2419638b693eeaefd46b9e2483a710bcf627b7c6fbc706d6843f9269a845be88

Analysis

max time kernel
136s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daa49d2b7e67b315ef5114db94db05c9_JaffaCakes118.exe
Size

1.8MB
MD5

daa49d2b7e67b315ef5114db94db05c9
SHA1

57a2f116908d4fcce53c33fa21a7e906f59196ed
SHA256

2419638b693eeaefd46b9e2483a710bcf627b7c6fbc706d6843f9269a845be88
SHA512

a38649589d150ea02949a32dd81a9b98167821ff895aca5478b938cc6ba6c7c0bccc060de7ff89477094054cf4622ef28b09f9fa0df602578a98e794e8af7e12
SSDEEP

49152:vDFmHCAgrGk0e28C5e5taZZjrrdcmmYrF/OUE:v3Ag6ojCZZ7ymJ2L

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
1160	QHCBM91jkKC.exe

Loads dropped DLL 3 IoCs

pid	Process
1160	QHCBM91jkKC.exe
224	regsvr32.exe
2248	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0665274D-A05E-7898-6D16-D40CE7452D6C}\ = "Vaudix"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0665274D-A05E-7898-6D16-D40CE7452D6C}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0665274D-A05E-7898-6D16-D40CE7452D6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0665274D-A05E-7898-6D16-D40CE7452D6C}	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0665274D-A05E-7898-6D16-D40CE7452D6C}\ = "Vaudix"	QHCBM91jkKC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0665274D-A05E-7898-6D16-D40CE7452D6C}\NoExplorer = "1"	QHCBM91jkKC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0665274D-A05E-7898-6D16-D40CE7452D6C}	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0665274D-A05E-7898-6D16-D40CE7452D6C}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Vaudix\t2Ylxv2GkU.tlb	QHCBM91jkKC.exe
File opened for modification	C:\Program Files (x86)\Vaudix\t2Ylxv2GkU.tlb	QHCBM91jkKC.exe
File created	C:\Program Files (x86)\Vaudix\t2Ylxv2GkU.dat	QHCBM91jkKC.exe
File opened for modification	C:\Program Files (x86)\Vaudix\t2Ylxv2GkU.dat	QHCBM91jkKC.exe
File created	C:\Program Files (x86)\Vaudix\t2Ylxv2GkU.x64.dll	QHCBM91jkKC.exe
File opened for modification	C:\Program Files (x86)\Vaudix\t2Ylxv2GkU.x64.dll	QHCBM91jkKC.exe
File created	C:\Program Files (x86)\Vaudix\t2Ylxv2GkU.dll	QHCBM91jkKC.exe
File opened for modification	C:\Program Files (x86)\Vaudix\t2Ylxv2GkU.dll	QHCBM91jkKC.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daa49d2b7e67b315ef5114db94db05c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QHCBM91jkKC.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{0665274D-A05E-7898-6D16-D40CE7452D6C}	QHCBM91jkKC.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	QHCBM91jkKC.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{0665274D-A05E-7898-6D16-D40CE7452D6C}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{0665274D-A05E-7898-6D16-D40CE7452D6C}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	QHCBM91jkKC.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{0665274D-A05E-7898-6D16-D40CE7452D6C}	QHCBM91jkKC.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\ProgID	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\VersionIndependentProgID\ = "VVaudix"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\InprocServer32\ = "C:\\Program Files (x86)\\Vaudix\\t2Ylxv2GkU.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\ProgID\ = "VVaudix.1.3"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\InprocServer32\ = "C:\\Program Files (x86)\\Vaudix\\t2Ylxv2GkU.dll"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Vaudix"	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	QHCBM91jkKC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\ = "Vaudix"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VVaudix.VVaudix\CurVer	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VVaudix.VVaudix\CurVer\ = "VVaudix.1.3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\Programmable	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VVaudix.VVaudix.1.3	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VVaudix.VVaudix\CLSID\ = "{0665274D-A05E-7898-6D16-D40CE7452D6C}"	QHCBM91jkKC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\VersionIndependentProgID	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\VersionIndependentProgID\ = "VVaudix"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\InprocServer32\ThreadingModel = "Apartment"	QHCBM91jkKC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\Programmable	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	QHCBM91jkKC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\VersionIndependentProgID	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	QHCBM91jkKC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VVaudix.VVaudix.1.3\ = "Vaudix"	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\Implemented Categories	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VVaudix.VVaudix.1.3\CLSID	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VVaudix.VVaudix.1.3\CLSID\ = "{0665274D-A05E-7898-6D16-D40CE7452D6C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VVaudix.VVaudix.1.3\CLSID\ = "{0665274D-A05E-7898-6D16-D40CE7452D6C}"	QHCBM91jkKC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VVaudix.VVaudix	QHCBM91jkKC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VVaudix.VVaudix\ = "Vaudix"	QHCBM91jkKC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1160	4832	daa49d2b7e67b315ef5114db94db05c9_JaffaCakes118.exe	91
PID 4832 wrote to memory of 1160	4832	daa49d2b7e67b315ef5114db94db05c9_JaffaCakes118.exe	91
PID 4832 wrote to memory of 1160	4832	daa49d2b7e67b315ef5114db94db05c9_JaffaCakes118.exe	91
PID 1160 wrote to memory of 224	1160	QHCBM91jkKC.exe	94
PID 1160 wrote to memory of 224	1160	QHCBM91jkKC.exe	94
PID 1160 wrote to memory of 224	1160	QHCBM91jkKC.exe	94
PID 224 wrote to memory of 2248	224	regsvr32.exe	95
PID 224 wrote to memory of 2248	224	regsvr32.exe	95

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{0665274D-A05E-7898-6D16-D40CE7452D6C} = "1"	QHCBM91jkKC.exe

C:\Users\Admin\AppData\Local\Temp\daa49d2b7e67b315ef5114db94db05c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\daa49d2b7e67b315ef5114db94db05c9_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\170a43c6\QHCBM91jkKC.exe
  "C:\Users\Admin\AppData\Local\Temp/170a43c6/QHCBM91jkKC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1160
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Vaudix\t2Ylxv2GkU.x64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Vaudix\t2Ylxv2GkU.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4452,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\170a43c6\QHCBM91jkKC.dat

Filesize
4KB

MD5
9f25df3fcf5e051a82f602f4cb66bdec

SHA1
e0f1f9b4a2cbee30697ed9699e1bfe72b591a489

SHA256
27d79e70562251491c9d273bfc01192f602e259822e9e630b91721cb2ee0c859

SHA512
c469d5a9471e40070382eb9de853e74036abd20aa0dd085e314ae4d89becc1f222418587b44b05509b990aeb4cf4411c4719226e6e132c01cd8b8569a19b9616

Download Submit
C:\Users\Admin\AppData\Local\Temp\170a43c6\QHCBM91jkKC.exe

Filesize
713KB

MD5
7e57e14ded1c4a5f01f3f68d5dfd9172

SHA1
85c687a742039a0c167ee0dfb4f233355cc53925

SHA256
55b93377719f87ecb5799aec86c9401b11065ca7109dba85cc3709303c09610e

SHA512
db9280497bb6a6cc8e216924a5507167c607929388a5006c9ce7555cb545ffbeffa84cbb1eb3ea11af83b263572427dc9d0abc947c83e603d784a7829d61f855

Download Submit
C:\Users\Admin\AppData\Local\Temp\170a43c6\t2Ylxv2GkU.dll

Filesize
448KB

MD5
77ac4b7f992e09184acf58efe97293cf

SHA1
440396ea69eadffa7d152517a4ccfea24489ac46

SHA256
7f58fc2daaf48877e9e9640c6e9e804ba5aed3c15f72a1620e3f5e24f29af0a9

SHA512
6606e88eead423a0312d23e4f2bd2281782af2588cf7daa955139b6c383250269e4710c9efbf494b93895484ef1033b2ad3561bfce898333f8459c8636108030

Download Submit
C:\Users\Admin\AppData\Local\Temp\170a43c6\t2Ylxv2GkU.tlb

Filesize
3KB

MD5
10d7cb61f6ea9666fdf0cd5c41170b52

SHA1
82bb8eb6f00cab7db9d2ec0ba01f6fe8ec8cb0c8

SHA256
1e3a25d1e6f1c0e53e0328bde3e635d4d9f161540689911c0d8c3a9ccc333a2d

SHA512
bf6c86174fac565438ed6e926305578655366c5cd6faea8ea89d29479efc65e5ad2b758dbced063f26e012cc8147a17faea686a08e57a75dce23df9eedbc4f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\170a43c6\t2Ylxv2GkU.x64.dll

Filesize
503KB

MD5
a335d72f01e80dcf234287dd1097d484

SHA1
c1ea2b5b0bef57b663ef8c85ea751dc6bb2e6970

SHA256
16701e553f85f3032b5d9e82968cf1e0ac3a907936d4df713ebdc08864b7705d

SHA512
d82808a5cfe882d6b746233d7e0fdd2d26d1cd5641cc3ec0c53560975974937456c769c79b631ab2f57319b1c7afdb5f8cda34cb842a24d2c7a4de5243ae61ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads