ac5ae6ddc2d68524c4f41b0327a9510767a44747582992cb57744d23d895f841

Analysis

max time kernel
93s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

976b2261b26fba5e57dfa2c9d3a6aeb8.exe
Size

84KB
MD5

976b2261b26fba5e57dfa2c9d3a6aeb8
SHA1

38f553e9fec6c84ced36918a506b458b024e0234
SHA256

ac5ae6ddc2d68524c4f41b0327a9510767a44747582992cb57744d23d895f841
SHA512

90d24765f1640e0ecd3045cb20e4621e942f7227d7083e2a0b6fc45a8ce71400a828aecf218fc5159b3d1860b93423cfd9437173e3f0e98d6243656c2d8a3fef
SSDEEP

1536:T727NGtQkU3HlNuYOD0cWENIlCjNpapX5xBt7Yw0pewn8+8:HUNGtk3FNutD0cWENIyNpa5bzkSt+8

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000900000002325d-4.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
836	regsvr32.exe
2168	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000002325d-4.dat	upx
behavioral2/memory/2168-6-0x0000000010000000-0x000000001000C000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
448	4988	WerFault.exe	60

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "BhoNew 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BhoNew.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\ = "BhoApp Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CLSID\ = "{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\ = "BhoApp Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\ProgID\ = "BhoNew.BhoApp.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BhoNew.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\VersionIndependentProgID\ = "BhoNew.BhoApp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CurVer\ = "BhoNew.BhoApp.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1\CLSID\ = "{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1\ = "BhoApp Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1	regsvr32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
836	regsvr32.exe
668	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	836	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 836	4988	976b2261b26fba5e57dfa2c9d3a6aeb8.exe	84
PID 4988 wrote to memory of 836	4988	976b2261b26fba5e57dfa2c9d3a6aeb8.exe	84
PID 4988 wrote to memory of 836	4988	976b2261b26fba5e57dfa2c9d3a6aeb8.exe	84
PID 4988 wrote to memory of 2168	4988	976b2261b26fba5e57dfa2c9d3a6aeb8.exe	85
PID 4988 wrote to memory of 2168	4988	976b2261b26fba5e57dfa2c9d3a6aeb8.exe	85
PID 4988 wrote to memory of 2168	4988	976b2261b26fba5e57dfa2c9d3a6aeb8.exe	85

C:\Users\Admin\AppData\Local\Temp\976b2261b26fba5e57dfa2c9d3a6aeb8.exe
"C:\Users\Admin\AppData\Local\Temp\976b2261b26fba5e57dfa2c9d3a6aeb8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\ntdll64.dll
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\BhoNew.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 528
  2⤵
  - Program crash
  PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4988 -ip 4988
1⤵
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BhoNew.dll

Filesize
13KB

MD5
483cdecc7d2cb80dbcf64d76dd8fcc47

SHA1
3914952632af666ef019c0cabcb25734104a1012

SHA256
a4672b9a2f91dc3b2e2955292b62dba30a5685a66e3772816fb9a2d5ab109baa

SHA512
4aeeff2272e235115e8a38ef8830d04d4d750770a0dd43d11f69657fc2b686a0cc686ceaaf37d787265659bb011220ee09d6a0b5f141f25be676691181ba8406

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntdll64.dll

Filesize
40KB

MD5
f41108e4bf007b986041b808c998a0c8

SHA1
7d1d4ff5d6573528a0b41749c8aaa432f22212c4

SHA256
4f4c3e506e22ab4c6d48a15a2306ded9e529aadfc854d66b0bebb4de20e772df

SHA512
ba0f195487a27bf4297e2cf09b4aebcac9212cff7521a86c54dc292c4f7051d5b22633431c8a38de624974a431cb92a783e59c61baf4d1a711bb4d47447d9372

Download Submit
memory/2168-6-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download