6c2d68201a903f90756ac73bc8758d6f9bf7066a52248fbda2d5b10f983c194f

General

Target

6c2d68201a903f90756ac73bc8758d6f9bf7066a52248fbda2d5b10f983c194f.dll
Size

88KB
MD5

fb0fbeb618fbeab697ffb7cb1c78e5ba
SHA1

0663bb5c7cf43d2e95e42de299c95925a4b94b15
SHA256

6c2d68201a903f90756ac73bc8758d6f9bf7066a52248fbda2d5b10f983c194f
SHA512

79d422595160c014c4b891ff274692b87913dcfafa73b519b611b1bd120d64637b13b293913a92105cd4b9bedbe1603c31f533d3ab9bccd7bdb18ac24d3a8960

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 56 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CB0D898-A6A2-48c3-BBD7-862F85B18D46}\ = "BitAccelerator"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CB0D898-A6A2-48c3-BBD7-862F85B18D46}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator.1\ = "BitAccelerator Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CB0D898-A6A2-48c3-BBD7-862F85B18D46}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{431D251C-B43A-47d7-B4F4-07A101B432D6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6c2d68201a903f90756ac73bc8758d6f9bf7066a52248fbda2d5b10f983c194f.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\VersionIndependentProgID\ = "BitAccelerator.BitAccelerator"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{431D251C-B43A-47d7-B4F4-07A101B432D6}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{431D251C-B43A-47d7-B4F4-07A101B432D6}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{431D251C-B43A-47d7-B4F4-07A101B432D6}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6c2d68201a903f90756ac73bc8758d6f9bf7066a52248fbda2d5b10f983c194f.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator\CurVer\ = "BitAccelerator.BitAccelerator.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CB0D898-A6A2-48c3-BBD7-862F85B18D46}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator.1\CLSID\ = "{92860A02-4D69-48c1-82D7-EF6B2C609502}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator\ = "BitAccelerator Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6c2d68201a903f90756ac73bc8758d6f9bf7066a52248fbda2d5b10f983c194f.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\ = "BitAccelerator"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{431D251C-B43A-47d7-B4F4-07A101B432D6}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{431D251C-B43A-47d7-B4F4-07A101B432D6}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator.1\CLSID\ = "{C1DE446A-8770-4621-9378-F1922C74A36C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator\CLSID\ = "{C1DE446A-8770-4621-9378-F1922C74A36C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\ = "BitAccelerator Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CB0D898-A6A2-48c3-BBD7-862F85B18D46}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CB0D898-A6A2-48c3-BBD7-862F85B18D46}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CB0D898-A6A2-48c3-BBD7-862F85B18D46}\TypeLib\ = "{431D251C-B43A-47d7-B4F4-07A101B432D6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{431D251C-B43A-47d7-B4F4-07A101B432D6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{431D251C-B43A-47d7-B4F4-07A101B432D6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator\CLSID\ = "{92860A02-4D69-48c1-82D7-EF6B2C609502}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{431D251C-B43A-47d7-B4F4-07A101B432D6}\1.0\ = "BitAccelerator 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\TypeLib\ = "{431D251C-B43A-47d7-B4F4-07A101B432D6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\VersionIndependentProgID\ = "BitAccelerator.BitAccelerator"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CB0D898-A6A2-48c3-BBD7-862F85B18D46}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{431D251C-B43A-47d7-B4F4-07A101B432D6}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitAccelerator.BitAccelerator\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\TypeLib\ = "{431D251C-B43A-47d7-B4F4-07A101B432D6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\Install = "OK"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92860A02-4D69-48c1-82D7-EF6B2C609502}\ProgID\ = "BitAccelerator.BitAccelerator.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1DE446A-8770-4621-9378-F1922C74A36C}\ProgID\ = "BitAccelerator.BitAccelerator.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CB0D898-A6A2-48c3-BBD7-862F85B18D46}\TypeLib	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 540 wrote to memory of 1924	540	regsvr32.exe	regsvr32.exe
PID 540 wrote to memory of 1924	540	regsvr32.exe	regsvr32.exe
PID 540 wrote to memory of 1924	540	regsvr32.exe	regsvr32.exe
PID 540 wrote to memory of 1924	540	regsvr32.exe	regsvr32.exe
PID 540 wrote to memory of 1924	540	regsvr32.exe	regsvr32.exe
PID 540 wrote to memory of 1924	540	regsvr32.exe	regsvr32.exe
PID 540 wrote to memory of 1924	540	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6c2d68201a903f90756ac73bc8758d6f9bf7066a52248fbda2d5b10f983c194f.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\6c2d68201a903f90756ac73bc8758d6f9bf7066a52248fbda2d5b10f983c194f.dll
2⤵
- Modifies registry class
PID:1924

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-60-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download
memory/1924-61-0x0000000000000000-mapping.dmp

Download
memory/1924-62-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing