Malware Analysis Report

2025-01-18 21:32

Sample ID 240414-xtx7saeb4y
Target 153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148
SHA256 153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148
Tags
adware discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral1, behavioral11, behavioral5, behavioral6, behavioral7, behavioral9, behavioral10, behavioral2, behavioral4, behavioral13, behavioral15, behavioral3, behavioral8, behavioral12, behavioral14, behavioral16 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148

Threat Level: Shows suspicious behavior

The file 153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148 was classified as showing suspicious behavior (score 7/10). The tags and signatures below describe an unsigned NSIS installer that registers an Internet Explorer Browser Helper Object, drops Firefox (ff) and Chrome (ch, .crx) extension files under Program Files (x86), writes a machine Group Policy file and forces a policy refresh.

Malicious Activity Summary

adware discovery spyware stealer

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 19:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "MediaWatchV1home2854" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
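The installer creates C:\Windows\System32\GroupPolicy\Machine\Registry.pol and touches gpt.ini before running gpupdate.exe /force (see the Processes list for this detonation), i.e. it installs a machine-wide local policy rather than only per-user settings. The report does not show what values that Registry.pol carries, so the first thing to do with the dropped file is read it. The parser below is an added example, not part of the report or of the sample: it decodes (and, for testing, encodes) the Group Policy "PReg" format so an analyst can list every key/value the policy sets or deletes. The entries it round-trips are constructed placeholders, not this sample's policy.

```python
"""Parse (and write) Registry.pol files in the Group Policy "PReg" format:

    "PReg" <version=1 as little-endian DWORD>
    then repeated UTF-16LE entries:  [key\0;value\0;<type DWORD>;<size DWORD>;<data>]

Added example; SAMPLE_ENTRIES are constructed placeholders and are NOT what
the analysed sample wrote (the report does not show the file's contents).
"""
import struct

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
PREG_MAGIC = b"PReg"
PREG_VERSION = 1


def _u16(s):
    return s.encode("utf-16-le")


def encode_pol(entries):
    """Serialize [(key, value_name, reg_type, raw_data_bytes), ...] to Registry.pol bytes."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, name, rtype, data in entries:
        out += _u16("[") + _u16(key) + b"\x00\x00" + _u16(";")
        out += _u16(name) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def _read_cstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 1 >= len(buf):
        raise ValueError("unterminated UTF-16 string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def decode_data(rtype, data):
    """Turn raw value bytes into a Python value for the common registry types."""
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if rtype == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return bytes(data)          # REG_BINARY and anything unrecognised


def is_deletion(value_name):
    """Entries whose value name starts with '**' (e.g. **DelVals., **Del.<name>,
    **DeleteKeys) tell the policy client to delete rather than set."""
    return value_name.startswith("**")


def parse_pol(buf):
    """Return [(key, value_name, reg_type, decoded_value), ...] from Registry.pol bytes."""
    if buf[:4] != PREG_MAGIC:
        raise ValueError("not a PReg file")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != PREG_VERSION:
        raise ValueError("unsupported PReg version %d" % version)
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_cstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_cstr(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(buf, pos + size, "]")
        entries.append((key, name, rtype, decode_data(rtype, data)))
    return entries


def load_pol(path):
    with open(path, "rb") as fh:
        return parse_pol(fh.read())


# Constructed placeholder policy; not taken from the analysed sample.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Example\Agent", "Enabled", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Example\Agent", "UpdateUrl", REG_SZ,
     "https://update.example.invalid/\x00".encode("utf-16-le")),
    (r"Software\Policies\Example\Agent", "Hosts", REG_MULTI_SZ,
     "a.example\x00b.example\x00\x00".encode("utf-16-le")),
]

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else encode_pol(SAMPLE_ENTRIES)
    for key, name, rtype, value in parse_pol(blob):
        prefix = "DELETE " if is_deletion(name) else ""
        print("%s%s\\%s = %r (type %d)" % (prefix, key, name, value, rtype))
```

Run it with the path of a Registry.pol pulled from the sandbox (or from C:\Windows\System32\GroupPolicy\Machine\ on an infected host) as the only argument; without an argument it parses the constructed entries. Deletion entries matter here: an installer can use them to remove an existing policy just as easily as to add one.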

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ch\MediaWatchV1home2854.crx C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\ffMediaWatchV1home2854ffaction.js C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\uninstall.exe C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\ffMediaWatchV1home2854ffaction.js C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ie\MediaWatchV1home2854.dll C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ch\MediaWatchV1home2854.crx C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\ffMediaWatchV1home2854.js C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons\default\MediaWatchV1home2854_32.png C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons\default\MediaWatchV1home2854_32.png C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\ffMediaWatchV1home2854.js C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{dde32d75-5d35-453f-8590-4a9672ea2680} = 51667a6c4c1d3b1b6531f3cd050b53089f9c0fd673ab6195 C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\TypeLib\ = "{e6ef0bb3-7f1a-49e6-b2cb-08f9c33da4f7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ = "IMediaWatchV1home2854BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2854\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2854\\ie\\MediaWatchV1home2854.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2854\\ie\\MediaWatchV1home2854.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ = "IMediaWatchV1home2854BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\ = "{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "MediaWatchV1home2854" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\ = "MediaWatchV1home2854Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\ = "{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Windows\SysWOW64\regsvr32.exe N/A
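The BHO registration above is spread over two tables (the Browser Helper Objects key and the CLSID/TypeLib class registration), which makes it easy to miss that the CLSID, the DLL behind InprocServer32 and the NoExplorer flag belong together. The Python below is an added example, not part of the report: it parses rows in the report's flattened "Key created" / "Set value" format and joins them by GUID into one IOC record per registered BHO. It assumes the process column contains no spaces, which holds for every row in this report; the sample rows are copied from the behavioral1 tables above.

```python
"""Pull COM / Browser Helper Object registration IOCs out of the flattened
registry-indicator rows used in this report. Added example, not report code.

Rows handled (the trailing column is the literal N/A throughout this report):
    Key created <registry path> <process> N/A
    Set value (<type>) <registry path> = <value> <process> N/A
Assumption: the process column holds no spaces (true for every row here), so
it is the last whitespace-separated token.
"""
import json
import re
from collections import defaultdict

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = '
                    r'(?:"(?P<qval>.*)"|(?P<val>\S+)) (?P<proc>\S+)$')
KEY_RE = re.compile(r"^Key created (?P<path>.+) (?P<proc>\S+)$")


def parse_row(row):
    """Return (kind, key, value_name, value, process), or None for other row types."""
    row = row.strip()
    if row.endswith(" N/A"):                 # drop the empty Target column
        row = row[:-4]
    m = SET_RE.match(row)
    if m:
        path = m.group("path")
        if path.endswith("\\"):              # a trailing backslash denotes the (Default) value
            key, name = path[:-1], ""
        else:
            key, _, name = path.rpartition("\\")
        value = m.group("qval") if m.group("qval") is not None else m.group("val")
        # The report doubles backslashes inside quoted string values.
        return ("set", key, name, value.replace("\\\\", "\\"), m.group("proc"))
    m = KEY_RE.match(row)
    if m:
        return ("key", m.group("path").rstrip("\\"), None, None, m.group("proc"))
    return None


def collect_com_registrations(rows):
    """Group registry activity by every GUID that appears in a key path."""
    regs = defaultdict(lambda: {"keys": set(), "values": {}, "processes": set()})
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        kind, key, name, value, proc = parsed
        for guid in GUID_RE.findall(key):
            entry = regs[guid.lower()]
            entry["keys"].add(key.lower())
            entry["processes"].add(proc)
            if kind == "set":
                entry["values"][(key.lower(), name.lower())] = value
    return regs


def _value(entry, key_suffix, name=""):
    """Case-insensitive lookup of a value by the tail of its key path."""
    for (key, vname), value in entry["values"].items():
        if key.endswith(key_suffix.lower()) and vname == name.lower():
            return value
    return None


def bho_iocs(rows):
    """One record per CLSID registered under the Browser Helper Objects key."""
    iocs = []
    for clsid, entry in collect_com_registrations(rows).items():
        bho_suffix = "\\browser helper objects\\" + clsid
        if not any(k.endswith(bho_suffix) for k in entry["keys"]):
            continue
        typelib = _value(entry, "\\typelib")
        iocs.append({
            "clsid": clsid,
            "bho_name": _value(entry, bho_suffix),
            "no_explorer": _value(entry, bho_suffix, "NoExplorer"),
            # InprocServer32 (Default) is the DLL Internet Explorer will load.
            "inproc_server": _value(entry, "\\inprocserver32"),
            "typelib": typelib.lower() if typelib else None,
            "processes": sorted(entry["processes"]),
        })
    return iocs


# Rows copied from the behavioral1 tables above, plus one TypeLib row that must not yield a BHO.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "MediaWatchV1home2854" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2854\\ie\\MediaWatchV1home2854.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\TypeLib\ = "{e6ef0bb3-7f1a-49e6-b2cb-08f9c33da4f7}" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A',
]

if __name__ == "__main__":
    print(json.dumps(bho_iocs(SAMPLE_ROWS), indent=2))
```

Feed it the complete "Modifies registry class" and "Installs/modifies Browser Helper Object" rows of any detonation and it yields the CLSID, the DLL path and the processes involved in one place; note that behavioral11 registers the same CLSID with an InprocServer32 path under the user's Temp directory, so the DLL location is not a stable indicator but the CLSID is.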

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 2760 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2984 wrote to memory of 2600 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe

"C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ie\MediaWatchV1home2854.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force
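The process list shows the chain the installer used: the unsigned NSIS installer running from Temp spawns regsvr32.exe to silently (/s) register the BHO DLL from Program Files (x86), then gpupdate.exe /force to refresh Group Policy after writing Registry.pol. The following is an added detection example, not code from the report or the sample: it runs over constructed process-creation events (pid/ppid/image/cmdline, Sysmon-style) seeded with the PIDs and command lines recorded in this detonation plus a constructed benign control, and flags parents that fit the chain. The installer's own parent (pid 1000) is a placeholder, since the report does not record it.

```python
"""Detect the installer -> regsvr32 /s <dll> -> gpupdate /force pattern from
behavioral1 in process-creation telemetry. Added example; the event format is
a constructed Sysmon-Event-1-like dict, not the sandbox's own schema.
"""
import re
from collections import defaultdict

# DLL path argument of a regsvr32 command line, quoted or not.
REGSVR32_DLL_RE = re.compile(r'"?(?P<dll>[A-Za-z]:\\[^"]+?\.(?:dll|ocx))"?', re.I)
# Registrations of DLLs shipped under these prefixes are ordinary OS activity.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_MARKER = "\\appdata\\local\\temp\\"


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def regsvr32_target(cmdline):
    """Return the DLL path a regsvr32 command line registers, or None."""
    m = REGSVR32_DLL_RE.search(cmdline)
    return m.group("dll") if m else None


def is_silent(cmdline):
    return re.search(r"(^|\s)/s(\s|$)", cmdline, re.I) is not None


def find_bho_install_chains(events):
    """Group children by parent and flag parents that register a DLL from
    outside the Windows directory via regsvr32; the finding is enriched when
    the registration is silent, the parent runs from Temp, or the same parent
    also ran gpupdate /force."""
    images = {e["pid"]: e["image"] for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for ppid, kids in children.items():
        parent = images.get(ppid, "<unknown>")
        forced_gp = any(basename(k["image"]) == "gpupdate.exe"
                        and "/force" in k["cmdline"].lower() for k in kids)
        for k in kids:
            if basename(k["image"]) != "regsvr32.exe":
                continue
            dll = regsvr32_target(k["cmdline"])
            if dll is None or dll.lower().startswith(TRUSTED_DLL_PREFIXES):
                continue
            reasons = ["regsvr32 registered a DLL outside the Windows directory"]
            silent = is_silent(k["cmdline"])
            if silent:
                reasons.append("registration was silent (/s)")
            if TEMP_MARKER in parent.lower():
                reasons.append("parent runs from a user Temp directory")
            if forced_gp:
                reasons.append("same parent also ran gpupdate /force")
            findings.append({"parent_pid": ppid, "parent_image": parent, "dll": dll,
                             "silent": silent, "gpupdate_force": forced_gp,
                             "reasons": reasons})
    return findings


# PIDs and command lines from behavioral1; the installer's parent (pid 1000)
# and the final benign control event are constructed placeholders.
INSTALLER = r"C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe"
SAMPLE_EVENTS = [
    {"pid": 2984, "ppid": 1000, "image": INSTALLER, "cmdline": '"%s"' % INSTALLER},
    {"pid": 2760, "ppid": 2984, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ie\MediaWatchV1home2854.dll" /s'},
    {"pid": 2600, "ppid": 2984, "image": r"C:\Windows\SysWOW64\gpupdate.exe",
     "cmdline": r'"C:\Windows\System32\gpupdate.exe" /force'},
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\SysWOW64\vbscript.dll"},
]

if __name__ == "__main__":
    for f in find_bho_install_chains(SAMPLE_EVENTS):
        print(f["parent_image"], "->", f["dll"])
        for reason in f["reasons"]:
            print("   -", reason)
```

The DLL-location check is deliberately coarse: legitimate installers also register DLLs under Program Files, which is why the rule reports reasons rather than a verdict, and why the Temp-parent and gpupdate /force conditions are what push this chain from "review" to "investigate".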

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nstE54.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ie\MediaWatchV1home2854.dll

MD5 30da403a8658d0c19235e2e7ae696a44
SHA1 01950646830295e694c0d7d9af764efe51ebdeea
SHA256 81ebd5b5c8ee4d8a7fd96556653c2c5d6de3a91586e0840a03df93378f9793f3
SHA512 8ee9f93c0b5bbc7be27dab4877dd245f49f8cf5205b6f805a55826043d5e304e755fcc6c8aca5efb7cdb667d03906cd50c8e3226bff94977a5f570d1d4ed06e6

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2854.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "MediaWatchV1home2854" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\ = "MediaWatchV1home2854Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2854.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2854.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\ = "{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\TypeLib\ = "{e6ef0bb3-7f1a-49e6-b2cb-08f9c33da4f7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ = "IMediaWatchV1home2854BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "MediaWatchV1home2854" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ = "IMediaWatchV1home2854BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\ = "{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 1624 (7 events) N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
(The 64-bit regsvr32.exe re-launches its SysWOW64 counterpart with the same arguments to register a 32-bit DLL; the writes are part of that child-process creation, not injection by the sample.)

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2854.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2854.dll

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2854chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2854chaction.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:12

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2854chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2854chaction.js

Network

All entries in this detonation are reverse-DNS (PTR) lookups sent to 8.8.8.8; no domain specific to this sample appears.

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 161.76.36.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2854.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2854.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2854ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2854ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

113s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2854ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2854ffaction.js

Network

The entries are reverse-DNS (PTR) lookups sent to 8.8.8.8 plus one TCP connection to g.bing.com (204.79.197.237:443); no domain specific to this sample appears in this detonation.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 161.76.36.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:12

Platform

win10v2004-20240412-en

Max time kernel

125s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "MediaWatchV1home2854" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\ffMediaWatchV1home2854.js C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ch\MediaWatchV1home2854.crx C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ch\MediaWatchV1home2854.crx C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\uninstall.exe C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ie\MediaWatchV1home2854.dll C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\ffMediaWatchV1home2854.js C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\ffMediaWatchV1home2854ffaction.js C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\ffMediaWatchV1home2854ffaction.js C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons\default\MediaWatchV1home2854_32.png C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ff\chrome\content\icons\default\MediaWatchV1home2854_32.png C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{dde32d75-5d35-453f-8590-4a9672ea2680} = 51667a6c4c1d3b1b6532f3c7020c570a9d9d0bd671af6b9f C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ = "IMediaWatchV1home2854BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\TypeLib\ = "{e6ef0bb3-7f1a-49e6-b2cb-08f9c33da4f7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2854\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ = "IMediaWatchV1home2854BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\ = "{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "MediaWatchV1home2854" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2854\\ie\\MediaWatchV1home2854.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2854\\ie\\MediaWatchV1home2854.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\ = "MediaWatchV1home2854Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\ = "{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe

"C:\Users\Admin\AppData\Local\Temp\153a21844ea08dca1f61f091c26cfb5eac91d46e1b9a378d43a767669b6cf148.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ie\MediaWatchV1home2854.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4412,i,4190291444332669241,12594774403502447104,262144 --variations-seed-version --mojo-platform-channel-handle=1440 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 161.76.36.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.76.36.23.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nse22F.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2854\ie\MediaWatchV1home2854.dll

MD5 30da403a8658d0c19235e2e7ae696a44
SHA1 01950646830295e694c0d7d9af764efe51ebdeea
SHA256 81ebd5b5c8ee4d8a7fd96556653c2c5d6de3a91586e0840a03df93378f9793f3
SHA512 8ee9f93c0b5bbc7be27dab4877dd245f49f8cf5205b6f805a55826043d5e304e755fcc6c8aca5efb7cdb667d03906cd50c8e3226bff94977a5f570d1d4ed06e6

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3892 wrote to memory of 3204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3892 wrote to memory of 3204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3892 wrote to memory of 3204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3204 -ip 3204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.76.36.23.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 e6543c6d41de18ab838bf66d4d1e917a
SHA1 0c97b6daeaf4902a363a465d3b4396634fc256ce
SHA256 361ba3e94cac8ffad333d3e895f632e98d0a5acd620eec067b3a3c7abdfc21d3
SHA512 a9c06d27e9fd837d004cfe51cc8d0c8adc613be16208b338aff1b56cd964463de990f7b7f4ab333c8aba05d8e338ecf28812f036184a9a24a389fabd56e275f6

C:\Users\Admin\AppData\Local\Temp\nsi3E87.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 220

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win7-20240319-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win10v2004-20240412-en

Max time kernel

98s

Max time network

138s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2854.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2854.js

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 161.76.36.23.in-addr.arpa udp
US 8.8.8.8:53 66.134.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2854.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "MediaWatchV1home2854" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\ = "MediaWatchV1home2854Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2854.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\ = "{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ = "IMediaWatchV1home2854BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\ = "MediaWatchV1home2854" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2854.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\ = "{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dde32d75-5d35-453f-8590-4a9672ea2680}\TypeLib\ = "{e6ef0bb3-7f1a-49e6-b2cb-08f9c33da4f7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6EF0BB3-7F1A-49E6-B2CB-08F9C33DA4F7}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ = "IMediaWatchV1home2854BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAAF928-9BA3-4685-80BF-045C32237DA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 4836 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1548 wrote to memory of 4836 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1548 wrote to memory of 4836 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2854.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2854.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 104.76.36.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 161.76.36.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:12

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4012 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.76.36.23.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 e6543c6d41de18ab838bf66d4d1e917a
SHA1 0c97b6daeaf4902a363a465d3b4396634fc256ce
SHA256 361ba3e94cac8ffad333d3e895f632e98d0a5acd620eec067b3a3c7abdfc21d3
SHA512 a9c06d27e9fd837d004cfe51cc8d0c8adc613be16208b338aff1b56cd964463de990f7b7f4ab333c8aba05d8e338ecf28812f036184a9a24a389fabd56e275f6

C:\Users\Admin\AppData\Local\Temp\nsk51D.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-14 19:09

Reported

2024-04-14 19:11

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 1148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 1148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 1148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1148 -ip 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.76.36.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 161.76.36.23.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A