1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe
Size

1.5MB
MD5

92dcd66c5fa28c908374a51a47f82280
SHA1

3d4c2cdc87b7241db6b3f89d051ce095fba4c49e
SHA256

1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612
SHA512

b5b30f565f0707826e0e3cb51043411a6fd61e858eb87f719d8d46cf5e758cb40c7b7e1e7a106dba23effc1417e9739245d5a5e4539bc9ddef8691a801ba6f6a
SSDEEP

49152:rN2oCWRDIA4CRMT9B0jr4LpylrDEpdmEySStuPP8llijP:rNl4Cm2P4LpmAjySoWUlliT

Score

7^/10

adware discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
2756	cmLg7XRxLz.exe

Loads dropped DLL 4 IoCs

pid	Process
1448	1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe
2756	cmLg7XRxLz.exe
2900	regsvr32.exe
2932	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajmkkjdjaleendpcijfgdmlpcncogpkf\1.6\manifest.json	cmLg7XRxLz.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\ = "Doiwnlooade keeper"	cmLg7XRxLz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\NoExplorer = "1"	cmLg7XRxLz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\ = "Doiwnlooade keeper"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Doiwnlooade keeper\On1fRm7Jx.tlb	cmLg7XRxLz.exe
File created	C:\Program Files (x86)\Doiwnlooade keeper\On1fRm7Jx.dat	cmLg7XRxLz.exe
File opened for modification	C:\Program Files (x86)\Doiwnlooade keeper\On1fRm7Jx.dat	cmLg7XRxLz.exe
File created	C:\Program Files (x86)\Doiwnlooade keeper\On1fRm7Jx.x64.dll	cmLg7XRxLz.exe
File opened for modification	C:\Program Files (x86)\Doiwnlooade keeper\On1fRm7Jx.x64.dll	cmLg7XRxLz.exe
File created	C:\Program Files (x86)\Doiwnlooade keeper\On1fRm7Jx.dll	cmLg7XRxLz.exe
File opened for modification	C:\Program Files (x86)\Doiwnlooade keeper\On1fRm7Jx.dll	cmLg7XRxLz.exe
File created	C:\Program Files (x86)\Doiwnlooade keeper\On1fRm7Jx.tlb	cmLg7XRxLz.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmLg7XRxLz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	cmLg7XRxLz.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}	cmLg7XRxLz.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}	cmLg7XRxLz.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	cmLg7XRxLz.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera\CLSID\ = "{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\VersionIndependentProgID\ = "DDownnlioadd KEEpera"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Doiwnlooade keeper"	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera.DDownnlioadd	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera	cmLg7XRxLz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\Programmable	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\Doiwnlooade keeper\\On1fRm7Jx.dll"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera.1.6\CLSID\ = "{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera.1.6\ = "Doiwnlooade keeper"	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\InprocServer32	cmLg7XRxLz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera\CLSID	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera\CurVer	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera\CurVer\ = "DDownnlioadd KEEpera.1.6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\Programmable	cmLg7XRxLz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\Doiwnlooade keeper\\On1fRm7Jx.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\InprocServer32\ = "C:\\Program Files (x86)\\Doiwnlooade keeper\\On1fRm7Jx.dll"	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\ProgID\ = "DDownnlioadd KEEpera.1.6"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DDownnlioadd	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\VersionIndependentProgID	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera\ = "Doiwnlooade keeper"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\VersionIndependentProgID\ = "DDownnlioadd KEEpera"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\Doiwnlooade keeper\\On1fRm7Jx.tlb"	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\ProgID	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	cmLg7XRxLz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera\CLSID\ = "{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KEEpera.1.6	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1}\ = "Doiwnlooade keeper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	cmLg7XRxLz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	cmLg7XRxLz.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2756	1448	1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe	30
PID 1448 wrote to memory of 2756	1448	1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe	30
PID 1448 wrote to memory of 2756	1448	1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe	30
PID 1448 wrote to memory of 2756	1448	1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe	30
PID 1448 wrote to memory of 2756	1448	1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe	30
PID 1448 wrote to memory of 2756	1448	1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe	30
PID 1448 wrote to memory of 2756	1448	1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe	30
PID 2756 wrote to memory of 2900	2756	cmLg7XRxLz.exe	31
PID 2756 wrote to memory of 2900	2756	cmLg7XRxLz.exe	31
PID 2756 wrote to memory of 2900	2756	cmLg7XRxLz.exe	31
PID 2756 wrote to memory of 2900	2756	cmLg7XRxLz.exe	31
PID 2756 wrote to memory of 2900	2756	cmLg7XRxLz.exe	31
PID 2756 wrote to memory of 2900	2756	cmLg7XRxLz.exe	31
PID 2756 wrote to memory of 2900	2756	cmLg7XRxLz.exe	31
PID 2900 wrote to memory of 2932	2900	regsvr32.exe	32
PID 2900 wrote to memory of 2932	2900	regsvr32.exe	32
PID 2900 wrote to memory of 2932	2900	regsvr32.exe	32
PID 2900 wrote to memory of 2932	2900	regsvr32.exe	32
PID 2900 wrote to memory of 2932	2900	regsvr32.exe	32
PID 2900 wrote to memory of 2932	2900	regsvr32.exe	32
PID 2900 wrote to memory of 2932	2900	regsvr32.exe	32

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	cmLg7XRxLz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{99C76CA0-9D5F-E5D7-82C0-7F2C71FE1BA1} = "1"	cmLg7XRxLz.exe

C:\Users\Admin\AppData\Local\Temp\1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe
"C:\Users\Admin\AppData\Local\Temp\1012ea9a9ad53ff3438058366404771c7995b404a6cf0a074f7f4f5b296b0612N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\00294823\cmLg7XRxLz.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/cmLg7XRxLz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2756
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Doiwnlooade keeper\On1fRm7Jx.x64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Doiwnlooade keeper\On1fRm7Jx.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\On1fRm7Jx.dll

Filesize
416KB

MD5
b5e8219112f5de28e71487fd8c367b8f

SHA1
cc60f4497ee2328e43e89474c412d75a90be2e1b

SHA256
e23b94a809d4306dce3c0fb5a7dc76ad25e133cb74daa489629419ba1d849ebe

SHA512
d4dd2a41ab9c17125263824f3f4b5c6f3a5f8dc7c78adc298391a6a18b495a521388e2c8524c5050b7452df89d048a12b014e711fef7e4ed8b439d8959a7357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\On1fRm7Jx.tlb

Filesize
3KB

MD5
8d1f5f85eefb09e07c0f1357289b7251

SHA1
f9e39ac9d8e978d8fe834c527a6160eb58392e77

SHA256
2e46c45652d03653c407468ca871f4e910b4cec36af85853e2bd06f3fb7ad4ae

SHA512
df483e23bf19f90b07cf70d5e4bf7a26ece3bea39cc78b0dd652d179890000ec2c603841f5354e27676f60055094e13749ad6fc11dcf56aa8be32a8a7d916fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\On1fRm7Jx.x64.dll

Filesize
463KB

MD5
51869d78edfbeb04d0805522d9232518

SHA1
4c1a736dbf800b83580265a6c6ae2ebd13e0b3cc

SHA256
5b9f026657796490c626a88c1b7533fc23a1ee92b4bad819f4d0940e18d0c7ae

SHA512
9f99165b2c27df5f43131d857340aeb197d24b00a7176943c98f9b45bd7919e4ce002f68c9c1ed03424f42a1ce94ff3968b315cf9f6d2edfba708d86fc2c03fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ajmkkjdjaleendpcijfgdmlpcncogpkf\background.html

Filesize
148B

MD5
d3b73d0e6e941fa940228449025ae90c

SHA1
c38c7f6a4501e10eb51e4714d0b163809c1ed956

SHA256
6b3068f9b8179ec05bf7e86a4cd7d72dd18e1c20cc6a553abc86a10b390296b4

SHA512
2688d08f82f90119ab56a230f3d5b567df1fa57f6bb3516c12a81e969a9f9b27471beee7d26039a81bfe9fd8bf9d62d139d05b6ebeeae55e52edf805b5acc045

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ajmkkjdjaleendpcijfgdmlpcncogpkf\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ajmkkjdjaleendpcijfgdmlpcncogpkf\kSE02SVg0eg.js

Filesize
5KB

MD5
0ede5717a083517d752c7c487f3bd83b

SHA1
014ce026619d3195f7693d44c13f4d532376b9f2

SHA256
ea5124ce6dcb72743be395f156ab8de1e943432e600b3ba6cd5ae7c6f3b553dc

SHA512
bc46a5a3d2714f5a528278d69397a5667fe61ad796c98f86e6690fff0c31c1720aa6bf77f6869ecc5478d2279aa601f5ee07ca26a787f1af7928785445be5ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ajmkkjdjaleendpcijfgdmlpcncogpkf\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ajmkkjdjaleendpcijfgdmlpcncogpkf\manifest.json

Filesize
510B

MD5
90f82f3f2d7daf9bc3394a4bf06cde90

SHA1
bdac71379c1ff4a41e431cb9021ff023592aec8a

SHA256
f2d5755b5f161bca1cc993bfa7245641408c2650b2b030fcecb0d228cbc1c48d

SHA512
1d4133a93401a53528fc7464c9a2289fc7f891f131b2839f9293de565c842c5ac20192d21dbd260966e0e584b8c6aeae80322da6393cbfab955ee9a1a21c74bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ajmkkjdjaleendpcijfgdmlpcncogpkf\sqlite.js

Filesize
1KB

MD5
2b45eab731caca8781c2ba60bb1ca589

SHA1
1f813166d70a4dde2cb969306f766b067563b69b

SHA256
40e8237c44ad2dd31fd944cdc94f3f43564399d9a3e7a2fcb508fc48bbde2b83

SHA512
9561b371e23c2cc5e693e49e9645c33c5d640a2e721c8068da1ff88ea8415d31834715970cf76e4aaf40e66764000e70e18edd71cdf9b0c959087e2e6d5284a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\cmLg7XRxLz.dat

Filesize
3KB

MD5
8a10642cdb312b905e064145af3588e4

SHA1
ec562c8cde18b88300de93808785593a1a7c1fc8

SHA256
c304c8a1ad64b5109f89a05539a5dbed3c8baac4b9bbf25d2153b5cdf8c12797

SHA512
ca4c1d6923ca63aa3a261f6bf70acf60b798f0e28f682af404a62762b29c3b2739f197f58cec8607b06e313a191570e84b281e4ff7defae71ce08c4d7697e6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

Filesize
112B

MD5
777f8f0996cb9fc6bd5fdf5b157914ad

SHA1
8d4e10947703d96116a1fedf5038c0583dba38d1

SHA256
b57e163c9349fa81a3aff62a6ac3752f3325ed8b5dfc25b523b5e50539398231

SHA512
9bfe19371c870585ce3338c82a11491a8ba29253ee108f53aa5c936e510e43eaac958fb2f89bc029bd430ab64e9a1829eed842a3398c002806768000bb406836

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

Filesize
9KB

MD5
3189eeb9e98abdf261b5e4c116fb53e5

SHA1
d8fbad3f3854594b0f56304afc5cb7bdbd2d3407

SHA256
f653649443d16f99473a5f86dcc09d6b863d8b490576c9e5f13626f7c13d5d4e

SHA512
6b7a17646c803fea36e7ca4d2d2674a7eea6fc8899c53d73c73dcfde69b9c7c0253cc614daa347820dddf2e5ef652448c5dfc7b90aa959c88bff919165cf65b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

Filesize
617B

MD5
3555645894fc7802a1e1eea323c71bc8

SHA1
3da78918fa3aef063efd4bbef234a39ef0394e40

SHA256
437f299f191f4cbe9cf239f8ad8738a9df015c147279654b4f71ef7006ee7555

SHA512
205698de53a7dc6c15394d82fd8f87d7dbc650d3630f6f297b12679223f8a9e22c9717c23a3b43b3c79c5609651d7441c6309d01375fe1c1e8f42c8b384b2d2d

Download Submit
\Users\Admin\AppData\Local\Temp\00294823\cmLg7XRxLz.exe

Filesize
482KB

MD5
2f21b030acc94619252a33d36dc2694c

SHA1
82c9801ec0d132500bc823defe9aaa1b8679d198

SHA256
bf0a543d607d8c4f6a64ceb3a09488cfd7631191eb2c6ff6db3532ff1d34a62b

SHA512
27cb565725965634f7ee0b50ec1502cc188273194c4960545d503e91891d59d842d7a1c3f4b3347d501dd2e5ee89af9b148be1c7fbc6df65488a675eb42e030f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads