282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02

Analysis

max time kernel
77s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02N.exe
Size

1.4MB
MD5

5b82e1f551c557565bb034f0aab21e90
SHA1

3d4c600501219726f070c194d25e5e482fd10445
SHA256

282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02
SHA512

6a8e9fae55d7780c7b197c24f5351b9fb12a1c5bca024a4e84957890f97c4181f33467b39291e4785e475078cca2237512a55d3a2f19d902e57bcf86cb62912f
SSDEEP

24576:LPQhskg+ES4gT7C7QmmkQ9b2YKfPSd0Au7LQPJKyIEQMBSMG1f687iAPaPxqcHO:LP6g5S4H7Qmmvb2jfPQBcyIEzAGAPaUT

Score

7^/10

adware discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
2308	r8T1cP.exe

Loads dropped DLL 4 IoCs

pid	Process
2496	282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02N.exe
2308	r8T1cP.exe
2928	regsvr32.exe
1672	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmfcgbmejhlffepggjglkdoihackmoib\2.2\manifest.json	r8T1cP.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmfcgbmejhlffepggjglkdoihackmoib\2.2\manifest.json	r8T1cP.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmfcgbmejhlffepggjglkdoihackmoib\2.2\manifest.json	r8T1cP.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\ = "CostMin"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\ = "CostMin"	r8T1cP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\NoExplorer = "1"	r8T1cP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}	r8T1cP.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\CostMin\cxAER.tlb	r8T1cP.exe
File created	C:\Program Files (x86)\CostMin\cxAER.dat	r8T1cP.exe
File opened for modification	C:\Program Files (x86)\CostMin\cxAER.dat	r8T1cP.exe
File created	C:\Program Files (x86)\CostMin\cxAER.x64.dll	r8T1cP.exe
File opened for modification	C:\Program Files (x86)\CostMin\cxAER.x64.dll	r8T1cP.exe
File created	C:\Program Files (x86)\CostMin\cxAER.dll	r8T1cP.exe
File opened for modification	C:\Program Files (x86)\CostMin\cxAER.dll	r8T1cP.exe
File created	C:\Program Files (x86)\CostMin\cxAER.tlb	r8T1cP.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r8T1cP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	r8T1cP.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}	r8T1cP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}	r8T1cP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	r8T1cP.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CostMin.CostMin\CurVer\ = "CostMin.2.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\ = "CostMin"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\ProgID	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	r8T1cP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CostMin.CostMin\ = "CostMin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CostMin.CostMin.2.2	r8T1cP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\InprocServer32	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CostMin.CostMin.2.2\ = "CostMin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CostMin.CostMin.2.2\CLSID\ = "{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CostMin.CostMin\ = "CostMin"	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\InprocServer32\ThreadingModel = "Apartment"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\InprocServer32\ = "C:\\Program Files (x86)\\CostMin\\cxAER.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\VersionIndependentProgID\ = "CostMin"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\InprocServer32	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\ProgID\ = "CostMin.2.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CostMin.CostMin\CLSID\ = "{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	r8T1cP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CostMin.CostMin\CurVer	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\VersionIndependentProgID\ = "CostMin"	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\InprocServer32\ = "C:\\Program Files (x86)\\CostMin\\cxAER.dll"	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\ProgID	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\Implemented Categories	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CostMin.CostMin.2.2\ = "CostMin"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	r8T1cP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6}\Programmable	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2308	r8T1cP.exe
2308	r8T1cP.exe
2308	r8T1cP.exe
2308	r8T1cP.exe
2308	r8T1cP.exe
2308	r8T1cP.exe
2308	r8T1cP.exe
2308	r8T1cP.exe
2308	r8T1cP.exe
2308	r8T1cP.exe
2308	r8T1cP.exe
2308	r8T1cP.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	r8T1cP.exe
Token: SeDebugPrivilege	2308	r8T1cP.exe
Token: SeDebugPrivilege	2308	r8T1cP.exe
Token: SeDebugPrivilege	2308	r8T1cP.exe
Token: SeDebugPrivilege	2308	r8T1cP.exe
Token: SeDebugPrivilege	2308	r8T1cP.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2308	2496	282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02N.exe	31
PID 2496 wrote to memory of 2308	2496	282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02N.exe	31
PID 2496 wrote to memory of 2308	2496	282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02N.exe	31
PID 2496 wrote to memory of 2308	2496	282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02N.exe	31
PID 2308 wrote to memory of 2928	2308	r8T1cP.exe	32
PID 2308 wrote to memory of 2928	2308	r8T1cP.exe	32
PID 2308 wrote to memory of 2928	2308	r8T1cP.exe	32
PID 2308 wrote to memory of 2928	2308	r8T1cP.exe	32
PID 2308 wrote to memory of 2928	2308	r8T1cP.exe	32
PID 2308 wrote to memory of 2928	2308	r8T1cP.exe	32
PID 2308 wrote to memory of 2928	2308	r8T1cP.exe	32
PID 2928 wrote to memory of 1672	2928	regsvr32.exe	33
PID 2928 wrote to memory of 1672	2928	regsvr32.exe	33
PID 2928 wrote to memory of 1672	2928	regsvr32.exe	33
PID 2928 wrote to memory of 1672	2928	regsvr32.exe	33
PID 2928 wrote to memory of 1672	2928	regsvr32.exe	33
PID 2928 wrote to memory of 1672	2928	regsvr32.exe	33
PID 2928 wrote to memory of 1672	2928	regsvr32.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	r8T1cP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{0814DDDE-AFD8-3B0C-C70E-C2762DC6B3F6} = "1"	r8T1cP.exe

C:\Users\Admin\AppData\Local\Temp\282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02N.exe
"C:\Users\Admin\AppData\Local\Temp\282565fd7f27317787ad83ed92a8e2a9ee6cde2d095de23f9e025ec6efcf8e02N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\5a835d5f\r8T1cP.exe
  "C:\Users\Admin\AppData\Local\Temp/5a835d5f/r8T1cP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2308
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\CostMin\cxAER.x64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\CostMin\cxAER.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5a835d5f\cxAER.dll

Filesize
325KB

MD5
0b504d6562ccd6f9a88c3dd8a2da8c42

SHA1
2589d85e577d36cd6a8711afdfcf073fb527ca4b

SHA256
d6e7f09cd52781efd8eaddf5c450ee30ffd3f48f1a38ac002eb96d7fd8a1297e

SHA512
90fb707cb91cf1472c64ea484a0620ee4d18d2f52bc62ea4181b2ffea46940618dd3d27742e065a2243c9ffd6e3653e2194f72a759f1acbb12bc186d685913cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\cxAER.tlb

Filesize
3KB

MD5
50085452a49958ae6ce00af1111ebdef

SHA1
801e99813c5a05f4ff248f15fd7c058a2dc922ed

SHA256
cb09d5919a5f365a3e3c6663492ee96f766e22fb0d7776e7c322b971fbd5a834

SHA512
c22b23c60e8b52a4f820632d30424509e229d669d0fce54a5f913f5a75098683b09179ee37a81affcde6c94fea34d824978688e1037aad02cfee1b5849403ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\cxAER.x64.dll

Filesize
389KB

MD5
c6fdd95d4c2f100b14458ea1fdb99c98

SHA1
cdfe7b4c679b40fd7274b8878d628ab18888b8d7

SHA256
486176fa7e35c178f5e4494fc8bbdbf31ca4fbe1cab321bb991bd15d215a762e

SHA512
c86059f43209c4f27d4efe96fb2e911584d4266f2114a9df5005be80991c1713139c1edf61425e79f1b22b41cd5b98851604fe10175b654caede4b1b5f7737b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\kmfcgbmejhlffepggjglkdoihackmoib\background.html

Filesize
139B

MD5
58be8d6dea504df15696e20de43f79c4

SHA1
ac9948cdceadce168170cbc144b0c9e65a1fca9b

SHA256
81dc179232dbaa4e7bd6c7a82713a5e62ecaf59af723724a363c8624b5800276

SHA512
073ee894c35e9709de49be971cf5590695053ed2b4bd36667d63f978032fbb06384b085b863525abbb7baa2ffabcc17b038dc7834c13c54e3551c0968d9f2b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\kmfcgbmejhlffepggjglkdoihackmoib\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\kmfcgbmejhlffepggjglkdoihackmoib\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\kmfcgbmejhlffepggjglkdoihackmoib\manifest.json

Filesize
499B

MD5
4c4bad19f3514e843f38a49ed67c9126

SHA1
bbb1b10f73992a749c51c447678676a18849fab4

SHA256
c7d4e356cc5de4755833d581a7b0092d7259ed2bb172ca195bc23f8e504eefae

SHA512
050533fc10b26f027f990248b27f738ed182a8c42b8b9a898e66cd0fb4ef382cc94ae47eb027bbf8eaf1912b61b9c21798a15dd7be4431c89779e6f3eaeedfcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\kmfcgbmejhlffepggjglkdoihackmoib\s_.js

Filesize
5KB

MD5
d44d484028f6a7bb33cf9d16728567d2

SHA1
c41b7eddfbd2afa7041f3e495342d82f1588bb6e

SHA256
242334aa9f47130f9eeab95d0bf09dd766e6ed94434fe142ce8f7ebf36e98bdd

SHA512
b848a7e68772a0c116db42a4bd8f51b93593f02103f419723f8ae59a33b4137ffbd63514d6cef4cae2f55cd1991a00750687e33ce300021a4c6d5f1f09a4a55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\r8T1cP.dat

Filesize
3KB

MD5
48ef6136bce43149faf01072d21b026a

SHA1
eae628f3eccd68b7003b8392d3d0d76da37f60a5

SHA256
4a4c456eb9c8413ae3feabb5133500ccda16bba179282048ad0834d8c3d1895f

SHA512
2540948019676de9e0e636d79e1b8f4601cbcb32ce407d1a6cede5c87e62009e9db51c4e4de9032dc2fa7d3bd7fe3d7ecb2995c27ee219e8abbe6d8c3ada5e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\[email protected]\chrome.manifest

Filesize
26B

MD5
cf920c0c0cd9b232f27af9fc84eaa603

SHA1
290f90d503ffca660a7ed15e555516f691ce4789

SHA256
d20eda837badc5e5ee953f0333ea1a4a98cce257085c643df53fc7ebddefcba9

SHA512
4debc355435a3ff45eb3e92af00516849a20140218111a212fe6908cfc65331462fe234d62334df53eb8b81c41029a1fc5366a971a93d57425a64c25917d466b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\[email protected]\content\bg.js

Filesize
7KB

MD5
bf55e961473457332670810a6654291e

SHA1
011bf407e3ca13d36f0e9ea9a271def3b6b9ff25

SHA256
5d64d71fa00895a6e14f0d2a90d84fbcaa80e2c36d817afb2a4ac46d5aae5ac5

SHA512
a53da7e6259ef463228f4848697f0589746a55dee3b5cff8ded89fc3637b04d7d578c8e4ee052f7b7070253d46b492133cb2fe75a183249d0711769c8a8aac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a835d5f\[email protected]\install.rdf

Filesize
603B

MD5
70fac2826e9291d3d4ce6d881034cfc5

SHA1
ed4c2b5c9af4b180f913a93d3699ba66d1c3a0b6

SHA256
20654a86ec212aa6c13a88e63b48a6153db1490c8e8cc4b37fc50a931bf123ad

SHA512
869c7d21590d241d868d7a882d63160144b3226dcd3e4a685b2698e8b91070400be5e334b49ead664179fe9520b66d8b60bfc71124c7ce4e89fc093d4781a08d

Download Submit
\Users\Admin\AppData\Local\Temp\5a835d5f\r8T1cP.exe

Filesize
564KB

MD5
3341cab47ee090715a8347df8186a28a

SHA1
84bfc3191dc258f497b419572180fe2baab8552b

SHA256
48eddffa241806e5a7a36dbad35ece48f6ceda9652e297e9f4d92ff2d517c103

SHA512
889aef5e980af103aa1b429f15ca80175513802b5d5ac6c800042170bae440815dd95921d701ffa437d77319c19f515d18fcb50797ede3066e83c8833e4c7c35

Download Submit