bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759

General

Target

bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.dll
Size

191KB
MD5

3960a95b0585f7813c19fb012d10fe93
SHA1

a12af3edc11d87bd00cecc22753094dc37cfee91
SHA256

bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759
SHA512

e80de35dfa65a0bbe5f319f0e60b15ec15055f2d1afc9989ad59ec005c0729458e6987b21637d4c8c86e1bc3842f9b48fb03afdccc58f89e0462100a552618ff

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 11 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.mgrsia\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.mgrsia\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\ProgID\ = "bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.mgrsia"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.mgrsia	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.mgrsia\Clsid\ = "{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1092 wrote to memory of 904	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 904	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 904	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 904	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 904	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 904	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 904	1092	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.dll
2⤵
- Modifies registry class
PID:904

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-55-0x0000000000000000-mapping.dmp

Download
memory/904-56-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1092-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing