2939c242fd67c1057d531b6a6cf167653b06288b8acdcb99bb32f62e9825ccf4

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbaea7dbde076cc97a50befba4fb9909.exe
Size

90KB
MD5

bbaea7dbde076cc97a50befba4fb9909
SHA1

ad879681bdbf9b286324f4851bd3b699e68a37f6
SHA256

2939c242fd67c1057d531b6a6cf167653b06288b8acdcb99bb32f62e9825ccf4
SHA512

abb5faa2d75667692edeb240dad2db7aa7fab260747f8204bfc2fd0c58ba12f040bc8024d0c528e2196542b771e7fe45c25b615316392da57154f316e6a4a608
SSDEEP

1536:10b4datWrQaMmy1cydIq9ya9RD4piGN4CxVZZfy2IiwYb0hqCwVFH8WVGSpiliki:i3W8aO1cyeqhLcx4CxVHHIi/04TFc2pH

Score

7^/10

adware stealer upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	bbaea7dbde076cc97a50befba4fb9909.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2404-9-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}\ = "HelloWorldBHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}	regsvr32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mjcore\Mjcore.dll	bbaea7dbde076cc97a50befba4fb9909.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	regsvr32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bbaea7dbde076cc97a50befba4fb9909.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	bbaea7dbde076cc97a50befba4fb9909.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	bbaea7dbde076cc97a50befba4fb9909.exe

Modifies registry class 50 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore\CurVer\ = "BHO_MyJavaCore.Mjcore.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\0\win32\ = "C:\\Program Files (x86)\\Mjcore\\Mjcore.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\ = "IMjcore"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80EF304A-B1C4-425C-8535-95AB6F1EEFB8}\ = "BHO_MyJavaCore"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\VersionIndependentProgID\ = "BHO_MyJavaCore.Mjcore"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\ = "Mjcore Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\ = "IMjcore"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore\ = "Mjcore Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore.1\ = "Mjcore Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\ = "BHO_MyJavaCore 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore.1\CLSID\ = "{D88E1558-7C2D-407A-953A-C044F5607CEA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\TypeLib\ = "{E0F01490-DCF3-4357-95AA-169A8C2B2190}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\TypeLib\ = "{E0F01490-DCF3-4357-95AA-169A8C2B2190}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\ProgID\ = "BHO_MyJavaCore.Mjcore.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\InprocServer32\ = "C:\\Program Files (x86)\\Mjcore\\Mjcore.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BHO_MyJavaCore.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80EF304A-B1C4-425C-8535-95AB6F1EEFB8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Mjcore"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\TypeLib\ = "{E0F01490-DCF3-4357-95AA-169A8C2B2190}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BHO_MyJavaCore.DLL\AppID = "{80EF304A-B1C4-425C-8535-95AB6F1EEFB8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore\CLSID\ = "{D88E1558-7C2D-407A-953A-C044F5607CEA}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2404	bbaea7dbde076cc97a50befba4fb9909.exe
2404	bbaea7dbde076cc97a50befba4fb9909.exe
2404	bbaea7dbde076cc97a50befba4fb9909.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 500	2404	bbaea7dbde076cc97a50befba4fb9909.exe	28
PID 2404 wrote to memory of 500	2404	bbaea7dbde076cc97a50befba4fb9909.exe	28
PID 2404 wrote to memory of 500	2404	bbaea7dbde076cc97a50befba4fb9909.exe	28
PID 2404 wrote to memory of 500	2404	bbaea7dbde076cc97a50befba4fb9909.exe	28
PID 2404 wrote to memory of 1712	2404	bbaea7dbde076cc97a50befba4fb9909.exe	30
PID 2404 wrote to memory of 1712	2404	bbaea7dbde076cc97a50befba4fb9909.exe	30
PID 2404 wrote to memory of 1712	2404	bbaea7dbde076cc97a50befba4fb9909.exe	30
PID 2404 wrote to memory of 1712	2404	bbaea7dbde076cc97a50befba4fb9909.exe	30
PID 2404 wrote to memory of 2692	2404	bbaea7dbde076cc97a50befba4fb9909.exe	32
PID 2404 wrote to memory of 2692	2404	bbaea7dbde076cc97a50befba4fb9909.exe	32
PID 2404 wrote to memory of 2692	2404	bbaea7dbde076cc97a50befba4fb9909.exe	32
PID 2404 wrote to memory of 2692	2404	bbaea7dbde076cc97a50befba4fb9909.exe	32
PID 2404 wrote to memory of 2064	2404	bbaea7dbde076cc97a50befba4fb9909.exe	34
PID 2404 wrote to memory of 2064	2404	bbaea7dbde076cc97a50befba4fb9909.exe	34
PID 2404 wrote to memory of 2064	2404	bbaea7dbde076cc97a50befba4fb9909.exe	34
PID 2404 wrote to memory of 2064	2404	bbaea7dbde076cc97a50befba4fb9909.exe	34
PID 2404 wrote to memory of 2064	2404	bbaea7dbde076cc97a50befba4fb9909.exe	34
PID 2404 wrote to memory of 2064	2404	bbaea7dbde076cc97a50befba4fb9909.exe	34
PID 2404 wrote to memory of 2064	2404	bbaea7dbde076cc97a50befba4fb9909.exe	34

C:\Users\Admin\AppData\Local\Temp\bbaea7dbde076cc97a50befba4fb9909.exe
"C:\Users\Admin\AppData\Local\Temp\bbaea7dbde076cc97a50befba4fb9909.exe"
1⤵
- Checks BIOS information in registry
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Program Files (x86)\JavaCore\"
  2⤵
  PID:500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Program Files (x86)\Eroca\"
  2⤵
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Program Files (x86)\mjc\"
  2⤵
  PID:2692
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\Mjcore\Mjcore.dll"
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mjcore\Mjcore.dll

Filesize
133KB

MD5
45577131ebe4de4ccbd731fe68f84160

SHA1
bb2812fffe83baed6060210299860cc49911c979

SHA256
343f335a972c431e8f6667e547d2b18b21505bacad36515a7cb64e32620127ec

SHA512
297a3d24d1820fbaa29a3a487d73dff942dfcb9e4118d0c8abe39da703a3391b0dfd8909af7961511520a92242c417bb7d3e58055563dacee3921203004deff7

Download Submit
memory/2404-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2404-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download