bd0fcd29ed0a9a39902229faf404b4f9ca605dd274aa2df02d2f4a805b49bb2c

Analysis

max time kernel
99s
max time network
64s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-11-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33620DA25B7B638DE71F91B7557B11400F03A9E4.dll
Size

60KB
MD5

ac17b14e79c15f5e44df0f572efe755e
SHA1

319b7af5b974b961bbfef5ff7daa58f91723e45d
SHA256

bd0fcd29ed0a9a39902229faf404b4f9ca605dd274aa2df02d2f4a805b49bb2c
SHA512

25062b59a9e9526b206887a059d386fef425e5ef26da231bd9b1abb501ed84872852229470d1c6a45b73e27328c776df08d71e95583f96df22aa2833d97372eb
SSDEEP

1536:QBU+DtQ6JUvkUFPeyBQ0P1xvJcWEc0nK:s1mkpyS0P1xvJcWEc0n

Score

6^/10

adware discovery stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06663B51-0D73-4f9f-BCC5-4AA941470AFD}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{06663B51-0D73-4F9F-BCC5-4AA941470AFD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06663B51-0D73-4f9f-BCC5-4AA941470AFD}\ = "Pando Search Assistant BHO"	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{06663B56-0D73-4f9f-BCC5-4AA941470AFD}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}	regsvr32.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06663B51-0D73-4f9f-BCC5-4AA941470AFD}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06663B56-0D73-4f9f-BCC5-4AA941470AFD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06663B56-0D73-4f9f-BCC5-4AA941470AFD}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06663B56-0D73-4f9f-BCC5-4AA941470AFD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06663B56-0D73-4f9f-BCC5-4AA941470AFD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06663B51-0D73-4f9f-BCC5-4AA941470AFD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06663B51-0D73-4f9f-BCC5-4AA941470AFD}\ = "Pando Search Assistant BHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06663B51-0D73-4f9f-BCC5-4AA941470AFD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\33620DA25B7B638DE71F91B7557B11400F03A9E4.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06663B51-0D73-4f9f-BCC5-4AA941470AFD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06663B56-0D73-4f9f-BCC5-4AA941470AFD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\33620DA25B7B638DE71F91B7557B11400F03A9E4.dll"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 2840	5056	regsvr32.exe	81
PID 5056 wrote to memory of 2840	5056	regsvr32.exe	81
PID 5056 wrote to memory of 2840	5056	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\33620DA25B7B638DE71F91B7557B11400F03A9E4.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\33620DA25B7B638DE71F91B7557B11400F03A9E4.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads