c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3

Analysis

Target

c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3.dll
Size

100KB
MD5

7efd1578873ba7d57b2622683b25ec82
SHA1

e4fa1b172ef6a1cc87f2c5d3cd4e71bb7d365b14
SHA256

c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3
SHA512

f314357634f01e3e2532974f0429fbf358d43d14eabfba3c6a347628e9ddb1eec45d6d20d09e3936c29af66479d73910fcec639680d2ac3fa162f6d6084b1e5a

Score

6^/10

adware stealer

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 6 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C378FC7-27C1-4B38-BAED-01303E18C7CE}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C378FC7-27C1-4B38-BAED-01303E18C7CE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C378FC7-27C1-4B38-BAED-01303E18C7CE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C378FC7-27C1-4B38-BAED-01303E18C7CE}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3.dll"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4732 wrote to memory of 1736	4732	regsvr32.exe	regsvr32.exe
PID 4732 wrote to memory of 1736	4732	regsvr32.exe	regsvr32.exe
PID 4732 wrote to memory of 1736	4732	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3.dll
2⤵
- Modifies registry class
PID:1736

Initial Access

Execution

Persistence

Browser Extensions

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact