0c3999d16bef72e7aacaa54d69826211e1afd6f9244a4d3cd7b770e9e99db927

General

Target

0c3999d16bef72e7aacaa54d69826211e1afd6f9244a4d3cd7b770e9e99db927.dll
Size

60KB
MD5

409703046fb842601ea843829af0f41a
SHA1

087e2af794c022b1cfa1dbe4a99baf16ead81bd1
SHA256

0c3999d16bef72e7aacaa54d69826211e1afd6f9244a4d3cd7b770e9e99db927
SHA512

237bf24534609add9b77d5f968fb23b5161d2075b6b2e482159c3a51e792e60fc6e34328c8a0520bc3408a2de2792e8e15eeaeba8c7886d2d338a06a185fc262

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 60 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\janybo.Bho\CLSID\ = "{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\ProgID\ = "Mukapicha"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0C3999~1.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\ = "Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\ = "_IBhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\janybo.Bho	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Mukapicha	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\ = "IBho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Mukapicha\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\janybo.Bho\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mukapicha\ = "Jany.bho.module"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\janybo.Bho\ = "Jany.bho.module"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\janybo.Bho\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\janybo.Bho\CurVer\ = "Mukapicha"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\ = "_IBhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mukapicha\CLSID\ = "{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\ = "Jany.bho.module"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\VersionIndependentProgID\ = "janybo.Bho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0c3999d16bef72e7aacaa54d69826211e1afd6f9244a4d3cd7b770e9e99db927.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D80C8DC6-A525-4AE5-AAF3-A4B13105A700}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B8B70F3-3835-4C43-BD8E-3142251EE128}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8E991EC-4BED-4773-ABC2-9F9B2869ACF5}\ = "IBho"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1784 wrote to memory of 4704	1784	regsvr32.exe	regsvr32.exe
PID 1784 wrote to memory of 4704	1784	regsvr32.exe	regsvr32.exe
PID 1784 wrote to memory of 4704	1784	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0c3999d16bef72e7aacaa54d69826211e1afd6f9244a4d3cd7b770e9e99db927.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0c3999d16bef72e7aacaa54d69826211e1afd6f9244a4d3cd7b770e9e99db927.dll
2⤵
- Modifies registry class
PID:4704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4704-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing