Malware Analysis Report

2025-08-10 22:23

Sample ID 240202-1fdsrsadar
Target 8a97591c2f062c66786fc7636e51bdfe
SHA256 08956ecb861feeae3d61059bf2b72fa589ae01030bf3587edac7d3affa340590
Tags
adware persistence stealer
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

08956ecb861feeae3d61059bf2b72fa589ae01030bf3587edac7d3affa340590

Threat Level: Shows suspicious behavior

The file 8a97591c2f062c66786fc7636e51bdfe was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware persistence stealer

Adds Run key to start application

Installs/modifies Browser Helper Object

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-02 21:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 21:35

Reported

2024-02-02 21:37

Platform

win7-20231215-en

Max time kernel

122s

Max time network

128s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8a97591c2f062c66786fc7636e51bdfe.dll

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{87dc3652-1fa9-c3fa-aa4a-87ae76b0c72f} = "C:\\Windows\\System32\\Rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\8a97591c2f062c66786fc7636e51bdfe.dll\" DllStart" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21496767-ee1d-4d41-e625-ae6e7300abee} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{21496767-ee1d-4d41-e625-ae6e7300abee}\NoExplorer = "\"\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21496767-ee1d-4d41-e625-ae6e7300abee}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21496767-ee1d-4d41-e625-ae6e7300abee}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8a97591c2f062c66786fc7636e51bdfe.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21496767-ee1d-4d41-e625-ae6e7300abee}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21496767-ee1d-4d41-e625-ae6e7300abee} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21496767-ee1d-4d41-e625-ae6e7300abee}\ = "radbanner browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 1428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 1428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 1428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 1428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 1428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 1428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 1428 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8a97591c2f062c66786fc7636e51bdfe.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8a97591c2f062c66786fc7636e51bdfe.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 21:35

Reported

2024-02-02 21:37

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

95s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8a97591c2f062c66786fc7636e51bdfe.dll

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{8f7db5fb-ea9e-2dbe-6c83-e81a65b9e8f9} = "C:\\Windows\\System32\\Rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\8a97591c2f062c66786fc7636e51bdfe.dll\" DllStart" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5a7d2f70-a033-d254-9a57-5791d17d0f25} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5a7d2f70-a033-d254-9a57-5791d17d0f25}\NoExplorer = "\"\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a7d2f70-a033-d254-9a57-5791d17d0f25}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a7d2f70-a033-d254-9a57-5791d17d0f25}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8a97591c2f062c66786fc7636e51bdfe.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a7d2f70-a033-d254-9a57-5791d17d0f25}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a7d2f70-a033-d254-9a57-5791d17d0f25} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a7d2f70-a033-d254-9a57-5791d17d0f25}\ = "radbanner browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3208 wrote to memory of 4948 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3208 wrote to memory of 4948 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3208 wrote to memory of 4948 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8a97591c2f062c66786fc7636e51bdfe.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8a97591c2f062c66786fc7636e51bdfe.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A