Malware Analysis Report

2025-01-18 21:27

Sample ID 240321-s2fkgsef58
Target dbfc4cc4faf88548b3b1499ba78a324d
SHA256 1f135eeca52d2f7094f4caeada87fdf09e66227f0afc04a53ffb5ac498ed0e63
Tags
adware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

1f135eeca52d2f7094f4caeada87fdf09e66227f0afc04a53ffb5ac498ed0e63

Threat Level: Shows suspicious behavior

The file dbfc4cc4faf88548b3b1499ba78a324d was found to show suspicious behavior.

Malicious Activity Summary

adware stealer

Deletes itself

Installs/modifies Browser Helper Object

Unsigned PE

Modifies registry class

Runs .reg file with regedit

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-03-21 15:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 15:37

Reported

2024-03-21 15:39

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C613CE22-151C-4331-94FF-F113A153F66D} C:\Windows\SysWOW64\regedit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DDC3C501-E798-11EE-A4EE-CEEE273A2359} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417197292" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32\ = "error" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32\ = "c:\\sysdump.dll" C:\Windows\SysWOW64\regedit.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 2528 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 2528 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 2528 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 2528 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2528 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2528 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2528 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1948 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1948 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1948 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1948 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2528 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 2528 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 2528 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 2528 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 2528 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe

"C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe"

C:\Windows\SysWOW64\regedit.exe

regedit -S c:\temp1.reg

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" %1

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\regedit.exe

regedit -S c:\temp2.reg

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\temp2.bat

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\temp1.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2528-2-0x0000000000400000-0x0000000000404000-memory.dmp

\??\c:\temp1.reg

MD5 492eb2c8ff983e87c95ca5a704c6f5b8
SHA1 8677a4e0d606a526b1c90f180116dea7a6bcb0de
SHA256 9f0388e16d77a4560acfe712ab8a8c6a171c5d369c4134cd3af9bec658bbd431
SHA512 ded2c5fa380fcfaa346dcb33a0775cc476ee7f152b0b54ed34b3e97958e200f1f9f01ed546adc2241d2462cfaf39e9e273eaba04cb2efcfbf7085ba9251acd6e

\??\c:\temp2.reg

MD5 6fdc273e79d8888a813c762aa55edc39
SHA1 a3e72c4eaf143697e3c1a29c8b1c223c121e1d58
SHA256 e0eb2406ae229d4df0d3ff5bb8f9bd907aa947b51fdbb6bed1a3238852849f6c
SHA512 370125ded5b43b67cfc8f28363086fc9b2c85c6fe53ab1e5e00281cf87292650b2abe7bf9420631ca405f4c7e213bed00c53432329cc5f7d6d1f615a02a1f253

C:\temp1.bat

MD5 8888fe593e69fe3f4c48f6e207c42d79
SHA1 fc12cef7cb590481c312387af3dcef3436cca234
SHA256 91805ee2ff3812326e4341b30676be14377442d65f5377fb14643a80b75ef264
SHA512 4cecf7657ba257c172238a5ca67c998d85f94b2fac439da83a21a41161363d7bdab6b024c4000e46661bdbb0a3f7e87bd5a75a6d696c66c7f53cac770677f7e8

C:\temp2.bat

MD5 b9975d30ddbd098a754312e16f744ec6
SHA1 9d41e8816bf8f8aa48356c99af46e64947a0d2ef
SHA256 6e4f3dd8bf9469f50bd04878da2bb005a9df85192a5c7428b4477cecbfd4747c
SHA512 5bdca7782ebe7a2d919c7c096d0b2e9927c68044a5ca802ce7a43e6d4d62fda7b5d7620a1154e640c9946def1b13539a948a58bf13697f897748dc66e3406c02

memory/2528-20-0x0000000000400000-0x0000000000404000-memory.dmp

\??\c:\sysdump.dll

MD5 f7982deb1be471edb1aef54b4bbaf109
SHA1 e44f8cedb550fe75510809c6181a609ad957c06b
SHA256 011ab7c538a7581b0c327fbb9ca5bf578f266fec317af2a9286b5733d50a8e1c
SHA512 a89cb5f9939b66d881893b1ad94467d88d4af71541c57ec8cbad46f7023bf3ae4243459545f37946810a96aa81e68d67851b48857523433163aecceadcb80eac

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 15:37

Reported

2024-03-21 15:39

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe"

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C613CE22-151C-4331-94FF-F113A153F66D} C:\Windows\SysWOW64\regedit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2999438723" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31095717" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31095717" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DE67CBBD-E798-11EE-87B8-D28C415B03FA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2999438723" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417800399" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31095717" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3002876192" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32\ = "c:\\sysdump.dll" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32\ = "error" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D} C:\Windows\SysWOW64\regedit.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 4700 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 4700 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 4700 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4700 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2172 wrote to memory of 4864 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2172 wrote to memory of 4864 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2172 wrote to memory of 4864 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4700 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 4700 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 4700 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\regedit.exe
PID 4700 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe

"C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe"

C:\Windows\SysWOW64\regedit.exe

regedit -S c:\temp1.reg

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" %1

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\regedit.exe

regedit -S c:\temp2.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\temp2.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\temp1.bat

Network


Files

memory/4700-0-0x0000000000400000-0x0000000000404000-memory.dmp

\??\c:\temp1.reg

MD5 492eb2c8ff983e87c95ca5a704c6f5b8
SHA1 8677a4e0d606a526b1c90f180116dea7a6bcb0de
SHA256 9f0388e16d77a4560acfe712ab8a8c6a171c5d369c4134cd3af9bec658bbd431
SHA512 ded2c5fa380fcfaa346dcb33a0775cc476ee7f152b0b54ed34b3e97958e200f1f9f01ed546adc2241d2462cfaf39e9e273eaba04cb2efcfbf7085ba9251acd6e

\??\c:\temp2.reg

MD5 6fdc273e79d8888a813c762aa55edc39
SHA1 a3e72c4eaf143697e3c1a29c8b1c223c121e1d58
SHA256 e0eb2406ae229d4df0d3ff5bb8f9bd907aa947b51fdbb6bed1a3238852849f6c
SHA512 370125ded5b43b67cfc8f28363086fc9b2c85c6fe53ab1e5e00281cf87292650b2abe7bf9420631ca405f4c7e213bed00c53432329cc5f7d6d1f615a02a1f253

memory/4700-10-0x0000000000400000-0x0000000000404000-memory.dmp

\??\c:\sysdump.dll

MD5 f7982deb1be471edb1aef54b4bbaf109
SHA1 e44f8cedb550fe75510809c6181a609ad957c06b
SHA256 011ab7c538a7581b0c327fbb9ca5bf578f266fec317af2a9286b5733d50a8e1c
SHA512 a89cb5f9939b66d881893b1ad94467d88d4af71541c57ec8cbad46f7023bf3ae4243459545f37946810a96aa81e68d67851b48857523433163aecceadcb80eac

\??\c:\temp1.bat

MD5 8888fe593e69fe3f4c48f6e207c42d79
SHA1 fc12cef7cb590481c312387af3dcef3436cca234
SHA256 91805ee2ff3812326e4341b30676be14377442d65f5377fb14643a80b75ef264
SHA512 4cecf7657ba257c172238a5ca67c998d85f94b2fac439da83a21a41161363d7bdab6b024c4000e46661bdbb0a3f7e87bd5a75a6d696c66c7f53cac770677f7e8

\??\c:\temp2.bat

MD5 b9975d30ddbd098a754312e16f744ec6
SHA1 9d41e8816bf8f8aa48356c99af46e64947a0d2ef
SHA256 6e4f3dd8bf9469f50bd04878da2bb005a9df85192a5c7428b4477cecbfd4747c
SHA512 5bdca7782ebe7a2d919c7c096d0b2e9927c68044a5ca802ce7a43e6d4d62fda7b5d7620a1154e640c9946def1b13539a948a58bf13697f897748dc66e3406c02