Malware Analysis Report

2025-01-18 21:13

Sample ID 240325-afm4bsde6x
Target dcc1fccea936b05c4383f8c535b29016
SHA256 eb01dda6ffa6a5ae66dedab0e1ae0d8ab191b6962b63d54b5ad1a5cc2ff889a8
Tags
adware stealer
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

eb01dda6ffa6a5ae66dedab0e1ae0d8ab191b6962b63d54b5ad1a5cc2ff889a8

Threat Level: Shows suspicious behavior

The file dcc1fccea936b05c4383f8c535b29016 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware stealer

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 00:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 00:09

Reported

2024-03-25 00:12

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

winlogon.exe

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\mfccmd.dll C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Programmable C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Version C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\TypeLib C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ProgID C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe

"C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe"

Network

N/A

Files

memory/424-0-0x00000000000C0000-0x00000000000C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 00:09

Reported

2024-03-25 00:12

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

143s

Command Line

winlogon.exe

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\cacdev.dll C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Version C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ProgID C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\TypeLib C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Programmable C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe

"C:\Users\Admin\AppData\Local\Temp\dcc1fccea936b05c4383f8c535b29016.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A