8f0fc83cae47632e13c1fa4862b3f86530ff6f9cd44ce9f16a5e00d4149eb3b2

General

Target

8f0fc83cae47632e13c1fa4862b3f86530ff6f9cd44ce9f16a5e00d4149eb3b2.dll
Size

232KB
MD5

9444618a31abcdadc876e27ddaf0de0c
SHA1

657fab105d607fa14d6d4fa0362c7994f122f469
SHA256

8f0fc83cae47632e13c1fa4862b3f86530ff6f9cd44ce9f16a5e00d4149eb3b2
SHA512

ff6084479854cb0c315e12c73b788d2caf497b07e014ce350ffdfc4c756710f5c3868781d0a542363ee98555d6deb8cfd1df208986347b667a9356335f5be382

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 15 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{686488AF-13D5-9DDF-4FEF-9FB88698CFC1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{686488AF-13D5-9DDF-4FEF-9FB88698CFC1}\InprocServer32\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}\ = "JavaSunSurf Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8f0fc83cae47632e13c1fa4862b3f86530ff6f9cd44ce9f16a5e00d4149eb3b2.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\wversion = "4.0.9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{686488AF-13D5-9DDF-4FEF-9FB88698CFC1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\webbrowser = "{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{686488AF-13D5-9DDF-4FEF-9FB88698CFC1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{686488AF-13D5-9DDF-4FEF-9FB88698CFC1}\InprocServer32	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2388 wrote to memory of 1968	2388	regsvr32.exe	regsvr32.exe
PID 2388 wrote to memory of 1968	2388	regsvr32.exe	regsvr32.exe
PID 2388 wrote to memory of 1968	2388	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8f0fc83cae47632e13c1fa4862b3f86530ff6f9cd44ce9f16a5e00d4149eb3b2.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\8f0fc83cae47632e13c1fa4862b3f86530ff6f9cd44ce9f16a5e00d4149eb3b2.dll
2⤵
- Modifies registry class
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1968-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing