b7c782895eab0b5d9609affee7f8eb97812a3fc872ced8d46d904b5280c7a80a

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMPImg/PazeraToolbar.exe
Size

2.8MB
MD5

4d14c69f86a74fc25ad116c38f8f05f9
SHA1

bf8399d5f22aec7e4db7b4c385591ed5d42e71d0
SHA256

db3119182761d71fe962e662aaff8aba64121130f3f1d39ac548020f26deec77
SHA512

2f4acf84eb9e588ebe7a1c4731a472c0664f280982f90ec104c04021fbf6e9fc1c4708ce639fb1433ea014954ed24cd79fa94a5d3617e13b8b2e2058cac7a4dc
SSDEEP

49152:qKmU/FmbvQyw+Lx8GtekgJV2cEraOdDJLQDwydRm0qw9d/YDTn3UOesiX9iYvmEd:JmUoU+LSGtYJVqraOb5yds0tf0EOevXT

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
868	PazeraToolbar.exe
868	PazeraToolbar.exe
868	PazeraToolbar.exe
868	PazeraToolbar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PazeraToolbar.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	PazeraToolbar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	PazeraToolbar.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
868	PazeraToolbar.exe

C:\Users\Admin\AppData\Local\Temp\$TEMPImg\PazeraToolbar.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPImg\PazeraToolbar.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstE438.tmp\ioSpecial.ini

Filesize
696B

MD5
bb9472456dbb9cb606e784fe381c8ea3

SHA1
6f549d7078ff9bcbced779b9ea4d6b44c104f28d

SHA256
fcbff029bacec9a002b88809e710a32efb049caa9fd47f1373a4bc7084a197ea

SHA512
8df14d75a1e560156696d5ce75f6338270019a1f648df440b251aaf0bbb85b168a054e896f7f04b78b262c1c3d1b29ed50874ae9d2905622db44fa88adcfc561

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE438.tmp\options.ini

Filesize
1KB

MD5
d0c1fe1203bc8efa9d0588d82dc7a38f

SHA1
384b3e295f0d19e7898adfc7cccd5abe28756d75

SHA256
6c0769d520ab6394290dd4e03b181a9775b045d58104c505b0775ba1369b464f

SHA512
30e46003f2c825d7854c87d49bc36cf34a49eeced209533ebe90690ebe4b74e6618189071b0a412ee561d7f8f9375da945f45dc51c09cb4a32ddd54af2b51162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE438.tmp\options.ini

Filesize
1KB

MD5
dbd9ce2aa3eac9c54bf2cb632a9359c6

SHA1
7020ec2c8a3ffe6f415a3e3e61a631292c5f7c2b

SHA256
42d195ae09b630bbc7882397c35b06d626df80d775df0981b9f7681c5ad8f47e

SHA512
cd680368415a2da5d6dd7a1ba1053226997733ef56338ec4abd9c7c28aabf5e468871eb3226cbd0d76cf21b8e3566389b698c2a2ff10a23910b061e9b98a1dea

Download Submit
\Users\Admin\AppData\Local\Temp\nstE438.tmp\InstallOptions.dll

Filesize
12KB

MD5
1d5c649dde35003a618b9679d5d71b92

SHA1
0409bbab3ab34f8c01289cdd847b4d1a32d05b18

SHA256
0f4d3cee24e3f310fa804983c931d3628613988a24f0be7854f63a9309b8e45f

SHA512
b432ebcc52905662d61a3f17e08e209a3f9d836a9071b3b5e80070af7ebcf34cf66c44426dda041c2a258fda4787e5692e2b35acbcd73288fb84fe3c977bbfd9

Download Submit
\Users\Admin\AppData\Local\Temp\nstE438.tmp\ScrollLicense.dll

Filesize
58KB

MD5
9de28704babdcf38f423c36eae737e17

SHA1
dd7f7b03430bbc9d568c6ea31de88fc281c3eec3

SHA256
d81d764e13b8e7a7ede9964f118d2de44b13c39c442527c0ffa11ed25cac5014

SHA512
74e0b8b2cbf2de7ffde19e31567976e4c59fc68df351621acee5b0f00734fe7cb95f29fc822313f58ab9cf5f2822763d6021643e088fa6a37bf6d4672f6cbeea

Download Submit
\Users\Admin\AppData\Local\Temp\nstE438.tmp\UserInfo.dll

Filesize
4KB

MD5
eaf5036ef8e7fbdfa76d42c18233764f

SHA1
acd9f46c0500b00648933c4a172ef258ec64a1f3

SHA256
74a4283da525512b7fa14d40cafd905e63a8c2a3c9faca4d0605ad71f1a05a7d

SHA512
93d3e698c5d40f28c9d899f95f5b8ae60eceb8e96e57000ed458b9bffadcc98616aeadd4d6b930f3f91bd2a822681ef284dfc0eda6ae776ba1b7cc6ff87704ef

Download Submit