e98c2b46ff8f65feaaf66b031179616939237ed9009bca1adde0c9aa752a2f56

General

Target

c5e6114bd035557469bf9da02f38ba43.dll
Size

424KB
MD5

c5e6114bd035557469bf9da02f38ba43
SHA1

8740f1b1a2bd6b4419e88df7cd2476085de5a2f2
SHA256

e98c2b46ff8f65feaaf66b031179616939237ed9009bca1adde0c9aa752a2f56
SHA512

95dc2ca8827acf6f5da7286dc22da8506fc8e537c6d1f71bc949ce7ab49e38273a15725a2d5ddaf9d6bba4dbae5bac796e490b8ea90e9c054db22381139d7ec2
SSDEEP

6144:Q16AUrfixlYlvy+EBHpHNhhI966AGkAjOpoaY7Lx7E/LN4fj4QxF9QhkECzLtbA:Q1ky+epxq6xGJOpqvxk4fUurHC

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0acf6538-9d27-a7cf-af5f-18986009c899}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0acf6538-9d27-a7cf-af5f-18986009c899}\NoExplorer = "\"\""	regsvr32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0acf6538-9d27-a7cf-af5f-18986009c899}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0acf6538-9d27-a7cf-af5f-18986009c899}\ = "adssite"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0acf6538-9d27-a7cf-af5f-18986009c899}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0acf6538-9d27-a7cf-af5f-18986009c899}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c5e6114bd035557469bf9da02f38ba43.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0acf6538-9d27-a7cf-af5f-18986009c899}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2320	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 4680	3272	regsvr32.exe	87
PID 3272 wrote to memory of 4680	3272	regsvr32.exe	87
PID 3272 wrote to memory of 4680	3272	regsvr32.exe	87

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c5e6114bd035557469bf9da02f38ba43.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\c5e6114bd035557469bf9da02f38ba43.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4680

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
73e3559d02ba8078c96e1089da1f5417

SHA1
20b5cccb8e193359928a058c745e1a7ddb4d21ac

SHA256
605d5898f6ce56e6b0439de370fd7a785b1998e78f68ff84c5545aeb0c91d92d

SHA512
30ec19c52bf19dcd938811c00db29bf5c9f867e9cb2dc1cd425483a44d775fee8b2f4bc43751b2d990efbda40f2554b296b98e843de6d4cb608bc7ef34bf9674

Download Submit
memory/2320-55-0x0000027DBB7D0000-0x0000027DBB7D1000-memory.dmp

Filesize
4KB

Download
memory/2320-49-0x0000027DBBBC0000-0x0000027DBBBC1000-memory.dmp

Filesize
4KB

Download
memory/2320-79-0x0000027DBBA30000-0x0000027DBBA31000-memory.dmp

Filesize
4KB

Download
memory/2320-78-0x0000027DBB920000-0x0000027DBB921000-memory.dmp

Filesize
4KB

Download
memory/2320-77-0x0000027DBB920000-0x0000027DBB921000-memory.dmp

Filesize
4KB

Download
memory/2320-75-0x0000027DBB910000-0x0000027DBB911000-memory.dmp

Filesize
4KB

Download
memory/2320-63-0x0000027DBB710000-0x0000027DBB711000-memory.dmp

Filesize
4KB

Download
memory/2320-60-0x0000027DBB7D0000-0x0000027DBB7D1000-memory.dmp

Filesize
4KB

Download
memory/2320-48-0x0000027DBBBC0000-0x0000027DBBBC1000-memory.dmp

Filesize
4KB

Download
memory/2320-11-0x0000027DB34A0000-0x0000027DB34B0000-memory.dmp

Filesize
64KB

Download
memory/2320-27-0x0000027DB35A0000-0x0000027DB35B0000-memory.dmp

Filesize
64KB

Download
memory/2320-43-0x0000027DBBB90000-0x0000027DBBB91000-memory.dmp

Filesize
4KB

Download
memory/2320-44-0x0000027DBBBC0000-0x0000027DBBBC1000-memory.dmp

Filesize
4KB

Download
memory/2320-45-0x0000027DBBBC0000-0x0000027DBBBC1000-memory.dmp

Filesize
4KB

Download
memory/2320-57-0x0000027DBB7E0000-0x0000027DBB7E1000-memory.dmp

Filesize
4KB

Download
memory/2320-46-0x0000027DBBBC0000-0x0000027DBBBC1000-memory.dmp

Filesize
4KB

Download
memory/2320-54-0x0000027DBB7E0000-0x0000027DBB7E1000-memory.dmp

Filesize
4KB

Download
memory/2320-47-0x0000027DBBBC0000-0x0000027DBBBC1000-memory.dmp

Filesize
4KB

Download
memory/2320-50-0x0000027DBBBC0000-0x0000027DBBBC1000-memory.dmp

Filesize
4KB

Download
memory/2320-51-0x0000027DBBBC0000-0x0000027DBBBC1000-memory.dmp

Filesize
4KB

Download
memory/2320-52-0x0000027DBBBC0000-0x0000027DBBBC1000-memory.dmp

Filesize
4KB

Download
memory/2320-53-0x0000027DBBBC0000-0x0000027DBBBC1000-memory.dmp

Filesize
4KB

Download
memory/4680-9-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4680-0-0x0000000010000000-0x000000001009B000-memory.dmp

Filesize
620KB

Download
memory/4680-2-0x00000000020C0000-0x000000000211A000-memory.dmp

Filesize
360KB

Download
memory/4680-8-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4680-7-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4680-1-0x0000000010000000-0x000000001009B000-memory.dmp

Filesize
620KB

Download
memory/4680-6-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/4680-5-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/4680-4-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/4680-3-0x0000000003100000-0x0000000003102000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing