Analysis
max time kernel: 142s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 04/02/2024, 18:47
Static task
static1
Behavioral task
behavioral1
Sample
8fe22d9012398e4b5e109d9d6703b2cd.exe
Resource
win7-20231215-en
General
Target: 8fe22d9012398e4b5e109d9d6703b2cd.exe
Size: 252KB
MD5: 8fe22d9012398e4b5e109d9d6703b2cd
SHA1: 07b2e1fb39963d75a01fb0e27f66b9289f40671f
SHA256: 3f0fad0de5319c67ce158793a2651f62668dfc1ef0615393350b5cbdd7f89bce
SHA512: 4e8a5d624584e95b380da40de9fae0c25b5ea1221b4a1c7ab2c7778c22f47e5faca91fe5a8324b3102ecc1b49433521d30d5b8617bb8d78626490d0af8e25a05
SSDEEP: 6144:91OgDPdkBAFZWjadD4svBrBS1mLOUWYGS5Ae5R+ebz:91OgLdaOBs1mSrKAe5Rpz
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
456 | setup.exe

Loads dropped DLL (1 IoC)
pid | Process
456 | setup.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ = "ADDICT-THING" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\NoExplorer = "1" | setup.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (4 IoCs)
resource | yara_rule
behavioral2/files/0x0006000000023210-23.dat | nsis_installer_1
behavioral2/files/0x0006000000023210-23.dat | nsis_installer_2
behavioral2/files/0x0006000000023229-80.dat | nsis_installer_1
behavioral2/files/0x0006000000023229-80.dat | nsis_installer_2

Modifies registry class (63 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32\ThreadingModel = "Apartment" | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ProgID | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ProgID | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\VersionIndependentProgID | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32 | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\Programmable | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\Programmable | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ProgID\ = "bhoclass.bho.1.0" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\VersionIndependentProgID\ = "bhoclass.bho" | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\VersionIndependentProgID | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ = "ADDICT-THING Class" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32 | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | setup.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2312 wrote to memory of 456 | 2312 | 8fe22d9012398e4b5e109d9d6703b2cd.exe | 83
PID 2312 wrote to memory of 456 | 2312 | 8fe22d9012398e4b5e109d9d6703b2cd.exe | 83
PID 2312 wrote to memory of 456 | 2312 | 8fe22d9012398e4b5e109d9d6703b2cd.exe | 83
System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} = "1" | setup.exe
Processes
C:\Users\Admin\AppData\Local\Temp\8fe22d9012398e4b5e109d9d6703b2cd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8fe22d9012398e4b5e109d9d6703b2cd.exe"
Depth: 1
- Suspicious use of WriteProcessMemory
PID: 2312

    C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe
    Command line: .\setup.exe /s
    Depth: 2
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    - System policy modification
    PID: 456
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 46KB
MD5: 8be20144dbd200c6de0c9430ed9280cf
SHA1: b81e3aacaaedd66ef0896acabc6983c94758e2b4
SHA256: 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6
SHA512: fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\[email protected]\bootstrap.js
Filesize: 2KB
MD5: f0ded83c97e0190109bc35e59c3a86a3
SHA1: 8ba0d099b3ae07ed479f45000f422f78a579254f
SHA256: 9301e5cd5c9018835f5656cdbc01e62968d2cdc305f4230fdd2b12e256463484
SHA512: 6a437fc06c2db07568606e8a9561f51e6d038d8afb2c05608167e42c5c134290d96a8be80851b01175e579f07685dc49ac1921f497f2f384670ccb24a1cbbb52

C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\[email protected]\chrome.manifest
Filesize: 116B
MD5: 0c1d81dda49ba25ac627d71081836ee8
SHA1: 21678c783cc814b3123c8e934517e1a513d3d822
SHA256: e4177a36ba9902f1c403d1cdc396a3cca62f6f647ae91bb4b172bcb18c85727f
SHA512: ca85ab54b2883410f93e0d80a67a2df3f2abbb5cf67b85e2b169662bbda5404e4377b91640928170eec4634ffe8992d5ab27693b3f79b6b54bedcda724fd35ff

C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\[email protected]\content\bg.js
Filesize: 8KB
MD5: 3b91185d0a8d1a2741a4f8ecbaae117f
SHA1: 245378d4416da91fa51dd3f4598595605c353626
SHA256: 4d3a683c9ea6b3b3f0d89fcf85f14b2ae281e2d1d08669f34f78bb0e0f83c55e
SHA512: 777ad87b6b8fe21d1d04ba01b96ca698f3c863727281ba1bf48e4e9d18d7d548024a580dd04c1f0ee506b5a99e88b12d4220a28b672d5b752c088573a14e23bf

C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\[email protected]\content\zy.xul
Filesize: 225B
MD5: 09644f0ac805b6f88be0d5ca48602fcb
SHA1: 2227b8cb86f7c6cb9393f235e90eb7af398103a2
SHA256: 4a2c5fbac4166da0a61c6ddb99b9324c574502ae4e03edcb35aa9045521fabfb
SHA512: 3f806ed48fa603c6356fc3021192157a3ba4050b4c2571b86d85757858ff4fc1738e4303f3fb2830eb614fdd2fbdd9a49522986e8c03dae7d2efe35011fe1064

C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\[email protected]\install.rdf
Filesize: 714B
MD5: 5970b39017e732ca352554d8d41c2317
SHA1: 9c4c681bbf468f397d8bde4808ebd3a6e82795e4
SHA256: f826aa0af1e9ff8d8c1021db0a729c0b731d1ccf9b1f30b5b8e9bf6d2926ce9d
SHA512: 7a0e0af1c2c3bfc055d9bc46ea05e13d611b6e313d41dbf1ecb4feacecaea7c0d333aac546f9a2303cf96e350f80c23ba04cabaf3850991b59a06124f084911e
Filesize: 4KB
MD5: d84a5926468decd26e172d800dd86bba
SHA1: a676b23c781e7e6ee0dc1a79b50b251f8dca13e2
SHA256: 2598646012dc74560db1ad98544412f4d33cedc852e30c10dbefd28cc0b1246d
SHA512: 9e65b47cd9564188a8ab29c2204a49985d191e95178acb2d7c769e1cf3f0460ab437326f81a7c17213a66f0e4dab1bdc8c7cfabac95160ba8458c22b32348489

Filesize: 139KB
MD5: 4b35f6c1f932f52fa9901fbc47b432df
SHA1: 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e
SHA256: 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196
SHA512: 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Filesize: 388B
MD5: cf6721ed9f2a829eeb15bf3e41f75895
SHA1: 1d330123ab9553663c72c1eecb0404c57a0385e7
SHA256: 5a03eb012a23126976699a0368671c37342b926cddf7de8e2b44415454665a94
SHA512: cacd0d411e6901d2779a2d9f2df788d5d7f5d4739aa10ed0e07693e81815048be3b9adbbcc43cafc1dcbf88c86a5023d434307ad056df4f5a5e502b4c27e8e40

Filesize: 3KB
MD5: 894e02b7a7a44a82ceeb550420372bd0
SHA1: 846eafa31ac3cd92fcf5417cf768916270db718b
SHA256: ee15544238a9da778dfe3a4e81f58118398d2a4e6690e745ae6916c3c00a0932
SHA512: 3e4ce317b02edf04ab4d95272e449aa2e10bee6bf072478ed01e728ea24ce8c6e52f5dc3e36a5a4090105672ee27fda268390ce4e9934d3aa4c0816fa7a8694f

Filesize: 667B
MD5: 1250f4a3cce76c624d3d651681a054b3
SHA1: 9249cb7ae76fd80c0d7cb768eafd1ccd1a27c1ef
SHA256: d4033b65c5c555ac54c745be29e428e0eda403170ff57ab75f8f581e817c28e2
SHA512: 82235714f92168ec8b145e639c8ae335be0f4b7b2e6f454201f477eb963f251decd025e5dd3890920ad6119032a98ef36909b7eebd523e1d937644c185924a4e

Filesize: 61KB
MD5: 16ef6e914973925977cdc5ef6b8b2565
SHA1: 4815da2815975b33f5dc94d482e6dbc02588afa6
SHA256: 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f
SHA512: c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059