1ab515547654c84a0a846ca8438056451b42ebab2ee4e3d21675f60ad7d48f44

General

Target

Device/HarddiskVolume3/Users/HaseebP/AppData/Local/Temp/NER88D9.tmp/Toolbar.exe
Size

472KB
MD5

0f53d59df42827e7af4fc207e600a999
SHA1

bee96291323d129cf104d0fa8ecbe8aab5e4bca5
SHA256

784ad117dc1cd965a561ee729f086049fe47694aa3545ea6408d2ff31917827f
SHA512

1cc407b30c60b7ba865daa2036573c8c205b3710de86a8921c0c47b8e9889bd0d97512ab31160fdeb68220ff8a742fccb3230b74ca65f97c5b019acac8708cfe
SSDEEP

12288:vTOAkRj7IqoRHaxYmzzxrFdLh/20lRSgi:v6AkRjyaxYmdxdLxt

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

A5SETUP.EXEA5SRCSP.EXE

pid process

1232 A5SETUP.EXE
1008 A5SRCSP.EXE
Loads dropped DLL 2 IoCs

Processes:

A5SETUP.EXE

pid process

1232 A5SETUP.EXE
1232 A5SETUP.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1232	A5SETUP.EXE
1008	A5SRCSP.EXE

pid	process
1232	A5SETUP.EXE
1232	A5SETUP.EXE

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

A5SETUP.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar BHO"	A5SETUP.EXE

Drops file in Program Files directory 4 IoCs

Processes:

A5SETUP.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL	A5SETUP.EXE
File created	C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL	A5SETUP.EXE
File opened for modification	C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL	A5SETUP.EXE
File created	C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL	A5SETUP.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

A5SETUP.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}	A5SETUP.EXE

Modifies registry class 64 IoCs

Processes:

A5SETUP.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ = "_IAskTBarSettingsEvents"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ = "IAskTBarPopSwatterSettings"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\ = "Ask Toolbar Settings Plugin"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\TypeLib	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\TypeLib\ = "{FE063DB0-4EC0-403e-8DD8-394C54984B2C}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\0\win32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\A5POPSWT.DLL"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\VersionIndependentProgID\ = "AskTBar.SettingsPlugin"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl\CLSID\ = "{83453071-3F9C-4ab0-BE30-EDA368D7976D}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\ProgID\ = "AskTBar.PopSwatterSettingsControl.1"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\TypeLib\ = "{BD04DAE0-8C1B-4cc5-9E06-22DE05C2EDA0}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\0\win32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\ASKTBAR.DLL"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CLSID\ = "{FE063DBB-4EC0-403e-8DD8-394C54984B2C}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\ProgID\ = "AskTBar.SettingsPlugin.1"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\VersionIndependentProgID	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl\CLSID	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\VersionIndependentProgID	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}\InprocServer32	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin.1\ = "Ask Toolbar Settings Plugin"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CLSID	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl.1\ = "PopSwatter Settings Class"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\Programmable	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ = "_IAskTBarPopSwatterSettingsEvents"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Control	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Version\ = "1.0"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\0	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\InprocServer32	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl.1\CLSID	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar BHO"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CurVer	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\InprocServer32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\ASKTBAR.DLL"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Programmable	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Version	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\ProgID	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\InprocServer32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\A5POPSWT.DLL"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\InprocServer32\ThreadingModel = "Apartment"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\ = "Ask PopSwatter"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl\CurVer	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\TypeLib	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\Programmable	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\Version = "1.0"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ = "_IAskTBarSettingsEvents"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1\CLSID	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\ProgID	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib	A5SETUP.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Toolbar.exe

description	pid	process	target process
PID 4036 wrote to memory of 1232	4036	Toolbar.exe	A5SETUP.EXE
PID 4036 wrote to memory of 1232	4036	Toolbar.exe	A5SETUP.EXE
PID 4036 wrote to memory of 1232	4036	Toolbar.exe	A5SETUP.EXE
PID 4036 wrote to memory of 1008	4036	Toolbar.exe	A5SRCSP.EXE
PID 4036 wrote to memory of 1008	4036	Toolbar.exe	A5SRCSP.EXE
PID 4036 wrote to memory of 1008	4036	Toolbar.exe	A5SRCSP.EXE

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
"C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1232

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
"C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"
2⤵
- Executes dropped EXE
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL
Filesize
116KB

MD5
69a3eb924678bb23047e6248648e6534

SHA1
844949940edfa51d38c5fa3294892b92c8d3cf8e

SHA256
8150669b6e743bdc725abfd4e51c3da721e4b1a2a86ee2cda4d61f8e2bbee851

SHA512
6f3c3b4a81965a6cf462943f1c0b0c8db1fbe7b89e24459411dc279cb18d534568c2cf0097bfea6848ceca9818bf10f86c1ea4aaf601f1b1e42dbd9ec696dd06

Download Submit
C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL
Filesize
240KB

MD5
59dbfe16aa20144cb11e7fc8b2d21eaa

SHA1
b4403810c1db8482c5a26b418499a8643e4a6410

SHA256
809bbfa3fb67c79f1901b159b754dd955c5defe28d5879f91972d269d706d55c

SHA512
83ce6c1631d36ebc19be3fc178932f41fdef7c7f8a9dd5d3631527a25f894936477a053ad96d65ba58b8775732741b52af1edc390b260009775406b05df36297

Download Submit
C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
Filesize
376KB

MD5
f90f8e211bb2ba49218188caa1dc2f3a

SHA1
8a18eb5ec6f37f9c4f0654069815f30f651b1d8c

SHA256
024fe6f1d33edbdb2a9064564273db5e4e2bf87fa6b6380b8a118a7b110b7035

SHA512
107889d1a470a4a622a3a09ee39077d12a444c6bb90e2897e56720c722db8e926f0853bc5cbc435d211105335ea0db1d334f8811c2c6d5ad63b7072742eb4f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
Filesize
76KB

MD5
e7d9ce28eae7d5ce00878a39a7d2584f

SHA1
73b4be59997f90e3bb3e87df47efe76b10fa6a92

SHA256
87f40724067f8e3bfbb2d78962f9925ec77b83fb7763513387a016b6b1683439

SHA512
c7bffecd908007e2b53e83f444e3a685f525c022f12d8e2e3733a47f64c00e2165737450ccca4d86738c79d2104cf3ed6652803eb8fd78f36a2a26423600acd5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads