Malware Analysis Report

2025-01-18 21:27

Sample ID 240321-w4x44age5t
Target dc50efff91d40071e26ffb7491605844
SHA256 a5edeb3512a3d9cad63a6ada9266e2638dc9f5db18801f90e1ccf733515ca685
Tags adware stealer
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10

SHA256 a5edeb3512a3d9cad63a6ada9266e2638dc9f5db18801f90e1ccf733515ca685

Threat level: shows suspicious behavior

The file dc50efff91d40071e26ffb7491605844 was classified as showing suspicious behavior.

Malicious Activity Summary

Tags adware stealer

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-21 18:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-21 18:29
Reported 2024-03-21 18:31
Platform win7-20240220-en
Max time kernel 118s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Installs/modifies Browser Helper Object

Tags stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C68B0149-C717-4041-BF00-C21569B97019} | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\windownewsups.ini | C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe | N/A
File created | C:\Windows\SysWOW64\hfeoqxsdnfxjl.dll | C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\ | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\InprocServer32\ = "C:\\Windows\\SysWow64\\hfeoqxsdnfxjl.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hfeoqxsdnfxjl.IEExtend | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hfeoqxsdnfxjl.IEExtend\ | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hfeoqxsdnfxjl.IEExtend\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\ProgID\ = "hfeoqxsdnfxjl.IEExtend" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hfeoqxsdnfxjl.IEExtend\Clsid\ = "{C68B0149-C717-4041-BF00-C21569B97019}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe

"C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe /s C:\Windows\system32\hfeoqxsdnfxjl.dll
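The rows above describe one persistence mechanism: the sample writes a DLL into SysWOW64, then Regsvr32.exe (the 32-bit copy under SysWOW64) registers it as a COM in-process server with CLSID {C68B0149-C717-4041-BF00-C21569B97019} and lists that CLSID under Browser Helper Objects, so Internet Explorer loads it. Two details matter when reading the report. First, the command line names C:\Windows\system32\hfeoqxsdnfxjl.dll while the file was created under SysWOW64; that is WOW64 file-system redirection, which sends a 32-bit process that opens System32 to SysWOW64 instead. Second, the DLL name differs between the two runs (hfeoqxsdnfxjl vs dpahbzgbnuchd) while the DLL hashes and the CLSID are identical, so the hash and CLSID are the stable indicators, not the file name. The script below is an added example for correlating these rows, not sandbox output and not the sample's code; EVENTS is copied by hand from the behavioral1 tables, and the dict fields are my own layout for one table row.

```python
"""Correlate sandbox registry, file and process rows into one BHO registration finding."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Patterns over the report's Indicator column. The report escapes backslashes
# inside quoted registry string values, so a DLL path arrives as C:\\Windows\\...
_CLSID = r"(\{[0-9A-F-]{36}\})"
BHO_KEY_RE = re.compile(r"\\Browser Helper Objects\\" + _CLSID + r"$", re.I)
INPROC_RE = re.compile(r"\\CLSID\\" + _CLSID + r"\\InprocServer32\\ = \"(.+)\"$", re.I)
PROGID_RE = re.compile(r"\\CLSID\\" + _CLSID + r"\\ProgID\\ = \"(.+)\"$", re.I)
DLL_ARG_RE = re.compile(r"([A-Z]:\\[^\s\"]+\.dll)", re.I)
SILENT_RE = re.compile(r"\s/s\b", re.I)


@dataclass
class BhoFinding:
    clsid: str
    dll: Optional[str] = None              # InprocServer32 default value, unescaped
    progid: Optional[str] = None
    registered_by: Set[str] = field(default_factory=set)
    registration_cmdline: Optional[str] = None
    dll_created_by: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def unescape_reg_value(value: str) -> str:
    return value.replace("\\\\", "\\")


def wow64_redirect(path: str, process_image: str) -> str:
    """Path a 32-bit (SysWOW64-hosted) process really touches when it names System32."""
    sys32 = "c:\\windows\\system32\\"
    if process_image.lower().startswith("c:\\windows\\syswow64\\") and path.lower().startswith(sys32):
        return "C:\\Windows\\SysWOW64\\" + path[len(sys32):]
    return path


def find_bho_registrations(events: List[Dict[str, str]]) -> List[BhoFinding]:
    findings: Dict[str, BhoFinding] = {}

    def finding(clsid: str) -> BhoFinding:
        return findings.setdefault(clsid.upper(), BhoFinding(clsid=clsid.upper()))

    # Pass 1: registry rows give the CLSID, its in-process DLL and its ProgID.
    for ev in events:
        if ev["type"] != "registry":
            continue
        ind, proc = ev["indicator"], ev["process"]
        if m := BHO_KEY_RE.search(ind):
            f = finding(m.group(1))
            f.registered_by.add(proc)
            if "wow6432node" in ind.lower():
                f.flags.append("registered under Wow6432Node (32-bit BHO)")
        elif m := INPROC_RE.search(ind):
            f = finding(m.group(1))
            f.dll = unescape_reg_value(m.group(2))
            f.registered_by.add(proc)
        elif m := PROGID_RE.search(ind):
            finding(m.group(1)).progid = m.group(2)

    # Pass 2: tie the DLL to whoever wrote it and to the command line that registered it.
    for ev in events:
        if ev["type"] == "file":
            for f in findings.values():
                if f.dll and ev["path"].lower() == f.dll.lower():
                    f.dll_created_by = ev["process"]
        elif ev["type"] == "process" and (m := DLL_ARG_RE.search(ev["cmdline"])):
            real_path = wow64_redirect(m.group(1), ev["image"])   # system32 -> SysWOW64
            for f in findings.values():
                if f.dll and real_path.lower() == f.dll.lower():
                    f.registration_cmdline = ev["cmdline"]
                    if SILENT_RE.search(ev["cmdline"]):
                        f.flags.append("silent regsvr32 (/s)")

    for f in findings.values():
        if f.dll_created_by:
            f.flags.append(f"DLL written by {f.dll_created_by} before registration")
        if f.dll and f.dll.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
            f.flags.append("DLL lives in a Windows system directory")
    return sorted(findings.values(), key=lambda x: x.clsid)


# Constructed from the behavioral1 tables above (not sandbox output).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe"
REGSVR32 = r"C:\Windows\SysWOW64\Regsvr32.exe"
CLSID = "{C68B0149-C717-4041-BF00-C21569B97019}"
BHO_ROOT = r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects"
CLSID_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file", "path": r"C:\Windows\SysWOW64\windownewsups.ini", "process": SAMPLE},
    {"type": "file", "path": r"C:\Windows\SysWOW64\hfeoqxsdnfxjl.dll", "process": SAMPLE},
    {"type": "registry", "process": REGSVR32, "indicator": BHO_ROOT + "\\" + CLSID},
    {"type": "registry", "process": REGSVR32, "indicator": CLSID_ROOT + "\\" + CLSID + r"\InprocServer32"},
    {"type": "registry", "process": REGSVR32,
     "indicator": CLSID_ROOT + "\\" + CLSID + r'\InprocServer32\ = "C:\\Windows\\SysWow64\\hfeoqxsdnfxjl.dll"'},
    {"type": "registry", "process": REGSVR32,
     "indicator": CLSID_ROOT + "\\" + CLSID + r'\ProgID\ = "hfeoqxsdnfxjl.IEExtend"'},
    {"type": "process", "image": REGSVR32, "cmdline": r"Regsvr32.exe /s C:\Windows\system32\hfeoqxsdnfxjl.dll"},
]

if __name__ == "__main__":
    for hit in find_bho_registrations(EVENTS):
        print(hit)
```

The same function applied to the behavioral2 rows yields the same CLSID and ProgID suffix with the other DLL name, which is what makes the CLSID a better hunting key than the path.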

Network

N/A

Files

memory/2080-0-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2080-1-0x0000000000220000-0x0000000000222000-memory.dmp

C:\Windows\SysWOW64\hfeoqxsdnfxjl.dll

MD5 b11a7476b7aeca348fe33d6242b465da
SHA1 e7e72254097a2a9b08fa7d64789ca665bdfa3a96
SHA256 9ff6d68518c09f6d454370c50fa4e97143c9824fa370790d3de933429c45c4dc
SHA512 32af36f020107b66c05eecd4a203e438183a0eae0772fdbd181adfaa3ef00744d180f6768da2eabc2749fbecc8b84a38de078fd407a7873ca9345fb9ccb10008

memory/1984-6-0x00000000001D0000-0x0000000000270000-memory.dmp

memory/1984-7-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2080-8-0x0000000000400000-0x0000000000469000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-21 18:29
Reported 2024-03-21 18:31
Platform win10v2004-20231215-en
Max time kernel 93s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Installs/modifies Browser Helper Object

Tags stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C68B0149-C717-4041-BF00-C21569B97019} | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\windownewsups.ini | C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe | N/A
File created | C:\Windows\SysWOW64\dpahbzgbnuchd.dll | C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\InprocServer32\ = "C:\\Windows\\SysWow64\\dpahbzgbnuchd.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dpahbzgbnuchd.IEExtend\Clsid\ = "{C68B0149-C717-4041-BF00-C21569B97019}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\ProgID\ = "dpahbzgbnuchd.IEExtend" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dpahbzgbnuchd.IEExtend\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\ | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dpahbzgbnuchd.IEExtend | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dpahbzgbnuchd.IEExtend\ | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe

"C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe /s C:\Windows\system32\dpahbzgbnuchd.dll

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 128.227.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.179.17.96.in-addr.arpa | udp
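Every row in this table is a PTR (reverse-DNS) query sent to the resolver 8.8.8.8, and the table does not record which process issued it, so these names are evidence of reverse lookups in the sandbox, not of the sample contacting those hosts. To check the looked-up hosts against known ranges the labels have to be reversed back into addresses. The script below is an added example for doing that, not sandbox output; DNS_ROWS is copied by hand from the table above, and the ip6.arpa branch goes beyond the table (which only has IPv4 names) so the same function handles both PTR forms.

```python
"""Decode PTR query names from a sandbox Network table back into IP addresses."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (country, destination, domain, proto), constructed from the behavioral2 table above.
DNS_ROWS: List[Tuple[str, str, str, str]] = [
    ("US", "8.8.8.8:53", "79.121.231.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.179.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "183.142.211.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "157.123.68.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.126.166.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "128.227.79.178.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.179.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "81.179.17.96.in-addr.arpa", "udp"),
]


def ptr_name_to_ip(name: str) -> Optional[str]:
    """Decode an in-addr.arpa / ip6.arpa name; None if it is not a complete PTR name."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        candidate = ".".join(reversed(labels[:4]))          # octets are stored last-first
    elif labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:32]))              # one hex nibble per label
        candidate = ":".join(nibbles[i:i + 4] for i in range(0, 32, 4))
    else:
        return None
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:                                        # e.g. an octet above 255
        return None
    # Round-trip through the stdlib's own PTR builder to reject malformed labels.
    return str(addr) if addr.reverse_pointer == name else None


def looked_up_addresses(rows: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str]]:
    """(resolver, address) pairs for every decodable PTR query, deduplicated in order."""
    seen: Dict[Tuple[str, str], None] = {}
    for _country, dest, domain, _proto in rows:
        ip = ptr_name_to_ip(domain)
        if ip is not None:
            seen[(dest, ip)] = None
    return list(seen)


def cluster_by_prefix(addresses: List[str], prefixlen: int = 24) -> Dict[str, List[str]]:
    """Group addresses by the /prefixlen network they fall in, to spot lookups of one block."""
    groups: Dict[str, List[str]] = {}
    for ip in addresses:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups.setdefault(str(net), []).append(ip)
    return groups


if __name__ == "__main__":
    pairs = looked_up_addresses(DNS_ROWS)
    for resolver, ip in pairs:
        print(f"{resolver} <- PTR for {ip}")
    for net, members in cluster_by_prefix([ip for _, ip in pairs]).items():
        print(net, members)
```

The decoded addresses are what you would feed to an ownership or reputation lookup; the /24 clustering shows, for instance, that three of the twelve queries concern the same block.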

Files

memory/956-0-0x0000000000400000-0x0000000000469000-memory.dmp

memory/956-1-0x0000000000610000-0x0000000000612000-memory.dmp

C:\Windows\SysWOW64\dpahbzgbnuchd.dll

MD5 b11a7476b7aeca348fe33d6242b465da
SHA1 e7e72254097a2a9b08fa7d64789ca665bdfa3a96
SHA256 9ff6d68518c09f6d454370c50fa4e97143c9824fa370790d3de933429c45c4dc
SHA512 32af36f020107b66c05eecd4a203e438183a0eae0772fdbd181adfaa3ef00744d180f6768da2eabc2749fbecc8b84a38de078fd407a7873ca9345fb9ccb10008

memory/3404-8-0x0000000001FC0000-0x0000000002060000-memory.dmp

memory/3404-7-0x0000000001FC0000-0x0000000002060000-memory.dmp

memory/3404-9-0x0000000000480000-0x0000000000482000-memory.dmp

memory/956-10-0x0000000000400000-0x0000000000469000-memory.dmp