Malware Analysis Report

2024-10-19 10:48

Sample ID: 240620-jj1m9swgjc
Target: 041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118
SHA256: 594c265b6428c4d72d73345a064154207e51e65bfe0e525cd796d01c2456b418
Tags: adware stealer persistence discovery upx
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 594c265b6428c4d72d73345a064154207e51e65bfe0e525cd796d01c2456b418

Threat Level: Shows suspicious behavior

The file 041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware stealer persistence discovery upx

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Deletes itself

Adds Run key to start application

Installs/modifies Browser Helper Object

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-20 07:42

Signatures

ACProtect 1.3x - 1.4x DLL software


UPX packed file

upx

Unsigned PE


NSIS installer

installer

Analysis: behavioral14

Detonation Overview

Submitted: 2024-06-20 07:42
Reported: 2024-06-20 07:45
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EasyOn.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ = "ISideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ = "IBandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\ = "BandHelper Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ = "IBandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CurVer\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CLSID\ = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID\ = "EasyOn.BandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ = "EasyOn" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\ = "SideBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ = "EasyOnHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories\{00021493-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\CLSID\ = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\ = "SideBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4156 wrote to memory of 1392 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4156 wrote to memory of 1392 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4156 wrote to memory of 1392 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EasyOn.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\EasyOn.dll

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted: 2024-06-20 07:42
Reported: 2024-06-20 07:45
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EasyOn.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EasyOn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.exe" C:\Users\Admin\AppData\Local\Temp\EasyOn.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ = "ISideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID\ = "EasyOn.SideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\ = "BandHelper Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CurVer\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\ = "SideBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ = "EasyOnHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ = "ISideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ = "IBandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CLSID\ = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\ = "EasyOn 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ = "EasyOn" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories\{00021493-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyOn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyOn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 932 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
PID 932 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
PID 932 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\EasyOn.exe

"C:\Users\Admin\AppData\Local\Temp\EasyOn.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\EasyOn.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 easyon.sideon.co.kr udp
US 8.8.8.8:53 easyon.sideon.co.kr udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-20 07:42
Reported: 2024-06-20 07:45
Platform: win7-20240611-en
Max time kernel: 120s
Max time network: 120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted: 2024-06-20 07:42
Reported: 2024-06-20 07:45
Platform: win7-20240220-en
Max time kernel: 122s
Max time network: 123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EasyOn.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\ = "SideBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ = "IBandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ = "EasyOnHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\ = "EasyOn 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories\{00021493-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ = "ISideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\ = "BandHelper Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CurVer\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID\ = "EasyOn.SideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID\ = "EasyOn.BandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\ = "BandHelper Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CLSID\ = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 1592 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 1592 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 1592 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 1592 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 1592 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 1592 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 1592 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EasyOn.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\EasyOn.dll

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EasyOn.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EasyOn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.exe" C:\Users\Admin\AppData\Local\Temp\EasyOn.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CurVer\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\ = "SideBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID\ = "EasyOn.SideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\ = "BandHelper Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\ = "EasyOn 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ = "ISideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ = "IBandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ = "IBandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\ = "SideBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\CLSID\ = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ = "EasyOn" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\ = "BandHelper Class" C:\Windows\SysWOW64\regsvr32.exe N/A
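
The Run key, Browser Helper Objects and registry-class tables above are one installation read three ways: regsvr32 registers CLSID {1CE681DC-1190-40EF-85A9-ADE47098CF51} with an InprocServer32 pointing at EasyOn.dll in the user's Temp directory, then lists the same CLSID under Browser Helper Objects so Internet Explorer loads that DLL, while EasyOn.exe writes its own Run entry. The script below is an added example, not part of this report or of the sandbox that produced it. It parses rows in the report's own format, joins each BHO registration to its CLSID's InprocServer32 path and ProgID, collects Run entries, and flags servers that live in user-writable directories. The sample rows are copied from the tables above; the function names and the user-writable directory list are my own choices.

```python
"""Reconstruct the BHO install chain from rows in this report's format.

Each registry row reads:
    <op> <registry path>[ = "<value>"] <process> <target>
with op one of: Key created, Key deleted, Set value (str), Set value (int).
"""
import json
import re

ROW = re.compile(
    r'^(?P<op>Key created|Key deleted|Set value \((?:str|int)\))\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<process>[A-Z]:\\.*?)\s+(?P<target>N/A|[A-Z]:\\.*)$'
)
GUID = r'(\{[0-9A-F-]{36}\})'
BHO_KEY = re.compile(r'\\Browser Helper Objects\\' + GUID + r'$', re.I)
INPROC = re.compile(r'\\CLSID\\' + GUID + r'\\InprocServer32\\$', re.I)
PROGID = re.compile(r'\\CLSID\\' + GUID + r'\\ProgID\\$', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\([^\\]+)$', re.I)
# Directories a standard user can write to (assumed list): a COM server or
# autorun entry pointing here was never placed by a proper installer.
USER_WRITABLE = re.compile(r'\\(Users|AppData|Temp|ProgramData)\\', re.I)

# Subset of the behavioral15 rows above, copied verbatim.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EasyOn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.exe" C:\Users\Admin\AppData\Local\Temp\EasyOn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
"""


def parse_rows(text):
    """Parse report rows into dicts; raise on a line that is not a registry row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        if row["value"] is not None:
            # the report doubles backslashes inside quoted values
            row["value"] = row["value"].replace("\\\\", "\\")
        rows.append(row)
    return rows


def reconstruct(rows):
    """Join BHO registrations to CLSID -> InprocServer32 DLL and collect Run keys."""
    bhos, servers, progids, run = set(), {}, {}, {}
    for r in rows:
        path, value = r["path"], r["value"]
        if m := BHO_KEY.search(path):
            clsid = m.group(1).upper()
            if r["op"] == "Key deleted":  # a delete/re-create sequence ends created
                bhos.discard(clsid)
            else:
                bhos.add(clsid)
        elif (m := INPROC.search(path)) and value is not None:
            servers[m.group(1).upper()] = value
        elif (m := PROGID.search(path)) and value is not None:
            progids[m.group(1).upper()] = value
        elif (m := RUN_KEY.search(path)) and value is not None:
            run[m.group(1)] = value
    findings = []
    for clsid in sorted(bhos):
        dll = servers.get(clsid)
        findings.append({"clsid": clsid, "progid": progids.get(clsid), "dll": dll,
                         "user_writable": bool(dll and USER_WRITABLE.search(dll))})
    return {"bho": findings, "servers": servers, "run": run}


def iocs(result):
    """Flat, de-duplicated indicators for blocking or hunting."""
    files = set(result["servers"].values()) | set(result["run"].values())
    clsids = {f["clsid"] for f in result["bho"]} | set(result["servers"])
    return {"files": sorted(files), "clsids": sorted(clsids)}


if __name__ == "__main__":
    result = reconstruct(parse_rows(SAMPLE_ROWS))
    print(json.dumps({"findings": result["bho"], "iocs": iocs(result)}, indent=2))
```

Key deletions are honoured because the behavioral1 run later in this report creates, deletes and re-creates the same Browser Helper Objects key; for hunting, the final state of the key is what matters, not the count of writes. Feed the script a whole "Modifies registry class" table rather than the excerpt and the second CLSID, {51A6FBA6-21E1-44B9-8998-5E886EB3E74F}, shows up in the server map but not in the BHO list, which is the expected split between the two COM classes the DLL registers.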

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyOn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EasyOn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EasyOn.exe

"C:\Users\Admin\AppData\Local\Temp\EasyOn.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\EasyOn.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 easyon.sideon.co.kr udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win10v2004-20240611-en

Max time kernel

142s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 3780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 3780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 3780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3780 -ip 3780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2968 -ip 2968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\EasyOn\EasyOn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EasyOn = "C:\\Program Files (x86)\\EasyOn\\EasyOn.exe" C:\Program Files (x86)\EasyOn\EasyOn.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2924 set thread context of 2424 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
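
The WriteProcessMemory rows in this report (64-bit regsvr32 into SysWOW64 regsvr32 in the regsvr32 detonation above, 64-bit rundll32 into SysWOW64 rundll32 in behavioral12 and behavioral10) and the SetThreadContext row directly above describe very different events. The first is a 64-bit host handed a 32-bit DLL re-executing its 32-bit twin, which is what the paired Processes entries show; the second is the installer, running from Temp, rewriting a thread context inside explorer.exe. The script below is an added example, not part of the report or of the sandbox that produced it: it parses rows in the report's format, collapses the one-row-per-call repeats into counts, and assigns a verdict to each source/target pair. The verdict buckets, their ranking and the user-writable directory list are my own heuristics; the sample rows are copied from the tables in this report.

```python
"""Triage the cross-process rows of this report ("PID A wrote to memory of B",
"PID A set thread context of B"): collapse the per-call repeats into counts and
separate the WOW64 relaunch from writes that look like injection.
"""
import re
from collections import Counter

EVENT = re.compile(
    r'^PID (?P<src_pid>\d+) (?P<verb>wrote to memory of|set thread context of) '
    r'(?P<dst_pid>\d+)\s+(?P<indicator>\S+)\s+'
    r'(?P<process>[A-Z]:\\.*?)\s+(?P<target>[A-Z]:\\.*)$'
)
API = {"wrote to memory of": "WriteProcessMemory",
       "set thread context of": "SetThreadContext"}
USER_WRITABLE = re.compile(r'\\(Users|AppData|Temp|ProgramData)\\', re.I)
# Assumed severity ordering for the four verdict buckets used below.
SEVERITY = {"hollowing-candidate": 3, "write-into-system-process": 2,
            "review": 1, "wow64-relaunch": 0}

# Rows copied from the tables in this report; the report prints one row per call.
R_REGSVR = r"PID 2192 wrote to memory of 1592 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe"
R_RUNDLL_12 = r"PID 2072 wrote to memory of 3780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe"
R_RUNDLL_10 = r"PID 2560 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe"
R_HOLLOW = r"PID 2924 set thread context of 2424 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe"
SAMPLE = "\n".join([R_REGSVR] * 7 + [R_RUNDLL_12] * 3 + [R_RUNDLL_10] * 3 + [R_HOLLOW])


def image(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(api, src, dst):
    """Heuristic verdict for one source -> target pair (my buckets, not the sandbox's)."""
    if (api == "WriteProcessMemory" and image(src) == image(dst)
            and "\\system32\\" in src.lower() and "\\syswow64\\" in dst.lower()):
        # A 64-bit regsvr32/rundll32 given a 32-bit DLL re-executes its SysWOW64
        # twin (compare the paired Processes entries). The parent's writes into
        # that child are treated here as process setup rather than a payload.
        return "wow64-relaunch"
    if USER_WRITABLE.search(src) and dst.lower().startswith("c:\\windows\\"):
        # A binary running from a user-writable directory rewriting a thread
        # context inside a Windows binary is the process-hollowing shape.
        return "hollowing-candidate" if api == "SetThreadContext" else "write-into-system-process"
    return "review"


def summarize(text):
    """Parse rows, count repeats per (src, dst, api) and rank by verdict severity."""
    counts = Counter()
    for line in text.strip().splitlines():
        m = EVENT.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        counts[(int(m["src_pid"]), int(m["dst_pid"]), API[m["verb"]],
                m["process"], m["target"])] += 1
    events = []
    for (src_pid, dst_pid, api, src, dst), n in counts.items():
        events.append({"src_pid": src_pid, "dst_pid": dst_pid, "api": api,
                       "process": src, "target": dst, "count": n,
                       "verdict": classify(api, src, dst)})
    return sorted(events, key=lambda e: (-SEVERITY[e["verdict"]], e["src_pid"]))


if __name__ == "__main__":
    for e in summarize(SAMPLE):
        print(f'{e["verdict"]:<26} {e["api"]:<19} x{e["count"]} '
              f'{e["src_pid"]} {image(e["process"])} -> {e["dst_pid"]} {image(e["target"])}')
```

The relaunch bucket is deliberately matched on both the identical image name and the system32 to SysWOW64 direction; a write from a Temp-resident executable into any Windows binary, including explorer.exe, never lands there, and the SetThreadContext row from this run is ranked first regardless of how many WriteProcessMemory rows surround it.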

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\EasyOn\EasyOn.dll C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\EasyOn\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\EasyOn\1 C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ = "IBandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID\ = "EasyOn.SideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\ = "BandHelper Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\ = "BandHelper Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\ = "SideBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CurVer\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ = "EasyOn" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0\win32\ = "C:\\Program Files (x86)\\EasyOn\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ = "EasyOn" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ = "C:\\Program Files (x86)\\EasyOn\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID\ = "EasyOn.BandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CLSID\ = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ = "EasyOnHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\ = "SideBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ = "ISideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\ = "EasyOn 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ = "ISideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ = "C:\\Program Files (x86)\\EasyOn\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\ = "BandHelper Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CurVer\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\EasyOn\EasyOn.exe N/A
N/A N/A C:\Program Files (x86)\EasyOn\EasyOn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2924 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2924 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2924 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2924 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2924 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2924 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2924 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Program Files (x86)\EasyOn\EasyOn.exe
PID 2924 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Program Files (x86)\EasyOn\EasyOn.exe
PID 2924 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Program Files (x86)\EasyOn\EasyOn.exe
PID 2924 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Program Files (x86)\EasyOn\EasyOn.exe
PID 2924 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2924 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2924 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2924 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2924 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2524 wrote to memory of 2828 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2828 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2828 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2828 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2828 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2828 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2828 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\EasyOn\EasyOn.dll"

C:\Program Files (x86)\EasyOn\EasyOn.exe

"C:\Program Files (x86)\EasyOn\EasyOn.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\explorer.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\EasyOn\EasyOn.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 easyon.sideon.co.kr udp
US 8.8.8.8:53 easyon.sideon.co.kr udp

Files

\Users\Admin\AppData\Local\Temp\nst2222.tmp\nsProcess.dll

MD5 05450face243b3a7472407b999b03a72
SHA1 ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
SHA256 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
SHA512 f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

\Users\Admin\AppData\Local\Temp\nst2222.tmp\UAC.dll

MD5 29858669d7da388d1e62b4fd5337af12
SHA1 756b94898429a9025a04ae227f060952f1149a5f
SHA256 c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62
SHA512 6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

\Program Files (x86)\EasyOn\EasyOn.exe

MD5 e95bc409a64ea9a611bf6df227eb7e3c
SHA1 9388530cf6d248c1c73cee05a2d66c77a1cbcac4
SHA256 9bf1cea5efcecb3dd7f28c3d6359037807b3379aeb82f154c27e1f84c3286f3a
SHA512 a5220d93b3c94d158e33b8d01fa2dc18dbf029ebd70871351b3b1c0fa6225d42e419122ecc0d0a12abecd3d42a90ab87793f239c21c63afcf05d6b2e10bc550e

C:\Program Files (x86)\EasyOn\EasyOn.dll

MD5 b8d58e3a0587f0015e5ef6e611444f30
SHA1 181d12bc03b329f4ddd4f85f792b2f0a7b9d147a
SHA256 41321b02a4922ab9911e340c190eead9e17d5f56590921953b0658958e1bfba8
SHA512 b2e1c3f4ec7e1f468fd8e4d190a17268f2008dfc8e8a68e45b6a109cb98322c5363d49d5aaf8e76cf38c7fc1e813179f776dd90ad6ae55b6b46ddbafe1b56434

\Users\Admin\AppData\Local\Temp\nst2222.tmp\IpConfig.dll

MD5 a3ed6f7ea493b9644125d494fbf9a1e6
SHA1 ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8
SHA256 ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08
SHA512 7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

memory/2924-27-0x00000000029B0000-0x00000000029D6000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst2222.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

\Users\Admin\AppData\Local\Temp\nst2222.tmp\SelfDel.dll

MD5 7cff7fe2caea5184d98c147e7e263132
SHA1 21f39d3d0dd5f7198d67ef30e95d10ae3460093e
SHA256 281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101
SHA512 fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

memory/2924-45-0x0000000074890000-0x0000000074899000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\EasyOn\EasyOn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EasyOn = "C:\\Program Files (x86)\\EasyOn\\EasyOn.exe" C:\Program Files (x86)\EasyOn\EasyOn.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1152 set thread context of 924 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\EasyOn\EasyOn.dll C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\EasyOn\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\EasyOn\1 C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CLSID\ = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\CLSID\ = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\ = "SideBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ = "C:\\Program Files (x86)\\EasyOn\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID\ = "EasyOn.BandHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ = "EasyOnHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ = "EasyOn" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ = "C:\\Program Files (x86)\\EasyOn\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ = "ISideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\ = "BandHelper Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\ = "SideBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ = "EasyOn" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID\ = "EasyOn.SideBand" C:\Windows\SysWOW64\regsvr32.exe N/A
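The regsvr32.exe rows above are the sandbox's view of DllRegisterServer running for EasyOn.dll: two CLSIDs get an InprocServer32 pointing at the same DLL, one of them ({1CE681DC-...}, ProgID EasyOn.BandHelper.1) is then listed under Browser Helper Objects, which makes Internet Explorer load that DLL into every browser process, and the Run key covers EasyOn.exe. The Python below is an added example, not part of this report or of any sandbox tooling: it reconstructs that picture from rows in the report's flattened format. The rows embedded in it are a constructed subset copied from this analysis's tables; the assumed row layout is action, key path, optional `= "value"`, acting process, target.

```python
import re
from collections import defaultdict

# Constructed subset of the report's flattened registry tables, one row per line.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ = "EasyOnHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ = "C:\\Program Files (x86)\\EasyOn\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID\ = "EasyOn.BandHelper.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ = "C:\\Program Files (x86)\\EasyOn\\EasyOn.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID\ = "EasyOn.SideBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EasyOn = "C:\\Program Files (x86)\\EasyOn\\EasyOn.exe" C:\Program Files (x86)\EasyOn\EasyOn.exe N/A
"""

# Assumed row layout: action, key path, optional = "value", acting process, target.
# The key path is matched non-greedily so spaces inside it ("Browser Helper Objects")
# do not confuse the process column, which always starts with a drive letter.
ROW_RE = re.compile(
    r'^(?P<action>Key created|Key deleted|Set value \(\w+\))\s+'
    r'(?P<key>\\REGISTRY\\.*?)'
    r'(?:\s+=\s+"(?P<value>.*?)")?'
    r'\s+(?P<proc>C:\\[^"]*?)\s+(?P<target>\S+)$'
)
CLSID_RE = re.compile(
    r'\\Classes\\(?:Wow6432Node\\)?CLSID\\(\{[0-9A-F-]{36}\})(?:\\(.*))?$', re.I)
BHO_RE = re.compile(r'\\Explorer\\Browser Helper Objects\\(\{[0-9A-F-]{36}\})$', re.I)
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\([^\\]+)$', re.I)


def parse_rows(text):
    """Turn flattened report rows into dicts; doubled backslashes in values are un-escaped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev['value'] is not None:
            ev['value'] = ev['value'].replace('\\\\', '\\')
        events.append(ev)
    return events


def _split_sub(sub):
    """'InprocServer32\\' -> ('InprocServer32', '') (default value); 'A\\B' -> ('A', 'B')."""
    if sub.endswith('\\'):
        return sub[:-1], ''
    if '\\' in sub:
        return tuple(sub.rsplit('\\', 1))
    return sub, ''


def summarize(events):
    """Resolve CLSID -> DLL/ProgID, final BHO membership, and Run-key autostarts."""
    clsids, bho, run = defaultdict(dict), set(), {}
    for ev in events:
        key, val, act = ev['key'], ev['value'], ev['action']
        m = CLSID_RE.search(key)
        if m and act.startswith('Set value') and val is not None:
            guid = m.group(1).upper()
            subkey, name = _split_sub(m.group(2) or '')
            if (subkey, name) == ('', ''):
                clsids[guid]['name'] = val
            elif (subkey, name) == ('InprocServer32', ''):
                clsids[guid]['dll'] = val
            elif (subkey, name) == ('InprocServer32', 'ThreadingModel'):
                clsids[guid]['threading'] = val
            elif (subkey, name) == ('ProgID', ''):
                clsids[guid]['progid'] = val
            continue
        m = BHO_RE.search(key)
        if m:  # replay create/delete in order so the final state is what counts
            guid = m.group(1).upper()
            bho.add(guid) if act == 'Key created' else bho.discard(guid)
            continue
        m = RUN_RE.search(key)
        if m and val is not None:
            run[m.group(1)] = val
    findings = []
    for guid in sorted(bho):
        info = clsids.get(guid, {})
        findings.append(f"BHO {guid} ({info.get('progid', '?')}) loads "
                        f"{info.get('dll', '<unresolved>')} into every Internet Explorer process")
    for name, cmd in run.items():
        findings.append(f"Run key {name!r} autostarts {cmd}")
    return {'clsids': {k: dict(v) for k, v in clsids.items()},
            'bho': bho, 'run': run, 'findings': findings}


if __name__ == '__main__':
    for line in summarize(parse_rows(SAMPLE_ROWS))['findings']:
        print(line)
```

Because registry key names are case-insensitive, the uppercase "Key deleted" row and the mixed-case "Key created" rows refer to the same BHO entry; replaying them in order is what shows the entry still present at the end of the run.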

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\EasyOn\EasyOn.exe N/A
N/A N/A C:\Program Files (x86)\EasyOn\EasyOn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1152 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1152 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1152 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Program Files (x86)\EasyOn\EasyOn.exe
PID 1152 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Program Files (x86)\EasyOn\EasyOn.exe
PID 1152 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Program Files (x86)\EasyOn\EasyOn.exe
PID 1152 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1152 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1152 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1152 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1184 wrote to memory of 4924 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1184 wrote to memory of 4924 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1184 wrote to memory of 4924 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
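The SetThreadContext row and the WriteProcessMemory rows are listed under separate signatures, but they need to be read together. Writes into regsvr32.exe (2292) and EasyOn.exe (1184) happen right after the installer spawns them, which is what CreateProcess does for any new child and is not by itself evidence of injection. The explorer.exe case (924) is different: the installer both writes its memory and replaces a thread context, the pattern of process hollowing, and SysWOW64\explorer.exe is also the process the report credits with "Deletes itself". The Python below is an added example, not the report's own tooling: it parses rows in the report's format, keyed on the section heading because a row does not name the API, and grades each written-to process. The embedded text is a constructed subset of the two tables above.

```python
import re
from collections import defaultdict

# Constructed subset of behavioral2's SetThreadContext and WriteProcessMemory tables.
SAMPLE = r"""
Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1152 set thread context of 924 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1152 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1152 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Program Files (x86)\EasyOn\EasyOn.exe
PID 1152 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1152 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 1184 wrote to memory of 4924 N/A C:\Program Files (x86)\EasyOn\EasyOn.exe C:\Windows\SysWOW64\regsvr32.exe
"""

# The API name only appears in the section heading, so the parser carries it along.
HEADING_RE = re.compile(r'^Suspicious use of (\w+)$')
# Assumed row layout: "PID <src> <verb> <dst> N/A <src image> <dst image>"; both images
# start with a drive letter, so the non-greedy source image stops at the next " C:\".
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) (?:wrote to memory of|set thread context of) (?P<dst>\d+)'
    r' N/A (?P<src_img>C:\\.*?) (?P<dst_img>C:\\.*)$'
)


def parse_events(text):
    api, events = None, []
    for line in text.splitlines():
        line = line.strip()
        h = HEADING_RE.match(line)
        if h:
            api = h.group(1)
            continue
        m = ROW_RE.match(line)
        if m and api:
            events.append({'api': api, 'src': int(m['src']), 'dst': int(m['dst']),
                           'src_img': m['src_img'], 'dst_img': m['dst_img']})
    return events


def assess(events):
    """One record per written-to PID; hollowing needs both a write and a thread-context swap."""
    targets = {}
    for ev in events:
        t = targets.setdefault(ev['dst'], {
            'pid': ev['dst'], 'image': ev['dst_img'], 'writers': set(),
            'writes': 0, 'set_thread_context': False})
        t['writers'].add(ev['src'])
        if ev['api'] == 'WriteProcessMemory':
            t['writes'] += 1
        elif ev['api'] == 'SetThreadContext':
            t['set_thread_context'] = True
    for t in targets.values():
        if t['set_thread_context'] and t['writes']:
            t['verdict'] = 'hollowing-style: memory written and thread context replaced'
        else:
            t['verdict'] = ('write-only: consistent with CreateProcess setting up a '
                            'new child, confirm against the child command line')
    return sorted(targets.values(), key=lambda t: t['pid'])


def process_tree(events):
    """Writer PID -> sorted list of PIDs it touched, i.e. the spawn/injection graph."""
    tree = defaultdict(set)
    for ev in events:
        tree[ev['src']].add(ev['dst'])
    return {src: sorted(dsts) for src, dsts in tree.items()}


if __name__ == '__main__':
    evs = parse_events(SAMPLE)
    for t in assess(evs):
        print(f"{t['pid']:>5} {t['image']}: {t['verdict']}")
    print(process_tree(evs))
```

The grading is deliberately conservative: a parent writing into its own just-created child is routine, so only the write-plus-SetThreadContext combination is called out, and the command line in the Processes section (explorer.exe launched with no arguments) is the place to confirm it.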

Processes

C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\041da292d8c81aa4f26fb43b88c8af19_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\EasyOn\EasyOn.dll"

C:\Program Files (x86)\EasyOn\EasyOn.exe

"C:\Program Files (x86)\EasyOn\EasyOn.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\explorer.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\EasyOn\EasyOn.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 easyon.sideon.co.kr udp
US 8.8.8.8:53 easyon.sideon.co.kr udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsk5FB5.tmp\nsProcess.dll

MD5 05450face243b3a7472407b999b03a72
SHA1 ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
SHA256 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
SHA512 f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

C:\Users\Admin\AppData\Local\Temp\nsk5FB5.tmp\UAC.dll

MD5 29858669d7da388d1e62b4fd5337af12
SHA1 756b94898429a9025a04ae227f060952f1149a5f
SHA256 c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62
SHA512 6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

C:\Program Files (x86)\EasyOn\EasyOn.exe

MD5 e95bc409a64ea9a611bf6df227eb7e3c
SHA1 9388530cf6d248c1c73cee05a2d66c77a1cbcac4
SHA256 9bf1cea5efcecb3dd7f28c3d6359037807b3379aeb82f154c27e1f84c3286f3a
SHA512 a5220d93b3c94d158e33b8d01fa2dc18dbf029ebd70871351b3b1c0fa6225d42e419122ecc0d0a12abecd3d42a90ab87793f239c21c63afcf05d6b2e10bc550e

C:\Program Files (x86)\EasyOn\EasyOn.dll

MD5 b8d58e3a0587f0015e5ef6e611444f30
SHA1 181d12bc03b329f4ddd4f85f792b2f0a7b9d147a
SHA256 41321b02a4922ab9911e340c190eead9e17d5f56590921953b0658958e1bfba8
SHA512 b2e1c3f4ec7e1f468fd8e4d190a17268f2008dfc8e8a68e45b6a109cb98322c5363d49d5aaf8e76cf38c7fc1e813179f776dd90ad6ae55b6b46ddbafe1b56434

C:\Users\Admin\AppData\Local\Temp\nsk5FB5.tmp\IpConfig.dll

MD5 a3ed6f7ea493b9644125d494fbf9a1e6
SHA1 ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8
SHA256 ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08
SHA512 7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

memory/1152-32-0x0000000002F60000-0x0000000002F86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsk5FB5.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

C:\Users\Admin\AppData\Local\Temp\nsk5FB5.tmp\SelfDel.dll

MD5 7cff7fe2caea5184d98c147e7e263132
SHA1 21f39d3d0dd5f7198d67ef30e95d10ae3460093e
SHA256 281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101
SHA512 fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

memory/1152-49-0x0000000073C80000-0x0000000073C89000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 840 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 840 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 624

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win7-20231129-en

Max time kernel

140s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 220

Network

N/A

Files

memory/1884-1-0x00000000749D0000-0x00000000749D9000-memory.dmp

memory/1884-3-0x00000000749C0000-0x00000000749C9000-memory.dmp

memory/1884-2-0x00000000749E0000-0x00000000749E9000-memory.dmp

memory/1884-0-0x00000000749E0000-0x00000000749E9000-memory.dmp

memory/1884-6-0x00000000749E0000-0x00000000749E9000-memory.dmp

memory/1884-7-0x00000000749E0000-0x00000000749E9000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4576 wrote to memory of 3812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 3812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 3812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3812 -ip 3812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3812-0-0x0000000075470000-0x0000000075479000-memory.dmp

memory/3812-1-0x0000000075470000-0x0000000075479000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win7-20240611-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 07:42

Reported

2024-06-20 07:45

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4076 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4076 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4740 -ip 4740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 106.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.180.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp

Files

N/A