689ecc798fa5d33f942dfc4575f7a3e92d66a0a2c13a09da5ba3bf6fdd788d40

General

Target

689ecc798fa5d33f942dfc4575f7a3e92d66a0a2c13a09da5ba3bf6fdd788d40.dll
Size

62KB
MD5

6a4371bab2c0d1fe7bde09040c5bf4a1
SHA1

7aac6f4527f8bdfde2d29a321f2ab83693be784f
SHA256

689ecc798fa5d33f942dfc4575f7a3e92d66a0a2c13a09da5ba3bf6fdd788d40
SHA512

d5ba02bbf43bc43948db0e5e062f4f78e822deae43f72da292a2c5788707098c2c503b1b1c4bc315fa7a22acf7eb590700059f176e61bbd1e0c32ac483b471de

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 42 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}\VersionIndependentProgID\ = "ExplorerOhb.ExplorerOhb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\TypeLib\ = "{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExplorerOhb.ExplorerOhb.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\689ecc798fa5d33f942dfc4575f7a3e92d66a0a2c13a09da5ba3bf6fdd788d40.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\689ecc798fa5d33f942dfc4575f7a3e92d66a0a2c13a09da5ba3bf6fdd788d40.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExplorerOhb.ExplorerOhb.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExplorerOhb.ExplorerOhb\ = "ExplorerOhb Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}\ = "ExplorerOhb Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\ = "IExplorerOhb"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\ = "IExplorerOhb"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExplorerOhb.ExplorerOhb.1\CLSID\ = "{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\TypeLib\ = "{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExplorerOhb.ExplorerOhb	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExplorerOhb.ExplorerOhb\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExplorerOhb.ExplorerOhb\CurVer\ = "ExplorerOhb.ExplorerOhb.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExplorerOhb.ExplorerOhb.1\ = "ExplorerOhb Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08A493E-3FEF-4372-8AF3-FEB2735FEC36}\ProgID\ = "ExplorerOhb.ExplorerOhb.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}\1.0\ = "IEAdsKill 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F08A4930-3FEF-4372-8AF3-FEB2735FEC36}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08A493D-3FEF-4372-8AF3-FEB2735FEC36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1664 wrote to memory of 1988	1664	regsvr32.exe	regsvr32.exe
PID 1664 wrote to memory of 1988	1664	regsvr32.exe	regsvr32.exe
PID 1664 wrote to memory of 1988	1664	regsvr32.exe	regsvr32.exe
PID 1664 wrote to memory of 1988	1664	regsvr32.exe	regsvr32.exe
PID 1664 wrote to memory of 1988	1664	regsvr32.exe	regsvr32.exe
PID 1664 wrote to memory of 1988	1664	regsvr32.exe	regsvr32.exe
PID 1664 wrote to memory of 1988	1664	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\689ecc798fa5d33f942dfc4575f7a3e92d66a0a2c13a09da5ba3bf6fdd788d40.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\689ecc798fa5d33f942dfc4575f7a3e92d66a0a2c13a09da5ba3bf6fdd788d40.dll
2⤵
- Modifies registry class
PID:1988

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-54-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download
memory/1988-55-0x0000000000000000-mapping.dmp

Download
memory/1988-56-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing