3b80986a7e5ae5c055af1f1a57b41710bb3cbf6767bc4a6ded5045f20b7765e8

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf630cebf35793dcb1762e3580d2a1c0.exe
Size

129KB
MD5

bf630cebf35793dcb1762e3580d2a1c0
SHA1

c7b7d73056c652ab2ebe4c40ddac762f0486f788
SHA256

3b80986a7e5ae5c055af1f1a57b41710bb3cbf6767bc4a6ded5045f20b7765e8
SHA512

789ef515b2763d44c8d8ee2f7fe6681c489cc7cbadac6600af82ef614ddc39f5909597f11909a80dc679ea6566df760d2fdfa610841bf58bbcf1a603d142cb3e
SSDEEP

1536:RjvrfBPnTiqtLGXa8t5WJ0Yl5ev6cH5h3meXFdSkyxBYXYXUsCn40ch9WLp34zcj:Rt1LGK8avSLaooXUX691gtcvpOeXN3k

Score

7^/10

adware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0031000000015d0a-16.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2156	mrcmgr.exe

Loads dropped DLL 4 IoCs

pid	Process
1992	bf630cebf35793dcb1762e3580d2a1c0.exe
1992	bf630cebf35793dcb1762e3580d2a1c0.exe
1056	regsvr32.exe
2664	regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1992-0-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral1/files/0x0031000000015d0a-16.dat	upx
behavioral1/memory/1992-17-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral1/memory/1056-21-0x0000000010000000-0x000000001006E000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{161B953B-95F9-4af3-B071-D5FF5EA132EF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}	regsvr32.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ddr7xm.dll	mrcmgr.exe
File created	C:\Windows\SysWOW64\mrcmgr.exe	bf630cebf35793dcb1762e3580d2a1c0.exe
File created	C:\Windows\SysWOW64\prxsmr.dll	mrcmgr.exe
File created	C:\Windows\SysWOW64\mshpc.dll	bf630cebf35793dcb1762e3580d2a1c0.exe
File created	C:\Windows\SysWOW64\mp7arc.dat	bf630cebf35793dcb1762e3580d2a1c0.exe
File opened for modification	C:\Windows\SysWOW64\prxsmr.dll	mrcmgr.exe
File opened for modification	C:\Windows\SysWOW64\ddr7xm.dll	mrcmgr.exe
File created	C:\Windows\SysWOW64\hl.dat	bf630cebf35793dcb1762e3580d2a1c0.exe
File created	C:\Windows\SysWOW64\scerpt.dll	bf630cebf35793dcb1762e3580d2a1c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416279454"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D9C3DE11-DF3F-11EE-8547-E6D98B7EB028} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ddr7xm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\TypeLib\ = "{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\ = "IE Microsoft extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Mmdd.MddApp\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib\ = "{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\ = "_IMAppEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mshpc.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ = "_IAppEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mmdd.MddApp\CurVer\ = "Mdd.MddApp.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp\ = "IE Microsoft extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mdd.MddApp.1\CLSID\ = "{1A4F919F-4334-4abf-BF47-0836A8B5A54B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\TypeLib\ = "{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp.1\ = "IE Microsoft extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSApp.BhoApp.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\ProgID\ = "Mdd.MddApp.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\ = "Mdd 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Mmdd.MddApp\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\InprocServer32\ = "C:\\Windows\\SysWow64\\mshpc.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\TypeLib\ = "{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\ = "IMApp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\TypeLib\ = "{2D51E439-3AE8-4bf7-8FB2-45F768554DEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\ = "MSHpc 2.0 Lib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Mdd.MddApp.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mmdd.MddApp\ = "MddApp Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2624	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2624	iexplore.exe
2624	iexplore.exe
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1056	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	28
PID 1992 wrote to memory of 1056	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	28
PID 1992 wrote to memory of 1056	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	28
PID 1992 wrote to memory of 1056	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	28
PID 1992 wrote to memory of 1056	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	28
PID 1992 wrote to memory of 1056	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	28
PID 1992 wrote to memory of 1056	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	28
PID 1992 wrote to memory of 2156	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	29
PID 1992 wrote to memory of 2156	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	29
PID 1992 wrote to memory of 2156	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	29
PID 1992 wrote to memory of 2156	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	29
PID 1992 wrote to memory of 2624	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	30
PID 1992 wrote to memory of 2624	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	30
PID 1992 wrote to memory of 2624	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	30
PID 1992 wrote to memory of 2624	1992	bf630cebf35793dcb1762e3580d2a1c0.exe	30
PID 2156 wrote to memory of 2664	2156	mrcmgr.exe	31
PID 2156 wrote to memory of 2664	2156	mrcmgr.exe	31
PID 2156 wrote to memory of 2664	2156	mrcmgr.exe	31
PID 2156 wrote to memory of 2664	2156	mrcmgr.exe	31
PID 2156 wrote to memory of 2664	2156	mrcmgr.exe	31
PID 2156 wrote to memory of 2664	2156	mrcmgr.exe	31
PID 2156 wrote to memory of 2664	2156	mrcmgr.exe	31
PID 2156 wrote to memory of 2620	2156	mrcmgr.exe	32
PID 2156 wrote to memory of 2620	2156	mrcmgr.exe	32
PID 2156 wrote to memory of 2620	2156	mrcmgr.exe	32
PID 2156 wrote to memory of 2620	2156	mrcmgr.exe	32
PID 2624 wrote to memory of 2532	2624	iexplore.exe	33
PID 2624 wrote to memory of 2532	2624	iexplore.exe	33
PID 2624 wrote to memory of 2532	2624	iexplore.exe	33
PID 2624 wrote to memory of 2532	2624	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\bf630cebf35793dcb1762e3580d2a1c0.exe
"C:\Users\Admin\AppData\Local\Temp\bf630cebf35793dcb1762e3580d2a1c0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\\mshpc.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:1056
- C:\Windows\SysWOW64\mrcmgr.exe
  "C:\Windows\system32\mrcmgr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\ddr7xm.dll
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2664
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    PID:2620
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2624 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c6e753501c58841c31654e6a7a4cb72f

SHA1
bdcdea874affe20fd718a13c1d60b1f604febc69

SHA256
b8a8617baffe553dbce5e1f0861017b7b6eb28f876aaca5d479348c8dd8a5118

SHA512
311bac75188bca30cb4d50788d158cd3e2e99c6b17cbc50e7dc48001e6bed695401919462463a2965a014b5c2fca2193d02e2798945f63db27789e19e7a673da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69498565ad08b702ab01b5cf09b878be

SHA1
7a0d7017167c08f64030eacd750c909f23573607

SHA256
b448fe48593fc3a4cda241d6b2d8dcc7b53051bcb3081021f84d75ac3c19559b

SHA512
9e98bc6af5e3db365232817b4fe6a7e6c56640082a8d2da4f2fb66e9e18e3eaca27fcffe956444d03663a77c8e7497d84bbe9ff14be5651c4df0b78ee00f1724

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ed64657231c2092e4fa4536be5d274f

SHA1
ac2cb8e536a7b2195f2a0480f1a1d42e465ad4e9

SHA256
2b09f2ebc5f0a5cd057d29f328b6ae4219795f9ca74e60fa81cf2c8ddc9e6e3b

SHA512
98ccd2b999810e2d5c6af6b4f68a3404d954c2aa560831f6f37d0532111e2de53c205caf3d122aeea5ad97a5379203fc6be8e8570a8249cbc4abed511a08066e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25ac990517895bd1abe8b563215b7fdf

SHA1
698a7a9901892b5bc77aa58944cdfd2c3df70b3c

SHA256
7abcfba919812e7b99c02c3035b3c05a39f5230748195ee2792c2845831bfa8c

SHA512
305ee297de2dea995cd74cf090829590ec0971e986950681aa6782cbacfaec81f76802fc82de43a899a33c1094856375367d7ad4bf47f7ad08b3fffb2900f7b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23a069d5fefb9ba25ab7f0b1da54f30e

SHA1
d1e2fb97180d800c15797f5f97170cbf8aed57c4

SHA256
32dd7a81d999455c25f1a3d4de129096b14e92ae78ef89b2bb5bbb88630a8406

SHA512
9262409e9724ce6cda669c3310711a5adb31b2dc1cd5cc9821df8e09e0be1356cedf97c06bdc0f9d93a872720394b0eab02f34120c6e2d51358eeb90d5efd0ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
219455cc7df53f818526cbc0e997c87c

SHA1
5f01ae51fe49649203ab43c52ad57ccc34072c10

SHA256
61a9cd0118f35d9b4dde12aaaea17a89438777afaf3570967bdd303851a94b20

SHA512
f1bef2f04134200802ad2a299ded754a6e0eba6b04802bd5065b0b49b00a678ae9961d383a134e63fee5efa454acf05f9818c3d709b1905d06b55d3f2149e6ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
831ce8bc2220d7b092ad45bd16487364

SHA1
86afbb7382acf5f1b7541fa8c9df0b37e88a7917

SHA256
4b0ab89fa8a19e3a523277a7369d100c65d516d80d5ed977422ee952d42cf417

SHA512
7c848d26b8871c4af989341964b2ed942ebcbb2e29971e978190350b858737c7949f3f516d13745ce6f0dd7ac723628c53fb6725b661a3b76850ed9a66eb6077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6aeb397cff7529ccb88daf0c02b2e1b8

SHA1
c5128e3eb543fe795156ccb248c41291fa70692c

SHA256
5451054fc1b7022443232587053efaebe0fd8f03c8a12b3cc6a704d9c4347ebe

SHA512
a6eea7275717dcb316fd9e17a8fc91571104925c75ce1c392082e81b35f44c3e8a4256b6336c9eca6fa35378c00245e1ccf57efe9b87646b3140c88f91b6ec51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0491af6250d60c64a31c24ca9cfcadd

SHA1
99ed11dafef476695c2264beda80349f3e6f7226

SHA256
6562e6bc080321f8c835620b3d1fbd65a4eca7f09f39ba003dbda556105cf4db

SHA512
40202af299e116d9b10a94beb0162f64ef4ba4f702b96aff92dde180855f1c98e9ddc9a70eb0d5afd0e27de9e94d26544a4ebcc7969e06f2206488668ab335ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a79b0f6322aa8740f8572fc25857a78

SHA1
4ec3a90636da48a97e4d4a2f7ba1bac42762766c

SHA256
709bb5482ff222074faf363e46370dce541e7e6d6d1213b5d4093791e21eceab

SHA512
c796ea8699ee45e0488e5e271b18cae10469fce838c817031cd0ae93272ab021fc84a805abd3ddee809b88fc9db5e4288f28f9ec4daff55bf1b99b6f52e619e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eac4ed2c2b856a1243a5cc45f62fd9f5

SHA1
853e181c17837daed108cd1dc45d6bcfcffba232

SHA256
419584f0bc87499692307ac62d75058f3383bd4e0b130ce4cbb9a7ddf3a289bb

SHA512
d6ae0e27015bb020ed395972d626787e50cad13dab9a12d33eea1ed2ba6bf418482be215ad0daf964fb60d4dd38f9b3a196e893a1294141c0baae8cbc94ea861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
793bfcb41e43ea5738af1dc19335886e

SHA1
d8a6c2d76752921b9bea0688f7d9118517fbc02a

SHA256
6c7297a92532fd92551e47facec415d8fc0ca9594a569d1a04048e7ad5b660a9

SHA512
78d4a5b6ee75b18de83918ddb565125b553ecbbaac5cfc4ee3933e62aee5a7426c22c08db05d97b824c8945ed15e6e9ebd5ec83c465c434b5563de306a0f01c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
271c1b6b9164699408dbb016a3351932

SHA1
abae7c2c7e4711008a386234174dc824b55bbc8d

SHA256
1aaf471bec6179ed718601e8d153797272ccb047d6b8c74cba74c3a68b97c96e

SHA512
098cc4b7620d1bae4fa2e1d148cb10f4b25a2a0c3771e21de0bff186641baca24fe6599f3fe14b99e93b31049c191a0fcc4b8e32be8186298e4554c55a3636cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ca245f3313d901044344567f799130a

SHA1
1f72f02fbba72f116e666019f81be7702475e076

SHA256
ea166f288fb135151b9427cbce1dc3c75ea7e99664509c862926dc03731f1db4

SHA512
a60370f250d71960fd2729672637ab56279befc02d3b56248c94c96510d3f359168ecb8d80b8e8d250c584dc181d2db2ed964307fdbc21a1bad14c2d784b040c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e45fb48a2afd2b86ca797de5fe4bdf71

SHA1
a5ec3b60fb51e24e195908249d266de183b87e09

SHA256
a1242779cad7c55104a1a4bc148c5afcffa0820234fc9b8a58f731b20cb8a0be

SHA512
f3e5a2cfae87cc0592be9036849aa522cecdca106fb5709dce08f8c79af0af0a2f3eb5bfba1d32df7e23a15e7419486b933dd1795fc0df20173d646d2da350e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
831f5f0d088f9bcc76579b23146b8a75

SHA1
2670db9a8f79551a982c1f4b222762ba92dcb034

SHA256
d012667332e2ddf31f51f1df63f32e48fb5b115c528b91fd2f3e389f31f537b0

SHA512
6fd45e985a12d5ded1f0bb67053f55773b430a34ee58bdff73f3a7ed89446735c5f222c940173e87f85a9749e280bca59237a3007684932f7976921ebf3c90a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8a0e70d7e195c65f2019d6ac80043ab

SHA1
37858930c7f85dcaecd76bd8dfcf29c6a79cc3bd

SHA256
ec8b3c6888f31d33aa735f922f5e197f1c33a0e5608a75a1a6d859029776a38e

SHA512
dd8bc3d1eace1fd273daa9bec2a480fce1f639dc81507e551023b824057b4101cb8a33c29507de3b623cf738ccaa26ce055f8b4d30f3151254114e580b985ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab368C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3859.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows\SysWOW64\ddr7xm.dll

Filesize
48KB

MD5
ec846b552113c26467a3d0f619c8de5d

SHA1
db2ded70c56f2e94512e805c44a0fb49098e2f04

SHA256
1f68d564c33d5bb5e04380944e21c41a8f6882023dd4190acde2e2f438cb15e5

SHA512
453cc4f4bab560f26c0edf3c72e419272092b726b49f16efda8e781cab05ebcfd51906f8d8c1e51161ac7fb0bc3535530a3dbcd7b8260f512b28c7e034a6d2db

Download Submit
C:\Windows\SysWOW64\mshpc.dll

Filesize
43KB

MD5
b885b87bd1e40e8d1cc12fc12203ee7d

SHA1
9590c3f045f04808b2593b1e374b3699815bf830

SHA256
3b486eff36309a8024c1bc9a9eec1ec2e5394bd6559822b0b273c65190b75ef3

SHA512
a7bada08b8d45399d89e022770e9fd86850034b4c8514424bf1db30c045e7ecf3b41bf9d1bf3a0b3a8411e8d1bf0eff60f5edbc4d9446c81066f2e8294ede7b2

Download Submit
\Windows\SysWOW64\mrcmgr.exe

Filesize
92KB

MD5
2822ffc5989933709ed8ea85ad9adedf

SHA1
cca5f70f11016491832593c9e2bd6c2c9f742a57

SHA256
a4b6637d190f8a1d2cf2a4740c0ca7d33424cfe85d5408315c88531de84a28f5

SHA512
239b60dae1b8febd422f1428f58e785c2dbb9781d7bfb55798549a27fef6bd25e67a089469a5410272a5610d68a978f4a8edf8509b80eeeb056ed1f9fb2f6a39

Download Submit
memory/1056-21-0x0000000010000000-0x000000001006E000-memory.dmp

Filesize
440KB

Download
memory/1992-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1992-17-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads