2b530fd990fae01d78fae8ca38b701cdb7abaffd350ec7ccdff662d13a337971

General

Target

2b530fd990fae01d78fae8ca38b701cdb7abaffd350ec7ccdff662d13a337971.dll
Size

1.8MB
MD5

53d06f469b0236c5db723be8b68f2531
SHA1

1225150fdf8369cccfcd634fcc0c41ade90549a5
SHA256

2b530fd990fae01d78fae8ca38b701cdb7abaffd350ec7ccdff662d13a337971
SHA512

5da0347831be10ea1d08fc2c52a1eea0d6a84ac7460efda3c7e18c9d30ba38b166cf6841f7a7794de315b7d3ed0192a52d76c7031d976c27c975fd2e472594b4

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 46 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj\ = "IEHlprObj Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ = "IEHlprObj Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib\ = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID\ = "IEHelper.IEHlprObj.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ = "IIEHlprObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj.1\ = "IEHlprObj Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj.1\CLSID\ = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib\ = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib\ = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj\CLSID\ = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEHlprObj\CurVer\ = "IEHelper.IEHlprObj.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2b530fd990fae01d78fae8ca38b701cdb7abaffd350ec7ccdff662d13a337971.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2b530fd990fae01d78fae8ca38b701cdb7abaffd350ec7ccdff662d13a337971.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\ = "IEHelper 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ = "IIEHlprObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID\ = "IEHelper.IEHlprObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2612 regsvr32.exe
2612 regsvr32.exe

pid	process
2612	regsvr32.exe
2612	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4048 wrote to memory of 2612	4048	regsvr32.exe	regsvr32.exe
PID 4048 wrote to memory of 2612	4048	regsvr32.exe	regsvr32.exe
PID 4048 wrote to memory of 2612	4048	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2b530fd990fae01d78fae8ca38b701cdb7abaffd350ec7ccdff662d13a337971.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2b530fd990fae01d78fae8ca38b701cdb7abaffd350ec7ccdff662d13a337971.dll
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2612

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2612-114-0x0000000000000000-mapping.dmp

Download
memory/2612-115-0x0000000003030000-0x0000000003032000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing