af5154b4ac97e0b8528c6ec56098a104198932a5f9e28f93fbdc73

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\toolbarsidebarshared.js

Filesize
32KB

MD5
d952cf8275b94892a23fd5e45229299d

SHA1
dbb120efe746d42c41a448e973c32a61807115fc

SHA256
3337796b9c6f0dbd883d63ee51add669128f56a3534e605e4a77922020674f27

SHA512
5289887519dfdae1e97726b23e09222c61dda1165269218849ece08d52423f70fdaaf17c6362c85dc43acb955a7949c7b2a6df3e60c2365a23dba41dec86fce0

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\update_status.xul

Filesize
1KB

MD5
bd45a43882e268e61265ec944b5d97a4

SHA1
ada640b2fc6d1e85da6b5ee7113a992f5947d6a2

SHA256
c02e88a95d218c39ee91338fd33c8f162bd59e0e2be85269221ee4e41d98a283

SHA512
25be11e3b19ea7d148345aeffcb84b27bd5020ce0c66a5c00537d7b5d3e5895dba2680cb717bac11dc3d0290d74dd40c141b372e786b6d477b64e43c1374cb3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\windows.js

Filesize
3KB

MD5
ea2f31f782aa28f0d6fc1ef57a8dbd86

SHA1
48e34ad8db9382d7868019d225f7b7cd7b58351c

SHA256
08df0958b78f538bf3b78413da5b091857361bd0660a9c882b9c791338079782

SHA512
1b45f31ed0e9857a35093031ca274f8a58f4c87d76b26dad421a5edb5babc2f457d45659190552af1da49420780fd28149112c59245334bc6da4bb729a09c8b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\install.rdf

Filesize
926B

MD5
a42bb90b389338ade7a6122b87d1d48b

SHA1
dbf8a4f19c8a33de785b57df5e3856c0f2443d4b

SHA256
1284a975891efce56bf54394d4fb8b53c2399fae8842b96b2d4673f771ce972a

SHA512
ad2d46cf342377b863add02ce5dba20782c54df380017b6d36ef72a669ffd7568b857ae72cf2885421c5087124dc31e39d370c1ad7c00cf2534e335f96556483

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\GAC\AxSHDocVw.dll

Filesize
48KB

MD5
353d0856ef87852e6b45a66dc18f22c4

SHA1
8ed092b9fd9b3993e4c4c5f7ddc055e20383fd62

SHA256
f85b9aa13d5dbdc953625bfdd178df82da6694b2724fd2d2ee1185ae57348c95

SHA512
222078090eb5d82ee3eb3ef4854a7d3f1802e3f25512cee9ad58a3dcc19b724bc8fe381a86c33d536a5765ae5243b8c8f32bbb93e93a645a3fd9e64a708b33b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\GAC\SHDocVw.dll

Filesize
132KB

MD5
3f1a1cc32e039f36221d7934d9cf610d

SHA1
a1390fb8decd211e50860ed312515733ea829c98

SHA256
b10384df060591538d73cae468d6d66f606cd7cb752281de6161dd743f0c3dd7

SHA512
5cd052c6dfa098d91b494aa87ab580b1ea74367b5830a318cc5431a93299b5119f0870d2cefda29598a9e28990a70dbdfb5bc19f52849b11381112f1b98329fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\extensions\[email protected]\FFAboutBlankSearch.txt

Filesize
2KB

MD5
0fff1a900fb1df3bac2b22b12d6e79f1

SHA1
f7eb355a39ae0625a6ac6b0676cfc3dc83565ce0

SHA256
3c98525664420880d906dfc5ee6594ef68310f26c80d7453d5fa5f16ae478d01

SHA512
66d7ac0b0f214e3ed8c48e4e05d2eec4803465709ba36a7c9bbc22f8b92d1d17e9ec3913dc2296d53275ac4fcbd5af86e333523f11c7315ade8e48f26a2a1a91

Download Submit
C:\Windows\assembly\GAC\AxSHDocVw\1.1.0.0__51b6fa9a48c79a9e\__AssemblyInfo__.ini

Filesize
270B

MD5
45957187d6da1ad080a55fa907eba136

SHA1
f74353b01a9f6e6c979edd1957646d61d82b3786

SHA256
5c592a8d0b292e85b653ccff097702b2a1cb208ecc0ca2f0f59e0798fcf5f6f3

SHA512
4743393a05e36dc701b857cdd1ffb6d5a55ba994e4dd83436dec153392083f618407960ffb8174a9eb5fd103c827c3c750382fe0f0f5d54154a5b5a113e90c31

Download Submit
memory/1640-1-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1640-192-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1640-2-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/1640-0-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1640-240-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1640-241-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads