Malware Analysis Report

2025-01-18 21:24

Sample ID 240321-z1tjaacc7x
Target dc9e95d15297ed1540fbd24e0c85d348
SHA256 13fc611da354226e99f1a1a5cbc94c9e79b991d0345fb3dca5faad8f39966abd
Tags adware, stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 13fc611da354226e99f1a1a5cbc94c9e79b991d0345fb3dca5faad8f39966abd

Threat Level: Shows suspicious behavior

The file dc9e95d15297ed1540fbd24e0c85d348 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware stealer

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 21:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NSIS installer

Tags installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-21 21:11

Reported

2024-03-21 21:14

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-21 21:11

Reported

2024-03-21 21:14

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3916 wrote to memory of 1832 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3916 wrote to memory of 1832 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3916 wrote to memory of 1832 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 620

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-21 21:11

Reported

2024-03-21 21:14

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

154s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\$R0.dll

Signatures

Installs/modifies Browser Helper Object

Tags stealer, adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\$R0.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\$R0.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\ = "Pbtoo2s 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\ = "Info cache" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3044 wrote to memory of 2204 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3044 wrote to memory of 2204 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3044 wrote to memory of 2204 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\$R0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\$R0.dll

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 21:11

Reported

2024-03-21 21:14

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe"

Signatures

Installs/modifies Browser Helper Object

Tags stealer, adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Aseo\pbhealth.dll | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
File created | C:\Windows\Aseo\pbhealth.dll | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
File opened for modification | C:\Windows\Aseo\pbhealth.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\ = "Info cache" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\ = "Info cache" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\ = "Pbtoo2s 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ = "C:\\Windows\\Aseo\\pbhealth.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0} | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR\ = "C:\\Windows\\Aseo" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32\ = "C:\\Windows\\Aseo\\pbhealth.dll" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ = "C:\\Windows\\Aseo\\pbhealth.dll" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe

"C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe"

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32.exe" "C:\Windows\Aseo\pbhealth.dll" /s

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsi4122.tmp\System.dll

MD5 bf01b2d04e8fad306ba2f364cfc4edfa
SHA1 58f42b45ca9fc1818c4498ecd8bac088d20f2b18
SHA256 d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903
SHA512 30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

memory/3480-13-0x0000000004850000-0x000000000487B000-memory.dmp

C:\Windows\Aseo\pbhealth.dll

MD5 0843848a3a365651bc9e873d9bb67a01
SHA1 deb3531ddd9a640b8a3d5a8d2d271281eb8f7c62
SHA256 e8e7b5f37903fddb0e5f46a2a0fdb9ceb5b51c6c0276330e4a361b8bb5c7a979
SHA512 e9038292c625578711eee4cd04adb43b8a3052680eaf67f65ad7e21e2055fd81bc459926f0abdcfa5999567a0eb08e5a716e689e7927ac5973dc098f88dd2942

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-21 21:11

Reported

2024-03-21 21:14

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\$R2\NSIS.Library.RegTool.v2.$_4_.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\$R2\NSIS.Library.RegTool.v2.$_4_.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\$R2\NSIS.Library.RegTool.v2.$_4_.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-21 21:11

Reported

2024-03-21 21:14

Platform

win10v2004-20240226-en

Max time kernel

135s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\$R2\NSIS.Library.RegTool.v2.$_4_.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\$R2\NSIS.Library.RegTool.v2.$_4_.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\$R2\NSIS.Library.RegTool.v2.$_4_.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 21:11

Reported

2024-03-21 21:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe"

Signatures

Installs/modifies Browser Helper Object

Tags stealer, adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Aseo\pbhealth.dll | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
File created | C:\Windows\Aseo\pbhealth.dll | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
File opened for modification | C:\Windows\Aseo\pbhealth.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0} | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\ = "Pbtoo2s 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\ = "Info cache" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ = "C:\\Windows\\Aseo\\pbhealth.dll" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\ = "Info cache" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ = "C:\\Windows\\Aseo\\pbhealth.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR\ = "C:\\Windows\\Aseo" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32\ = "C:\\Windows\\Aseo\\pbhealth.dll" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" | C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe

"C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe"

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32.exe" "C:\Windows\Aseo\pbhealth.dll" /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy1576.tmp\System.dll

MD5 bf01b2d04e8fad306ba2f364cfc4edfa
SHA1 58f42b45ca9fc1818c4498ecd8bac088d20f2b18
SHA256 d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903
SHA512 30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

\Windows\Aseo\pbhealth.dll

MD5 0843848a3a365651bc9e873d9bb67a01
SHA1 deb3531ddd9a640b8a3d5a8d2d271281eb8f7c62
SHA256 e8e7b5f37903fddb0e5f46a2a0fdb9ceb5b51c6c0276330e4a361b8bb5c7a979
SHA512 e9038292c625578711eee4cd04adb43b8a3052680eaf67f65ad7e21e2055fd81bc459926f0abdcfa5999567a0eb08e5a716e689e7927ac5973dc098f88dd2942

memory/2288-11-0x0000000000760000-0x000000000078B000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-21 21:11

Reported

2024-03-21 21:14

Platform

win7-20240319-en

Max time kernel

117s

Max time network

120s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\$R0.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} C:\Windows\SysWOW64\regsvr32.exe N/A
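The key above is the persistence point: Explorer's Browser Helper Objects list names a CLSID, and that CLSID's InprocServer32 value (written in the "Modifies registry class" rows) names the DLL that 32-bit Internet Explorer will load. Everything the sample writes sits under Wow6432Node, so the DLL is 32-bit and must be resolved through the 32-bit view of HKLM\SOFTWARE\Classes, not the native one. The PowerShell below is an added hunting example and is not part of the sandbox report or of the sample; the CLSID and the pbhealth.dll SHA256 are copied from this report, while the function names, the path heuristics and the decision to walk both registry views plus HKCU are the example's own.

```powershell
# Added example, not part of the sandbox report or the sample: enumerate Browser Helper
# Objects on a live host and resolve each to its in-process DLL, following the chain this
# report records as BHO key -> CLSID -> InprocServer32 -> C:\Windows\Aseo\pbhealth.dll.
# Indicators below are copied from the report; names and heuristics are the example's own.

$KnownBadClsid  = @('{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}')
$KnownBadSha256 = @('E8E7B5F37903FDDB0E5F46A2A0FDB9CEB5B51C6C0276330E4A361B8BB5C7A979')  # pbhealth.dll

# 32-bit Internet Explorer reads the Wow6432Node view, 64-bit IE the native one; per-user BHOs are rare but legal.
$BhoRoots = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoDll {
  param([string]$Clsid, [string]$View)   # $View: 'native' or 'wow6432'; must match the view the BHO key came from
  $clsidRoot = if ($View -eq 'wow6432') { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
  $props = Get-ItemProperty -Path "$clsidRoot\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
  if ($null -eq $props) { return $null }
  # The DLL path is the key's default value; expand %SystemRoot%-style references in case it is REG_EXPAND_SZ.
  return [Environment]::ExpandEnvironmentVariables([string]$props.'(default)')
}

function Test-SuspiciousDllPath {
  param([string]$Path)
  # Heuristics drawn from this report: a DLL under the user's Temp (behavioral5) or in an
  # ad hoc subdirectory of C:\Windows that is neither System32 nor SysWOW64 (behavioral1).
  $win = [Environment]::GetFolderPath('Windows')
  $std = @([Environment]::GetFolderPath('System'), (Join-Path $win 'SysWOW64'))
  if ($Path -match '\\AppData\\Local\\Temp\\') { return $true }
  if ($Path.StartsWith($win, [StringComparison]::OrdinalIgnoreCase)) {
    foreach ($s in $std) { if ($Path.StartsWith($s, [StringComparison]::OrdinalIgnoreCase)) { return $false } }
    return $true
  }
  return $false
}

function Get-BhoInventory {
  foreach ($root in $BhoRoots) {
    if (-not (Test-Path $root)) { continue }
    $view = if ($root -like '*Wow6432Node*') { 'wow6432' } else { 'native' }
    foreach ($key in Get-ChildItem -Path $root) {
      $clsid  = $key.PSChildName
      $dll    = Resolve-BhoDll -Clsid $clsid -View $view
      $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
      $hash   = $null; $sig = 'n/a'
      if ($exists) {
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        $sig  = [string](Get-AuthenticodeSignature -LiteralPath $dll).Status   # Valid, NotSigned, HashMismatch, ...
      }
      $reasons = @()
      if ($KnownBadClsid -contains $clsid)            { $reasons += 'known-bad CLSID' }
      if ($hash -and $KnownBadSha256 -contains $hash)  { $reasons += 'known-bad SHA256' }
      if ($dll -and (Test-SuspiciousDllPath $dll))     { $reasons += 'DLL in suspicious location' }
      if ($exists -and $sig -ne 'Valid')               { $reasons += "Authenticode status $sig" }
      if (-not $exists)                                { $reasons += 'DLL missing or unresolvable (dangling registration)' }
      $verdict = if ($reasons) { $reasons -join '; ' } else { 'no finding' }
      [pscustomobject]@{ View = $view; CLSID = $clsid; Dll = $dll; SHA256 = $hash; Signature = $sig; Verdict = $verdict }
    }
  }
}

Get-BhoInventory | Format-Table -AutoSize
```

Reading HKLM and hashing files needs no elevation, so this runs from an ordinary session. A known-bad CLSID whose DLL is missing means a partial clean-up left the registration behind; the BHO key and the CLSID key should still be deleted, otherwise a later drop of the same DLL is loaded without any new registry activity.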

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\ = "Pbtoo2s 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\$R0.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\$R0.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\ = "Info cache" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 1680 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2980 wrote to memory of 1680 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2980 wrote to memory of 1680 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2980 wrote to memory of 1680 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2980 wrote to memory of 1680 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2980 wrote to memory of 1680 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2980 wrote to memory of 1680 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\$R0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\$R0.dll
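Two things are worth separating in the process list above. The 64-bit C:\Windows\system32\regsvr32.exe, handed a 32-bit DLL, launches C:\Windows\SysWOW64\regsvr32.exe with the same arguments and writes the child's startup data during process creation; that is what the seven "wrote to memory" rows record, and the pairing on its own is not evidence of injection. What marks this run is the silent (/s) registration of a DLL out of a Temp directory, and in behavioral1 out of an ad hoc C:\Windows\Aseo directory. The PowerShell below is an added triage example, not part of the report, that classifies process-creation records of this shape. The records are constructed inline from the process lists in this report (the parent images and PIDs the report does not give are invented and marked as such, and one benign control record is made up), with field names modelled on Sysmon Event ID 1 so the same function can be pointed at real telemetry.

```powershell
# Added example, not part of the report or the sample: triage regsvr32 process-creation
# records of the shape seen in this detonation. Records are constructed from the report's
# process lists; parents marked "constructed" are not in the report. Field names follow
# Sysmon Event ID 1 (Image, ParentImage, CommandLine) so live events can be projected onto them.

$SampleEvents = @(
  [pscustomobject]@{ ProcessId = 2980; ParentProcessId = 1234            # constructed: the report does not show this parent
                     Image = 'C:\Windows\system32\regsvr32.exe'; ParentImage = 'C:\Windows\explorer.exe'
                     CommandLine = 'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\$R0.dll' },
  [pscustomobject]@{ ProcessId = 1680; ParentProcessId = 2980            # the WOW64 relaunch recorded above
                     Image = 'C:\Windows\SysWOW64\regsvr32.exe'; ParentImage = 'C:\Windows\system32\regsvr32.exe'
                     CommandLine = '/s C:\Users\Admin\AppData\Local\Temp\$_2_\$R0.dll' },
  [pscustomobject]@{ ProcessId = 4100; ParentProcessId = 3000            # PIDs constructed; the command line is behavioral1's
                     Image = 'C:\Windows\SysWOW64\regsvr32.exe'
                     ParentImage = 'C:\Users\Admin\AppData\Local\Temp\dc9e95d15297ed1540fbd24e0c85d348.exe'
                     CommandLine = '"regsvr32.exe" "C:\Windows\Aseo\pbhealth.dll" /s' },
  [pscustomobject]@{ ProcessId = 5200; ParentProcessId = 900             # constructed benign control: installer registering a system DLL
                     Image = 'C:\Windows\system32\regsvr32.exe'; ParentImage = 'C:\Windows\system32\msiexec.exe'
                     CommandLine = 'regsvr32 /s C:\Windows\System32\oleacc.dll' }
)

function Get-RegsvrTarget {
  param([string]$CommandLine)
  # regsvr32 accepts the DLL quoted or bare, before or after its switches; take the first *.dll token.
  if ($CommandLine -match '"([^"]+\.dll)"|(\S+\.dll)') {
    if ($Matches[1]) { return $Matches[1] }
    return $Matches[2]
  }
  return $null
}

function Get-RegsvrVerdict {
  param([object[]]$Events)
  foreach ($e in $Events) {
    $dll   = Get-RegsvrTarget $e.CommandLine
    $flags = @()
    # 64-bit regsvr32 given a 32-bit DLL re-launches the SysWOW64 copy with the same arguments; the parent
    # writing into the child at CreateProcess is what a sandbox reports as WriteProcessMemory. Expected pairing.
    if (($e.Image -like '*\SysWOW64\regsvr32.exe') -and ($e.ParentImage -like '*\system32\regsvr32.exe')) {
      $flags += "WOW64 relaunch of PID $($e.ParentProcessId) (expected)"
    }
    if ($e.CommandLine -match '(^|\s)/s(\s|$)') { $flags += 'silent (/s)' }
    if ($dll) {
      if     ($dll -match '\\AppData\\(Local|Roaming)\\|\\ProgramData\\|\\Temp\\')  { $flags += 'DLL in user-writable path' }
      elseif ($dll -match '^[A-Z]:\\Windows\\(?!System32\\|SysWOW64\\)')           { $flags += 'DLL in ad hoc Windows subdirectory' }
    } else { $flags += 'no DLL argument parsed' }
    if ($e.ParentImage -match '\\AppData\\Local\\Temp\\') { $flags += 'launched by a process running from Temp' }
    $suspicious = @($flags -match 'user-writable|ad hoc|running from Temp').Count -gt 0
    [pscustomobject]@{ Pid = $e.ProcessId; Image = $e.Image; Dll = $dll; Suspicious = $suspicious; Flags = ($flags -join '; ') }
  }
}

Get-RegsvrVerdict $SampleEvents | Format-Table -AutoSize
```

With the constructed input, PIDs 2980, 1680 and 4100 come back Suspicious, each for the DLL location, and 1680 additionally carries the relaunch tag so an analyst can fold it into its parent instead of counting it twice; the msiexec-driven registration of a System32 DLL is the only record that stays clean. On a live host the same function can be fed Sysmon Event ID 1 records from Get-WinEvent once their Image, ParentImage and CommandLine fields are projected onto the object shape used here.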

Network

N/A

Files

N/A