Malware Analysis Report

2025-08-05 16:43

Sample ID 240204-t4g2rsgdfk
Target 8fa3d0be26fb0078bea9668053a2278e
SHA256 2eeb0679d6f277074cd115ea462c110c56c68134027330097f3b5c5a3237a959
Tags: adware, stealer

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

2eeb0679d6f277074cd115ea462c110c56c68134027330097f3b5c5a3237a959

Threat Level: Shows suspicious behavior

The file 8fa3d0be26fb0078bea9668053a2278e was found to show suspicious behavior.

Malicious Activity Summary

adware stealer

Checks computer location settings

Loads dropped DLL

Deletes itself

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer start page

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 16:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:36

Reported

2024-02-04 16:39

Platform

win10v2004-20231222-en

Max time kernel

92s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E} C:\Windows\SysWOW64\Regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ime\SPTIPIMERS.ini C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.m4455.com" C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\ C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx\Clsid\ = "{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx\ C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx\Clsid C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E} C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\ProgID\ = "fx678Toolbar.ShowBarEx" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\InprocServer32\ = "C:\\PROGRA~1\\FX678T~1\\FX678T~1.DLL" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\ProgID C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe

"C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe /s C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DelTemp.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp

Files

memory/2708-1-0x00000000022B0000-0x00000000022B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\启动 Internet Explorer 浏览器.url

MD5 534bb0175e95a0aae130995e507d5e05
SHA1 295077632d9815e4af4c30718f4534133a45b5b5
SHA256 cfa730e16a89744189ce9f198e27843c1063fbce23722e73f7e72dca23221ead
SHA512 df7ce3ee1c8ae3b8b2142e5929b4ab4b3a4c0a5dfab030baa26b18f0d81a310a3b48664ae148dfd02f4aa6d07d37c625ae29571c361997e88fe03323cfbdbf51

C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll

MD5 923512e3c24ab8c1bae00c8651517f62
SHA1 4946a5ac59527f210f9bb63584d2b75935304653
SHA256 531ab7f4453e2807d9bcd242dc5f8d94780499932b14c10b6009c36d9dec4f21
SHA512 2ef5bfea63e515598d30bf128acda0713fdf2e32f10003b97a9d719cd2cb1494ac5f91983b69099178c6b4593e689738d47aa277aa55a3f59f0b35d649d6ba67

memory/2708-26-0x0000000000400000-0x0000000000501000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DelTemp.bat

MD5 b12493931e5294e78df99889cf3ab3ce
SHA1 d7da714fb97888d8a8cac64e220e410c380d461e
SHA256 661eada4df31a24144e47949d7c3e9406a06b9339af09d64912dce199373d02e
SHA512 7089e09c695c6901886bca32104d1c67e65572489fa63f60ca99a14b29dd41675871c3a31249bcf109f7fc3640dc9b39027f1132820923d9a2bc7cecad9b1f05

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 16:36

Reported

2024-02-04 16:39

Platform

win7-20231215-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E} C:\Windows\SysWOW64\Regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ime\SPTIPIMERS.ini C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.m4455.com" C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\ C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx\ C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\ProgID C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\ProgID\ = "fx678Toolbar.ShowBarEx" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}\InprocServer32\ = "C:\\PROGRA~1\\FX678T~1\\FX678T~1.DLL" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx\Clsid\ = "{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E7F0F05-23CF-4575-9049-7DDB9D39AA8E} C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fx678Toolbar.ShowBarEx\Clsid C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 1888 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 1888 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 1888 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 1888 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 1888 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 1888 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 1888 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe

"C:\Users\Admin\AppData\Local\Temp\8fa3d0be26fb0078bea9668053a2278e.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe /s C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DelTemp.bat" "

Network

N/A

Files

memory/1888-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\购物商城.url

MD5 00a09a89ff80e65454523f88732eec7c
SHA1 1c9b57277a8338795dbbdd2b5182798450ef6428
SHA256 067f313a60f40cf3523f0cef5a35fb34b72f0fa05e65b1746bddc9e050a1f121
SHA512 c775172e5dc0326916e39dbedd1494a83e83be48782915976b52b9286d08249a2080ca610a1c200666bf84fc576b683ebd2f7c57829adbf02b690fc59d51d4d7

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.url

MD5 534bb0175e95a0aae130995e507d5e05
SHA1 295077632d9815e4af4c30718f4534133a45b5b5
SHA256 cfa730e16a89744189ce9f198e27843c1063fbce23722e73f7e72dca23221ead
SHA512 df7ce3ee1c8ae3b8b2142e5929b4ab4b3a4c0a5dfab030baa26b18f0d81a310a3b48664ae148dfd02f4aa6d07d37c625ae29571c361997e88fe03323cfbdbf51

C:\PROGRA~1\fx678Toolbar\fx678Toolbar.dll

MD5 923512e3c24ab8c1bae00c8651517f62
SHA1 4946a5ac59527f210f9bb63584d2b75935304653
SHA256 531ab7f4453e2807d9bcd242dc5f8d94780499932b14c10b6009c36d9dec4f21
SHA512 2ef5bfea63e515598d30bf128acda0713fdf2e32f10003b97a9d719cd2cb1494ac5f91983b69099178c6b4593e689738d47aa277aa55a3f59f0b35d649d6ba67

memory/2848-23-0x00000000001E0000-0x0000000000274000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DelTemp.bat

MD5 b12493931e5294e78df99889cf3ab3ce
SHA1 d7da714fb97888d8a8cac64e220e410c380d461e
SHA256 661eada4df31a24144e47949d7c3e9406a06b9339af09d64912dce199373d02e
SHA512 7089e09c695c6901886bca32104d1c67e65572489fa63f60ca99a14b29dd41675871c3a31249bcf109f7fc3640dc9b39027f1132820923d9a2bc7cecad9b1f05

memory/1888-33-0x0000000000400000-0x0000000000501000-memory.dmp