518b5fce0881c96abf3f71662adc0d0cdf6dec12e1be5caa6be6110120c56325

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8015931dde444b206666fa02c3e4b967.exe
Size

315KB
MD5

8015931dde444b206666fa02c3e4b967
SHA1

0451a53a3625b10ab52b750c88a7c2e1558280b3
SHA256

518b5fce0881c96abf3f71662adc0d0cdf6dec12e1be5caa6be6110120c56325
SHA512

3017791094c5fe4086053ae6d55bffc99f1a96a0ee8c5241880e7ed0be3b6dd5afc064e258988adfa865e63cd08c8b89da1a34a51c7b7f146a7e4e62f4a73f71
SSDEEP

3072:8EdX67djyrcGFQSzAQHtN4JIpRP7wN1DKNIPAVRHDTJILVtcxK1UT1TCRu9VDZ1n:8UuiFQSz9HtN4KmNYRCLVZ1Up2Rq1

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\Windows\\system32\\ctfmonosc.exe"	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	8015931dde444b206666fa02c3e4b967.exe

Loads dropped DLL 1 IoCs

pid	Process
1308	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}\IExplore = "1"	regsvr32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qd54491.dll	8015931dde444b206666fa02c3e4b967.exe
File created	C:\Windows\SysWOW64\ctfmonosc.exe	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\TypeLib\ = "{7405FE51-34B7-30D8-9247-6F76DEE55124}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\ = "IDOMPeek"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7405FE51-34B7-30D8-9247-6F76DEE55124}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}\VersionIndependentProgID\ = "D"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7405FE51-34B7-30D8-9247-6F76DEE55124}\1.0\ = "LIB"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7405FE51-34B7-30D8-9247-6F76DEE55124}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\qd54491.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7405FE51-34B7-30D8-9247-6F76DEE55124}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7405FE51-34B7-30D8-9247-6F76DEE55124}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID\ = "{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7405FE51-34B7-30D8-9247-6F76DEE55124}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7405FE51-34B7-30D8-9247-6F76DEE55124}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\ = "IDOMPeek"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}\ProgID\ = "D.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}\InprocServer32\ = "C:\\Windows\\SysWow64\\qd54491.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7405FE51-34B7-30D8-9247-6F76DEE55124}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\TypeLib\ = "{7405FE51-34B7-30D8-9247-6F76DEE55124}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7405FE51-34B7-30D8-9247-6F76DEE55124}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74C147F5-7D98-3E82-AFF2-A82DC34C24AC}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7405FE51-34B7-30D8-9247-6F76DEE55124}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150E721D-25B5-32B6-A1AA-C8FBE08D8130}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1308	1688	8015931dde444b206666fa02c3e4b967.exe	94
PID 1688 wrote to memory of 1308	1688	8015931dde444b206666fa02c3e4b967.exe	94
PID 1688 wrote to memory of 1308	1688	8015931dde444b206666fa02c3e4b967.exe	94

C:\Users\Admin\AppData\Local\Temp\8015931dde444b206666fa02c3e4b967.exe
"C:\Users\Admin\AppData\Local\Temp\8015931dde444b206666fa02c3e4b967.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\qd54491.dll
  2⤵
  - Sets file execution options in registry
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\qd54491.dll

Filesize
248KB

MD5
b9123d153eb6ded84af553fdc79e0fe6

SHA1
9949994b9204d323741c8350df9d0c5c8f7cbd44

SHA256
3dd0631d14738676d62d87a04d7e0ee739353ae3ed6ee57d457c6875d18f1209

SHA512
b24f776686b6ea59069177dfc234250188601f1dca27c8a48509310ee15fc57fd2f900eddfbfaa2788e70b0575a7c979308e4ea7059af29bbf5fc6c458e1834f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads