e298079e95006545b320ff24fb27d95ba834f10f2e7546807c559fb304fbc90d

General

Target

e298079e95006545b320ff24fb27d95ba834f10f2e7546807c559fb304fbc90d.dll
Size

1.8MB
MD5

d73c7a58938e3b6d94d312605bca4368
SHA1

914cd67b14d48fd9b186ec9af5d33ff5c8afe617
SHA256

e298079e95006545b320ff24fb27d95ba834f10f2e7546807c559fb304fbc90d
SHA512

8d98f39b79b21c73d9df64713a7aedef69fcfc5f0c093b128b13af28f4b28d58523d919a2dfb13303617c4434d75cefb8959cfb3604dd3b9bfc8465fd896fc70

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 46 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj\CurVer\ = "IEHelper.IEHlprObj.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID\ = "IEHelper.IEHlprObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e298079e95006545b320ff24fb27d95ba834f10f2e7546807c559fb304fbc90d.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib\ = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ = "IIEHlprObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib\ = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj\ = "IEHlprObj Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj\CLSID\ = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e298079e95006545b320ff24fb27d95ba834f10f2e7546807c559fb304fbc90d.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj.1\CLSID\ = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ = "IEHlprObj Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID\ = "IEHelper.IEHlprObj.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ = "IIEHlprObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib\ = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\ = "IEHelper 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj.1\ = "IEHlprObj Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1172 regsvr32.exe
1172 regsvr32.exe

pid	process
1172	regsvr32.exe
1172	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1828 wrote to memory of 1172	1828	regsvr32.exe	regsvr32.exe
PID 1828 wrote to memory of 1172	1828	regsvr32.exe	regsvr32.exe
PID 1828 wrote to memory of 1172	1828	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e298079e95006545b320ff24fb27d95ba834f10f2e7546807c559fb304fbc90d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\e298079e95006545b320ff24fb27d95ba834f10f2e7546807c559fb304fbc90d.dll
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1172

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-114-0x0000000000000000-mapping.dmp

Download
memory/1172-115-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing