2f14f9b66d7054613c2e84f70d04fd5cdb3b2c99ec7f72d14123feffcf6a8808

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 19:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Cloud-Web_2_86.dll
Size

123KB
MD5

cd80e012b768c6fbfcf209a10bcfb2b2
SHA1

e1c01bd52be5861cd20696484c043a2b77d22222
SHA256

ee3ba8b64aeaacac397cd4fe81bd4433f23bf7b144a65c18034b1323e6e75c23
SHA512

d1cc91089165ef8507bd8bf21aa76d2373579e7e5e793ee72bd123b9bb8135e8d61272db79aa5d47f3848d8a2a54dd1c9a5b3892ba1f00cc4dc8e2367063f44a
SSDEEP

3072:QNG0ZeC/azzmWxd/mZQA3NM46eqtGGrCxCnW:AtzyKYJmmAGeury

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\ = "CloudExs30002APIClass Helper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}	regsvr32.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs30002BHO.CloudExs30002APIClass	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs30002BHO.CloudExs30002APIClass\CLSID\ = "{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\ProgID\ = "CloudExs30002BHO.CloudExs30002APIClass.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\1.0\ = "CloudExs30002APIClass 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs30002BHO.CloudExs30002APIClass.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\TypeLib\ = "{2AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cloud-Web_2_86.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\TypeLib\ = "{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs30002BHO.CloudExs30002APIClass\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "M0FEMkI4REMtQzY2MC1CMGVmLUJGMUYtRDRDNTJCRDI3MkIw"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.application	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\VersionIndependentProgID\ = "CloudExs30002BHO.CloudExs30002APIClass"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\ = "ICloudExs30002API"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs30002BHO.CloudExs30002APIClass\CurVer\ = "CloudExs30002BHO.CloudExs30002APIClass.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs30002BHO.CloudExs30002APIClass.1\ = "CloudExs30002APIClass Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs30002BHO.CloudExs30002APIClass.1\CLSID\ = "{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs30002BHO.CloudExs30002APIClass\ = "CloudExs30002APIClass Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs30002BHO.CloudExs30002APIClass\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\ = "CloudWeb Web3.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cloud-Web_2_86.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs30002BHO.CloudExs30002APIClass.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\TypeLib\ = "{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\ = "ICloudExs30002API"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD2B8DC-C660-B0EF-BF1F-D4C52BD272B0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD2B8DC-C660-B0ef-BF1F-D4C52BD272B0}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3908	4044	regsvr32.exe	84
PID 4044 wrote to memory of 3908	4044	regsvr32.exe	84
PID 4044 wrote to memory of 3908	4044	regsvr32.exe	84

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Cloud-Web_2_86.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\Cloud-Web_2_86.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3908-0-0x00000000022D0000-0x000000000235D000-memory.dmp

Filesize
564KB

Download