d543e15482a2ba4f71e763f1bc92db45bfe31b4f142bc7f231d8999ef43c55d2

General

Target

d543e15482a2ba4f71e763f1bc92db45bfe31b4f142bc7f231d8999ef43c55d2.dll
Size

96KB
MD5

732c6b97db146f3d93ffdfbab95068fc
SHA1

95ab33c31655d06f9cf993fad037fe3bc9cc4bb0
SHA256

d543e15482a2ba4f71e763f1bc92db45bfe31b4f142bc7f231d8999ef43c55d2
SHA512

e8d2b7d29e6c08c53046d9adabaf3478693287c61d89263f88c581b8d4c8c3765dd27fc5db682f79d97d532b843faf224c5d1e9890fb0087c11e366366f9ab93

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 23 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c8040b9-8ef0-4d1f-abe1-025550496594}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c8040b9-8ef0-4d1f-abe1-025550496594}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Programmable	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c8040b9-8ef0-4d1f-abe1-025550496594}\InprocServer32\ThreadingModel = "free"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Version	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\TypeLib	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c8040b9-8ef0-4d1f-abe1-025550496594}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d543e15482a2ba4f71e763f1bc92db45bfe31b4f142bc7f231d8999ef43c55d2.dll"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\VersionIndependentProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\InprocServer32	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1312 wrote to memory of 5112	1312	rundll32.exe	rundll32.exe
PID 1312 wrote to memory of 5112	1312	rundll32.exe	rundll32.exe
PID 1312 wrote to memory of 5112	1312	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d543e15482a2ba4f71e763f1bc92db45bfe31b4f142bc7f231d8999ef43c55d2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d543e15482a2ba4f71e763f1bc92db45bfe31b4f142bc7f231d8999ef43c55d2.dll,#1
2⤵
- Modifies registry class
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5112-130-0x0000000000000000-mapping.dmp

Download
memory/5112-131-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/5112-134-0x0000000010001000-0x0000000010033000-memory.dmp

Filesize
200KB

Download
memory/5112-135-0x0000000000930000-0x0000000000947000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing