69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a

General

Target

69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe
Size

44KB
MD5

4d7ff430fa4651b4ef3055758734fa10
SHA1

2557f9e0aaa60a465d7444db83a48bfe5e85686e
SHA256

69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a
SHA512

b0517722e3ec420afadce1ae227f0c0e957f57d8ed5661d567e96a97c420b9373c5d23de1f1b4f9b4923f77f6dbeb6b65e594c233ee42d5952c43cd82a9d9630

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1576 regsvr32.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176
Drops file in System32 directory 1 IoCs

Processes:

69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe

description ioc process

File created C:\Windows\SysWOW64\spuho.dll 69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe

pid	process
1576	regsvr32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\spuho.dll	69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\cslnam = d52baf3cfab9d548859cb31a2329bb92	regsvr32.exe

Modifies registry class 7 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\clsid\{3CAF2BD5-B9FA-48D5-859C-B31A2329BB92}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3CAF2BD5-B9FA-48D5-859C-B31A2329BB92}\ = "IE SP2 AddOn"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3CAF2BD5-B9FA-48D5-859C-B31A2329BB92}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3CAF2BD5-B9FA-48D5-859C-B31A2329BB92}\InprocServer32\ = "C:\\Windows\\SysWow64\\spuho.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3CAF2BD5-B9FA-48D5-859C-B31A2329BB92}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3CAF2BD5-B9FA-48D5-859C-B31A2329BB92}\emanelif = 459f844c73df9060099e7c607b1ad8927b067af73971f13781f3d4affe	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3CAF2BD5-B9FA-48D5-859C-B31A2329BB92}\emanger = 75d5ad7772	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe

description	pid	process	target process
PID 632 wrote to memory of 1576	632	69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe	regsvr32.exe
PID 632 wrote to memory of 1576	632	69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe	regsvr32.exe
PID 632 wrote to memory of 1576	632	69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe	regsvr32.exe
PID 632 wrote to memory of 1576	632	69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe	regsvr32.exe
PID 632 wrote to memory of 1576	632	69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe	regsvr32.exe
PID 632 wrote to memory of 1576	632	69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe	regsvr32.exe
PID 632 wrote to memory of 1576	632	69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe
"C:\Users\Admin\AppData\Local\Temp\69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\system32\spuho.dll
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:1576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\spuho.dll
Filesize
36KB

MD5
9a15cdb10be7564c5799f5c1cdc2c32e

SHA1
d337f2481e15b53ce05aee534d4068f99a94453b

SHA256
42265fd6a124e471b5cedaf083d9277afdffc927e9cc6c1f5d1c757bf511962c

SHA512
4f91a48059fa82c3831fbe23f5031ae1cca81297420c4a3a94b138468183eeefdc74a9a0a6263bdf374e369f80400d9bc312b182f905bccc6d97e1ff3c42fdc8

Download Submit
\Windows\SysWOW64\spuho.dll
Filesize
36KB

MD5
9a15cdb10be7564c5799f5c1cdc2c32e

SHA1
d337f2481e15b53ce05aee534d4068f99a94453b

SHA256
42265fd6a124e471b5cedaf083d9277afdffc927e9cc6c1f5d1c757bf511962c

SHA512
4f91a48059fa82c3831fbe23f5031ae1cca81297420c4a3a94b138468183eeefdc74a9a0a6263bdf374e369f80400d9bc312b182f905bccc6d97e1ff3c42fdc8

Download Submit
memory/632-54-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1576-55-0x0000000000000000-mapping.dmp

Download
memory/1576-56-0x0000000075391000-0x0000000075393000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads