874a281111a8791c865b7dd7df94261ca355f04b68fdcda6c95b0860697fd443

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 20:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bcc7bd371f6fa4f9bdf071d7615fc732.exe
Size

192KB
MD5

bcc7bd371f6fa4f9bdf071d7615fc732
SHA1

64cd37e97b216b17df51d35543b4077a8da32096
SHA256

874a281111a8791c865b7dd7df94261ca355f04b68fdcda6c95b0860697fd443
SHA512

2a40a1a39e57d61a31c55787be6e39aa7b2395fb72fce09f92d33fd9abb397be2ad7d4096fece3eb5d15954541daf804adb64c2662d1efbfada0ed700e23ef6d
SSDEEP

3072:RupaoCA9OCu2S/tjXhzlzzSoer4YsrRYR4Scj2UXE6f30u+0:ZEOCu2+VlnwMO47P0uN

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
620	regsvr32.exe
2712	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{139D88E5-C372-469D-B4C5-1FE00852AB9B}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{139D88E5-C372-469D-B4C5-1FE00852AB9B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000EF1-0786-4633-87C6-1AA7A44296DA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000E7270-CC7A-0786-8E7A-DA09B51938A6}	regsvr32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ddm3dia.dll	bcc7bd371f6fa4f9bdf071d7615fc732.exe
File created	C:\Windows\SysWOW64\n3tpa1.dll	bcc7bd371f6fa4f9bdf071d7615fc732.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\F1.Organizer.1\ = "F1 Organizer Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\VersionIndependentProgID\ = "F1.Organizer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000e7270-cc7a-0786-8e7a-da09b51938a6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000e7270-cc7a-0786-8e7a-da09b51938a6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPalIExplore.NetPal\CurVer\ = "NetPalIExplore.NetPal.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000E7270-CC7A-0786-8E7A-DA09B51938A6}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\TypeLib\ = "{EF100007-F409-426a-9E7C-CB211F2A9786}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPalIExplore.NetPal.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPalIExplore.NetPal	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPalIExplore.NetPal\ = "NetPal Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CF28135-B1DC-4F50-AB58-7CF5701A6ED6}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CF28135-B1DC-4F50-AB58-7CF5701A6ED6}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\F1.Organizer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\ = "F1 Organizer Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}\1.0\ = "Favorite 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPalIExplore.NetPal\CLSID\ = "{000e7270-cc7a-0786-8e7a-da09b51938a6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\F1.Organizer\CLSID\ = "{00000EF1-0786-4633-87C6-1AA7A44296DA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ddm3dia.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000E7270-CC7A-0786-8E7A-DA09B51938A6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CF28135-B1DC-4F50-AB58-7CF5701A6ED6}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\n3tpa1.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\F1.Organizer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\F1.Organizer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPalIExplore.NetPal.1\ = "NetPal Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000e7270-cc7a-0786-8e7a-da09b51938a6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CF28135-B1DC-4F50-AB58-7CF5701A6ED6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\F1.Organizer\ = "F1 Organizer Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\F1.Organizer\CurVer\ = "F1.Organizer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\ProgID\ = "F1.Organizer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000E7270-CC7A-0786-8E7A-DA09B51938A6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPalIExplore.NetPal.1\CLSID\ = "{000e7270-cc7a-0786-8e7a-da09b51938a6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000e7270-cc7a-0786-8e7a-da09b51938a6}\ = "NetPal Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CF28135-B1DC-4F50-AB58-7CF5701A6ED6}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\InprocServer32\ = "C:\\Windows\\SysWow64\\ddm3dia.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000E7270-CC7A-0786-8E7A-DA09B51938A6}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\F1.Organizer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPalIExplore.NetPal.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000e7270-cc7a-0786-8e7a-da09b51938a6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000e7270-cc7a-0786-8e7a-da09b51938a6}\TypeLib\ = "{000e7270-cc7a-0786-8e7a-da09b51938a6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CF28135-B1DC-4F50-AB58-7CF5701A6ED6}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CF28135-B1DC-4F50-AB58-7CF5701A6ED6}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\F1.Organizer.1\CLSID\ = "{00000EF1-0786-4633-87C6-1AA7A44296DA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000e7270-cc7a-0786-8e7a-da09b51938a6}\ProgID\ = "NetPalIExplore.NetPal.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000e7270-cc7a-0786-8e7a-da09b51938a6}\VersionIndependentProgID\ = "NetPalIExplore.NetPal"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000e7270-cc7a-0786-8e7a-da09b51938a6}\InprocServer32\ = "C:\\Windows\\SysWow64\\n3tpa1.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000e7270-cc7a-0786-8e7a-da09b51938a6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CF28135-B1DC-4F50-AB58-7CF5701A6ED6}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPalIExplore.NetPal\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\F1.Organizer\CLSID	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 620	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	28
PID 1636 wrote to memory of 620	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	28
PID 1636 wrote to memory of 620	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	28
PID 1636 wrote to memory of 620	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	28
PID 1636 wrote to memory of 620	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	28
PID 1636 wrote to memory of 620	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	28
PID 1636 wrote to memory of 620	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	28
PID 1636 wrote to memory of 2712	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	29
PID 1636 wrote to memory of 2712	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	29
PID 1636 wrote to memory of 2712	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	29
PID 1636 wrote to memory of 2712	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	29
PID 1636 wrote to memory of 2712	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	29
PID 1636 wrote to memory of 2712	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	29
PID 1636 wrote to memory of 2712	1636	bcc7bd371f6fa4f9bdf071d7615fc732.exe	29

C:\Users\Admin\AppData\Local\Temp\bcc7bd371f6fa4f9bdf071d7615fc732.exe
"C:\Users\Admin\AppData\Local\Temp\bcc7bd371f6fa4f9bdf071d7615fc732.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ddm3dia.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:620
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\n3tpa1.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ddm3dia.dll

Filesize
111KB

MD5
5e4d3973ecdd251d2ed012f07f9353ae

SHA1
441dd645ee395408f44299199a2962fcdfdf0dc6

SHA256
21b29efb19dfe7cec9b6ad78b10ce0b95f5f6ebacf4e3b16c6d2ed97f314681c

SHA512
b6806e70d3cccde5eb9321508bee5587f67cb80d8a173a2fed066ce524c9bd008b54d39ee29de324cfa173f1909537bf006462208c6b4e1720a6c371f791e0f0

Download Submit
C:\Windows\SysWOW64\n3tpa1.dll

Filesize
66KB

MD5
77b538424ad0fcc09aad76ced368c2d2

SHA1
f390e079695619d4b2e65e7df8800ec93a8b9ece

SHA256
023c46d41c8b03a838dd4ca0a5d43230c48054858b4b5d479b0f44599c591cac

SHA512
cacd9960cf979988b7f4f41b76683cb69ee30304b8ea318ea39d57a96b3f7566b40815b0a9b8f51d9eb434e3c85122946c70281bd23533748e92d48a6cb1e737

Download Submit