2dae838574c19aa327c16cd508436cad1be76dab57057fe7eec46711a474cb7e

General

Target

2dae838574c19aa327c16cd508436cad1be76dab57057fe7eec46711a474cb7e.dll
Size

484KB
MD5

4d3902ac9c8a0a3b3756b9476873d395
SHA1

eb0c66271ea08485ff7683bee33b9b897b12517a
SHA256

2dae838574c19aa327c16cd508436cad1be76dab57057fe7eec46711a474cb7e
SHA512

7d348509a07e3b1f73958e02ae109da3ed38431c13d5072e8231c68d54a75addbd3d4cecf8d13e027c7fcacfc60aab3235e375f84ef3971f0fcce7fd3f044148

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeregsvr32.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EFEE08DE-C660-11EC-A58B-C618EE80FC43} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D899A75B-C660-11EC-A58B-C618EE80FC43} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2917207727"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30956141"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2915949109"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30956141"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{C94158E1-6151-4442-ABE6-FD53D6534CCB} = 00	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "357852997"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.XBTB08431\CLSID\ = "{C94158E1-6151-4442-ABE6-FD53D6534CCB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\TypeLib\ = "{A76CB30A-6ED9-4c62-9A8A-7DE9FA234608}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.ToolHelper\CurVer\ = "ToolBand.ToolHelper.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAAE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}\ProgID\ = "ToolBand.ToolHelper.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9554EE2-7FC8-4A22-A00B-29F8ED88C772}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.IEToolbar\ = "IE Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E99FD4CC-5666-4F5E-985D-C0C1244441A1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E99FD4CC-5666-4F5E-985D-C0C1244441A1}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FACCC49A-4D7B-415B-8250-15C3B854E9FF}\ = "ISoftomateObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E99FD4CC-5666-4F5E-985D-C0C1244441A1}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9554EE2-7FC8-4A22-A00B-29F8ED88C772}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9554EE2-7FC8-4A22-A00B-29F8ED88C772}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9554EE2-7FC8-4A22-A00B-29F8ED88C772}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.ToolHelper.1\ = "ToolHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.ToolHelper.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAAE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2DAE83~1.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.XBTB08431.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.ToolHelper\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAAE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9554EE2-7FC8-4A22-A00B-29F8ED88C772}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.XBTB08431.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FACCC49A-4D7B-415B-8250-15C3B854E9FF}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FACCC49A-4D7B-415B-8250-15C3B854E9FF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FACCC49A-4D7B-415B-8250-15C3B854E9FF}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9554EE2-7FC8-4A22-A00B-29F8ED88C772}\ = "IToolHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\ProgID\ = "XBTB08431.IEToolbar.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.ToolHelper	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAAE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}\ = "ToolHelper Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAAE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E99FD4CC-5666-4F5E-985D-C0C1244441A1}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FACCC49A-4D7B-415B-8250-15C3B854E9FF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FACCC49A-4D7B-415B-8250-15C3B854E9FF}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9554EE2-7FC8-4A22-A00B-29F8ED88C772}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\ = "IE Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2DAE83~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.ToolHelper\ = "ToolHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E99FD4CC-5666-4F5E-985D-C0C1244441A1}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9554EE2-7FC8-4A22-A00B-29F8ED88C772}\TypeLib\ = "{E99FD4CC-5666-4F5E-985D-C0C1244441A1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.XBTB08431.1\ = "IE Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.XBTB08431.1\CLSID\ = "{C94158E1-6151-4442-ABE6-FD53D6534CCB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.XBTB08431	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\ProgID\ = "XBTB08431.XBTB08431.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.IEToolbar.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.IEToolbar\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E99FD4CC-5666-4F5E-985D-C0C1244441A1}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9554EE2-7FC8-4A22-A00B-29F8ED88C772}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAAE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAAE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}\VersionIndependentProgID\ = "ToolBand.ToolHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E99FD4CC-5666-4F5E-985D-C0C1244441A1}\1.0\ = "Softomate 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E99FD4CC-5666-4F5E-985D-C0C1244441A1}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\VersionIndependentProgID\ = "XBTB08431.IEToolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.ToolHelper.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.ToolHelper\CLSID\ = "{AAAE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.XBTB08431\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.XBTB08431\CurVer\ = "XBTB08431.XBTB08431.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.IEToolbar.1\ = "IE Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB08431.IEToolbar.1\CLSID\ = "{C94158E1-6151-4442-ABE6-FD53D6534CCB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAAE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9554EE2-7FC8-4A22-A00B-29F8ED88C772}\ = "IToolHelper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E99FD4CC-5666-4F5E-985D-C0C1244441A1}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2dae838574c19aa327c16cd508436cad1be76dab57057fe7eec46711a474cb7e.dll"	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

2852 iexplore.exe
1284 iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
2852	iexplore.exe
2852	iexplore.exe
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
1284	iexplore.exe
1284	iexplore.exe
3548	IEXPLORE.EXE
3548	IEXPLORE.EXE
3548	IEXPLORE.EXE
3548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeiexplore.exeregsvr32.exeiexplore.exe

description	pid	process	target process
PID 2416 wrote to memory of 4852	2416	regsvr32.exe	regsvr32.exe
PID 2416 wrote to memory of 4852	2416	regsvr32.exe	regsvr32.exe
PID 2416 wrote to memory of 4852	2416	regsvr32.exe	regsvr32.exe
PID 2852 wrote to memory of 2428	2852	iexplore.exe	IEXPLORE.EXE
PID 2852 wrote to memory of 2428	2852	iexplore.exe	IEXPLORE.EXE
PID 2852 wrote to memory of 2428	2852	iexplore.exe	IEXPLORE.EXE
PID 4852 wrote to memory of 1284	4852	regsvr32.exe	iexplore.exe
PID 4852 wrote to memory of 1284	4852	regsvr32.exe	iexplore.exe
PID 1284 wrote to memory of 3548	1284	iexplore.exe	IEXPLORE.EXE
PID 1284 wrote to memory of 3548	1284	iexplore.exe	IEXPLORE.EXE
PID 1284 wrote to memory of 3548	1284	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2dae838574c19aa327c16cd508436cad1be76dab57057fe7eec46711a474cb7e.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2dae838574c19aa327c16cd508436cad1be76dab57057fe7eec46711a474cb7e.dll
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3548

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D899A75B-C660-11EC-A58B-C618EE80FC43}.dat
Filesize
5KB

MD5
0cd172a140030a6075669c2fe6e3df61

SHA1
c23e68c77b676d3b7ccc4b27e0b519dfdd8e5064

SHA256
d1e3b92b5a243bc009825f5310613f474f2c3ffdd6a790291dbb8669ba9f9b74

SHA512
e3a2a34cf408a4dfa47135d89497c9be3c2a1dd53fa892471876212bf7cba60764d229fb32e8a9972d05cae090a0a93aed33c05ca6aad8ba8c374aa3c4de50b8

Download Submit
memory/4852-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads