8df178881e8b75967bc0d637dec79f0c8ef74aa69d34469edb6c5f54bc02d2f7

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume3/Users/tomphilip/AppData/Local/Temp/NER86D7.tmp/Toolbar.exe
Size

472KB
MD5

0f53d59df42827e7af4fc207e600a999
SHA1

bee96291323d129cf104d0fa8ecbe8aab5e4bca5
SHA256

784ad117dc1cd965a561ee729f086049fe47694aa3545ea6408d2ff31917827f
SHA512

1cc407b30c60b7ba865daa2036573c8c205b3710de86a8921c0c47b8e9889bd0d97512ab31160fdeb68220ff8a742fccb3230b74ca65f97c5b019acac8708cfe
SSDEEP

12288:vTOAkRj7IqoRHaxYmzzxrFdLh/20lRSgi:v6AkRjyaxYmdxdLxt

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1444	A5SETUP.EXE
324	A5SRCSP.EXE

Loads dropped DLL 2 IoCs

pid	Process
1444	A5SETUP.EXE
1444	A5SETUP.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar BHO"	A5SETUP.EXE

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL	A5SETUP.EXE
File created	C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL	A5SETUP.EXE
File opened for modification	C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL	A5SETUP.EXE
File created	C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL	A5SETUP.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}	A5SETUP.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl.1\CLSID\ = "{83453071-3F9C-4ab0-BE30-EDA368D7976D}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4cc5-9E06-22DE05C2EDA0}"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\0	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\InprocServer32\ThreadingModel = "Apartment"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\Instance	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}\InprocServer32	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\ = "Ask Toolbar Settings Plugin"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\FLAGS\ = "0"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\InprocServer32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\ASKTBAR.DLL"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CLSID	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1\CLSID	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl\CLSID	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\ = "PopSwatter Control 1.0 Type Library"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar Settings"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\MiscStatus	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\VersionIndependentProgID\ = "AskTBar.SettingsPlugin"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton\CLSID\ = "{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\ = "Bar Button Class"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\TypeLib	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl.1\CLSID	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\ = "Ask PopSwatter"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Control	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\HELPDIR	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Programmable	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\InprocServer32	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\Version = "1.0"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin.1	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\ProgID\ = "AskTBar.SettingsPlugin.1"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Version\ = "1.0"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib\ = "{FE063DB0-4EC0-403E-8DD8-394C54984B2C}"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton\ = "Bar Button Class"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\InprocServer32	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\InprocServer32\ThreadingModel = "Apartment"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Version	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\InprocServer32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\A5POPSWT.DLL"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\TypeLib	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ = "_IAskTBarPopSwatterSettingsEvents"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\InprocServer32\ThreadingModel = "Apartment"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib\ = "{FE063DB0-4EC0-403E-8DD8-394C54984B2C}"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\VersionIndependentProgID\ = "AskTBar.PopSwatterBarButton"	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\ = "PopSwatter Server Class"	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\FLAGS	A5SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}	A5SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\Version = "1.0"	A5SETUP.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 1444	4204	Toolbar.exe	82
PID 4204 wrote to memory of 1444	4204	Toolbar.exe	82
PID 4204 wrote to memory of 1444	4204	Toolbar.exe	82
PID 4204 wrote to memory of 324	4204	Toolbar.exe	83
PID 4204 wrote to memory of 324	4204	Toolbar.exe	83
PID 4204 wrote to memory of 324	4204	Toolbar.exe	83

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\tomphilip\AppData\Local\Temp\NER86D7.tmp\Toolbar.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\tomphilip\AppData\Local\Temp\NER86D7.tmp\Toolbar.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
  "C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\tomphilip\AppData\Local\Temp\NER86D7.tmp\Toolbar.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
  "C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\tomphilip\AppData\Local\Temp\NER86D7.tmp\Toolbar.exe"
  2⤵
  - Executes dropped EXE
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL

Filesize
116KB

MD5
69a3eb924678bb23047e6248648e6534

SHA1
844949940edfa51d38c5fa3294892b92c8d3cf8e

SHA256
8150669b6e743bdc725abfd4e51c3da721e4b1a2a86ee2cda4d61f8e2bbee851

SHA512
6f3c3b4a81965a6cf462943f1c0b0c8db1fbe7b89e24459411dc279cb18d534568c2cf0097bfea6848ceca9818bf10f86c1ea4aaf601f1b1e42dbd9ec696dd06

Download Submit
C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL

Filesize
240KB

MD5
59dbfe16aa20144cb11e7fc8b2d21eaa

SHA1
b4403810c1db8482c5a26b418499a8643e4a6410

SHA256
809bbfa3fb67c79f1901b159b754dd955c5defe28d5879f91972d269d706d55c

SHA512
83ce6c1631d36ebc19be3fc178932f41fdef7c7f8a9dd5d3631527a25f894936477a053ad96d65ba58b8775732741b52af1edc390b260009775406b05df36297

Download Submit
C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE

Filesize
376KB

MD5
f90f8e211bb2ba49218188caa1dc2f3a

SHA1
8a18eb5ec6f37f9c4f0654069815f30f651b1d8c

SHA256
024fe6f1d33edbdb2a9064564273db5e4e2bf87fa6b6380b8a118a7b110b7035

SHA512
107889d1a470a4a622a3a09ee39077d12a444c6bb90e2897e56720c722db8e926f0853bc5cbc435d211105335ea0db1d334f8811c2c6d5ad63b7072742eb4f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

Filesize
76KB

MD5
e7d9ce28eae7d5ce00878a39a7d2584f

SHA1
73b4be59997f90e3bb3e87df47efe76b10fa6a92

SHA256
87f40724067f8e3bfbb2d78962f9925ec77b83fb7763513387a016b6b1683439

SHA512
c7bffecd908007e2b53e83f444e3a685f525c022f12d8e2e3733a47f64c00e2165737450ccca4d86738c79d2104cf3ed6652803eb8fd78f36a2a26423600acd5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads