20802dbd7a6399c0788d2a99ea9cfb299b3d5b4fc27268ee4d3cdad3b78f3959

Analysis

max time kernel
135s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe
Size

1.7MB
MD5

6dab619d97eafee6e9fc1e9748c2fab9
SHA1

3d6f68d73e691444dfe234638886a0acfc833930
SHA256

20802dbd7a6399c0788d2a99ea9cfb299b3d5b4fc27268ee4d3cdad3b78f3959
SHA512

00a57788b33d2480c85bdfa3fbb8abd919fc9cf3525b22ed813c4c7f6ec9a258a82b4617b1dee906907278eecf06895211143729ac19be0f2aeaf8b4611e7ad5
SSDEEP

49152:PQj/ZAP3uTKI7QMh2X1vg3pfHRYh3/Ph3gExTEc5V7F74P:PQjSv+KsQMh2lvg3ppw1g7c/Z74P

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1008	30e0.exe

Loads dropped DLL 3 IoCs

pid	Process
1008	30e0.exe
4668	regsvr32.exe
1264	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\91q.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json	30e0.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json	30e0.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json	30e0.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json	30e0.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json	30e0.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ = "Adblocker"	30e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\NoExplorer = "1"	30e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ = "Adblocker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}	30e0.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adblocker\91q.tlb	30e0.exe
File opened for modification	C:\Program Files (x86)\Adblocker\91q.tlb	30e0.exe
File created	C:\Program Files (x86)\Adblocker\91q.dat	30e0.exe
File opened for modification	C:\Program Files (x86)\Adblocker\91q.dat	30e0.exe
File created	C:\Program Files (x86)\Adblocker\91q.x64.dll	30e0.exe
File opened for modification	C:\Program Files (x86)\Adblocker\91q.x64.dll	30e0.exe
File created	C:\Program Files (x86)\Adblocker\91q.dll	30e0.exe
File opened for modification	C:\Program Files (x86)\Adblocker\91q.dll	30e0.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	30e0.exe
Key deleted	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	30e0.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}	30e0.exe
Key deleted	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}	30e0.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	30e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Programmable	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\VersionIndependentProgID\ = "Adblocker"	30e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID	30e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Programmable	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\Adblocker\\91q.tlb"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ThreadingModel = "Apartment"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	30e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID\ = "Adblocker.1.0"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\ = "Adblocker"	30e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Adblocker"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\VersionIndependentProgID	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\91q.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID	30e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	30e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\ = "Adblocker"	30e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	30e0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5144 wrote to memory of 1008	5144	6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe	83
PID 5144 wrote to memory of 1008	5144	6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe	83
PID 5144 wrote to memory of 1008	5144	6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe	83
PID 1008 wrote to memory of 4668	1008	30e0.exe	86
PID 1008 wrote to memory of 4668	1008	30e0.exe	86
PID 1008 wrote to memory of 4668	1008	30e0.exe	86
PID 4668 wrote to memory of 1264	4668	regsvr32.exe	87
PID 4668 wrote to memory of 1264	4668	regsvr32.exe	87

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} = "1"	30e0.exe

C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5144
- C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe
  "C:\Users\Admin\AppData\Local\Temp/28397003/30e0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1008
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Adblocker\91q.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Adblocker\91q.x64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28397003\30e0.dat

Filesize
3KB

MD5
923e60e9d2f9bca9269444ff59b867bc

SHA1
2ad85895c594d4efb4cc06b3ba91189ccb43f6a2

SHA256
f3a011d262eb975489d3426c2661b8de858a59cc9bec052f3d467788c73a067d

SHA512
f6534cbc7919a92d0b566e2ac62a195f75426487da9f0cbc6c834e812379779704a117d09d2b7dfec47bb6b1dd4e1a4f4b31a6e7b5721fd8bdf0521dc076ee6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe

Filesize
623KB

MD5
b2618483d2b505447782784d83fc3c6b

SHA1
5805f72466a86ab72fd328bdafbe20784a02cfbc

SHA256
94553457b3d86e4527651df80e3aa28a0815f9a985e4909a7d0b344fb057ea69

SHA512
b4b60df94f5a4ef16778ba76d504ead9d8f3fb5e9dd3f5e3d5f4108936572ff42e4a54cef61244761df0c9461511f33c0204adfa45ff97b89f4edc38757fc734

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\91q.dll

Filesize
414KB

MD5
ffe3f0c62f2fede9890b18d73724fd97

SHA1
0dafa42039405f8d49a6790180194076bd57c833

SHA256
2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8

SHA512
84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\91q.tlb

Filesize
3KB

MD5
8d10c52cfa044ccdcfff4e0b5775babd

SHA1
3b2c872ab3237d7b74377032ed7a5239c82df766

SHA256
af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156

SHA512
123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\91q.x64.dll

Filesize
461KB

MD5
0231aebb8155fd069d17eab6a679cc1e

SHA1
61cb4b5228e6253863391ef3346c2f9920dbc554

SHA256
fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672

SHA512
42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\[email protected]\chrome.manifest

Filesize
24B

MD5
9eb9821da9d821d6d6137c90aeb1121a

SHA1
6c360d8e80031e13bd695f02c47463c3d28c190e

SHA256
c8df63e332b04b7ca8aac5ad567a6b22e059751e670aeef534233c18163dc434

SHA512
5918e2edb22ecc121a049c1a4fab81b34a6737d4c4f0ab1555c0593ac691199d069b0ea186288dee60b45eafa0a41d804efe8538ce53f46a788c3b5e66414972

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\[email protected]\content\bg.js

Filesize
30KB

MD5
0b4b8d7bb080c85d0ee70988d3cd2c8f

SHA1
f07b4eddce3ba358a8bc3378a35c83f048bf7b34

SHA256
c5178fb809724b5e34dc2e9ee9e331af4c453bd5094b3e1160124b52bb5cdea8

SHA512
13bf071e40e58bb9498aeac5b2de29d8c8ba8b41c78b668fa1ddfc9d9752e4d4dbe123b04634b989a8b33980592a62dfc2fcd1b903aa751c7982bc700ea27e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\[email protected]\install.rdf

Filesize
603B

MD5
bfe3aeb0c60d0286cef66e8e2f10e640

SHA1
a6ff855cd7e492a33dcd52779fdbe8b4ce6ac67d

SHA256
01972e468827776d2ca4975eb0a81fcf3719ef072863bb3b2f0fae75727a71c7

SHA512
ef83ea92d9cabf68c1f6bb0a165009c191106063bad4a78fb68360270013f5e048d64ad3ebe5f53e147c3e179626c1e9fdbca92b4cce58158f7cb9d4f9e12162

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\nfminohdmmapkakbegbgpiajbjdneaoe\Iu3eN.js

Filesize
24KB

MD5
48df0e24dc7d630e4341cbe47c7d29fa

SHA1
7a20bf2b7b5552e8f6a326c0e557b1494b8294a9

SHA256
1159746016bb4c518e56d1810765c08ec2f3d429a6e7edc512d43d55279edde0

SHA512
192ba84a60ac7e84ccc3e1ddcf37b83280b2be14df20d8f0e5b1a69382a314ff08bbc7a2d153c4f0c78704a217e484d35cbc017c7ac83ee821ad9666e4ee3706

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\nfminohdmmapkakbegbgpiajbjdneaoe\background.html

Filesize
142B

MD5
c0c4948dab582878ec0564c46166bda1

SHA1
92c6df67d7f3865d25b1c139ae20e3710a19d4e8

SHA256
c08e9a1b0eaf74c54e1c012590f706b1bedae8fdeb1e1964357aec5d1d9fd14d

SHA512
3c4c74c05f2286e5db20e2fd4fe7c400df3d657d595a1b49afec48b22187300d8b6c9827f1463db362679ed6cdfd72f1415d8e735f3710f3bda516057438def2

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\nfminohdmmapkakbegbgpiajbjdneaoe\content.js

Filesize
6KB

MD5
07139eaa9d1fd2d7c3b47ef37578bbbd

SHA1
782122104e812fc11b30f38f47d142c6de7a2cec

SHA256
4307187a58cde5dca07316df4b950fda6381391af8b63ee8be31cbcff65ad1e0

SHA512
3cab09b0a43f9587c4f70d9bac6f8b9da3de34cf5e739ffd6336ce297500f84486487dd0bf4194e5d523bbb9e4cda209d16050ca8e53d07c5af3496fd78d88ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\nfminohdmmapkakbegbgpiajbjdneaoe\lsdb.js

Filesize
8KB

MD5
0a4c526d7ab529d15a4bee9e218bca79

SHA1
62180ed7a558bb3c3347a81e030c8414d0c4807e

SHA256
dfe75314a9d6e0a3e74b4932c58e81ce8ffeb0fd83af0663a4818698f9f056d1

SHA512
2a78ffa0755f9c44c82ccfd2bf36a08c6d80afd46fae152317b0a285220ff8666cbef0e5bb15582bf0e6955432b3c276a44b15f9c1ead76f0b0969e95c9dfda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\28397003\nfminohdmmapkakbegbgpiajbjdneaoe\manifest.json

Filesize
501B

MD5
12da9defacf7555da51406c40f6a7319

SHA1
6bec535c8f7ba012046c43ffdce58c5602a9ed61

SHA256
2250ebd3138423759f8ba2fcf4eb09180cdb206b5c755128b892626512bd3162

SHA512
3adeb9112d447760f687556f3795633182918bb9c84ce100fcaf4fc5bcf17caa08f4d461db4ad6fc718233b0df0bcb5f89e2629b3764737de1f9f474e4b3780f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads