0d43acbb159687bdfda23da84ae785677f0a4c14010be48ead657d2b71a359bd

Analysis

max time kernel
92s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MtvP2P.exe
Size

5.9MB
MD5

c256532149bb511a5616b660f1792c3a
SHA1

26d0add6702f18a03b365aec9d95683842a29d59
SHA256

05ba9c02c7871c980a873c7b0f935323f49875a3a536694ddd4f54626c76ca0c
SHA512

d0dfcaef2e0d883c64ede884e224751a5123d9d7593046089cc469f00bfb9e4f592fdfd9c7caa667efb7b5a8681bb681606b1a68bc87446a9b013ac3e49f25c5
SSDEEP

98304:xMGbGTwx49Y7GbHxjtM4wZEx+LYx73CBqGtSfo01T:0wriB8Z2ObKT

Score

6^/10

adware discovery persistence stealer

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eMuleAutoStart = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MtvP2P.exe -AutoStart"	MtvP2P.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}	MtvP2P.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MtvP2P.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{A0867FD1-79E7-456C-8B41-165A2504FD86}"	MtvP2P.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\MenuExt	MtvP2P.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用MTV分享精灵下载	MtvP2P.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用MTV分享精灵下载\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IE2EM.htm"	MtvP2P.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用MTV分享精灵下载\Contexts = "34"	MtvP2P.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MtvP2Pmetfile\Shell\Open	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.IE2EMBHO.1\CLSID	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}\ = "IE2EMBHO Class"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}\Programmable	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.ProtMon\CLSID\ = "{D15FB88E-B87E-43D1-87C2-D5FF5FA33002}"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D15FB88E-B87E-43D1-87C2-D5FF5FA33002}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MtvP2P\DefaultIcon	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MtvP2Pmetfile\Shell\Open\Command	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE2EM.IE2EMUrlTaker	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48618374-565F-4CA0-B8CD-6F496C997FAF}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D15FB88E-B87E-43D1-87C2-D5FF5FA33002}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kp2p\shell\open\command	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.IE2EMBHO\CLSID\ = "{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0867FD1-79E7-456C-8B41-165A2504FD86}	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE2EM.IE2EMUrlTaker\CurVer\ = "IE2EM.IE2EMUrlTaker.1"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F5497A2-6C8C-45EA-87BC-5A76F2F5E28B}\1.0\0	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F59B9BF7-9A25-4610-B059-4431AB20C3FF}\TypeLib	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\DefaultIcon	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp2p\ = "URL: mp2p Protocol"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MtvP2Ppartfile\DefaultIcon	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\modules\\IE2EM.dll"	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48618374-565F-4CA0-B8CD-6F496C997FAF}\AppID = "{BCEADC2F-0C89-43F5-8DE9-068B5BC265E2}"	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D15FB88E-B87E-43D1-87C2-D5FF5FA33002}\ProgID\ = "BHO.ProtMon.1"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F5497A2-6C8C-45EA-87BC-5A76F2F5E28B}\1.0	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE1A243C-C7CB-4543-AC32-A2D2CA879663}	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F59B9BF7-9A25-4610-B059-4431AB20C3FF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp2p\URL Protocol	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0867FD1-79E7-456C-8B41-165A2504FD86}\Implemented Categories	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MtvP2Pmetfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\resource.dll,1"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}\InprocServer32	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.ProtMon	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kp2p\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MP2PLoader.exe\" \"%1\""	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MtvP2Ppartfile\Shell	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F5497A2-6C8C-45EA-87BC-5A76F2F5E28B}	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F59B9BF7-9A25-4610-B059-4431AB20C3FF}\ProxyStubClsid32	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\shell	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MtvP2P\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MtvP2P.exe,1"	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}\VersionIndependentProgID\ = "BHO.IE2EMBHO"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0867FD1-79E7-456C-8B41-165A2504FD86}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.ProtMon.1\CLSID\ = "{D15FB88E-B87E-43D1-87C2-D5FF5FA33002}"	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F5497A2-6C8C-45EA-87BC-5A76F2F5E28B}\1.0\FLAGS\ = "0"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE1A243C-C7CB-4543-AC32-A2D2CA879663}\ProxyStubClsid32	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ed2k	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DM.EMDM\CurVer\ = "DM.EMDM.1"	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BCEADC2F-0C89-43F5-8DE9-068B5BC265E2}\ = "IE2EM"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE2EM.IE2EMUrlTaker\ = "IE2EMUrlTaker Class"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48618374-565F-4CA0-B8CD-6F496C997FAF}\Programmable	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48618374-565F-4CA0-B8CD-6F496C997FAF}\InprocServer32\ThreadingModel = "Apartment"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.ProtMon.1	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D15FB88E-B87E-43D1-87C2-D5FF5FA33002}\Implemented Categories	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.part\ = "MtvP2Ppartfile"	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE1A243C-C7CB-4543-AC32-A2D2CA879663}\ = "IIE2EMUrlTaker"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MtvP2P\shell\open	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MtvP2P\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MtvP2P.exe\" \"%1\""	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE1A243C-C7CB-4543-AC32-A2D2CA879663}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE2EM.IE2EMUrlTaker.1\CLSID\ = "{48618374-565F-4CA0-B8CD-6F496C997FAF}"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D15FB88E-B87E-43D1-87C2-D5FF5FA33002}\TypeLib	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE1A243C-C7CB-4543-AC32-A2D2CA879663}\TypeLib	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE1A243C-C7CB-4543-AC32-A2D2CA879663}\TypeLib\ = "{8F5497A2-6C8C-45EA-87BC-5A76F2F5E28B}"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE1A243C-C7CB-4543-AC32-A2D2CA879663}\ProxyStubClsid32	MtvP2P.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\ = "URL: ed2k Protocol"	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MtvP2P\shell	MtvP2P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0867FD1-79E7-456C-8B41-165A2504FD86}\InprocServer32	MtvP2P.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
824	MtvP2P.exe
2416	updater.exe
2416	updater.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2416	824	MtvP2P.exe	85
PID 824 wrote to memory of 2416	824	MtvP2P.exe	85
PID 824 wrote to memory of 2416	824	MtvP2P.exe	85

C:\Users\Admin\AppData\Local\Temp\MtvP2P.exe
"C:\Users\Admin\AppData\Local\Temp\MtvP2P.exe"
1⤵
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\updater.exe
  updater.exe -checkforupdates
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\config\cancelled.met

Filesize
5B

MD5
c36685fdc1b9a56002040854db2d653e

SHA1
f83c507c53e69a3e6a9d195d884c88424c68fec3

SHA256
83eafc118ee2ef9073ef3ce2a22a49fe47a950df022806a23ab07bb889db1d6f

SHA512
35da87fac37efa2df13f4c5c1aabfbbbb3121fda9a288a1ce7420f84608c859a7effb05672d73b5b1346984e7b5b3e77f9cb1140adbfdebaa8e0b246647eb760

Download Submit
memory/824-0-0x0000000002AB0000-0x0000000002AD6000-memory.dmp

Filesize
152KB

Download
memory/824-2-0x0000000002BB0000-0x0000000002BE4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads