9ce47213d9bb40345ed3abea6d0b473f5ba34861436fc395bc133b44d15ac1c7

General

Target

9ce47213d9bb40345ed3abea6d0b473f5ba34861436fc395bc133b44d15ac1c7.dll
Size

248KB
MD5

2385c4f996074d98c89def3b1b5d306f
SHA1

e027697c44edce399f606ebc460cb22287bd76cd
SHA256

9ce47213d9bb40345ed3abea6d0b473f5ba34861436fc395bc133b44d15ac1c7
SHA512

b8058a60e47fa510e1f9f24c55fbf7ae2d027af3f15f4df5fec55562bff959668f13a8ad2f98b8d08ad87bd5118ea0a487274c255f7d4b5e03b367d766dea1d7

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 15 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9ce47213d9bb40345ed3abea6d0b473f5ba34861436fc395bc133b44d15ac1c7.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686488AF-13D5-9DDF-4FEF-9FB88698CFC1}\InprocServer32\	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686488AF-13D5-9DDF-4FEF-9FB88698CFC1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686488AF-13D5-9DDF-4FEF-9FB88698CFC1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686488AF-13D5-9DDF-4FEF-9FB88698CFC1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}\ = "JavaSunSurf Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\webbrowser = "{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\wversion = "4.1.6"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{686488AF-13D5-9DDF-4FEF-9FB88698CFC1}\InprocServer32	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1824 wrote to memory of 1540	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1540	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1540	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1540	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1540	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1540	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 1540	1824	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9ce47213d9bb40345ed3abea6d0b473f5ba34861436fc395bc133b44d15ac1c7.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9ce47213d9bb40345ed3abea6d0b473f5ba34861436fc395bc133b44d15ac1c7.dll
2⤵
- Modifies registry class
PID:1540

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1540-55-0x0000000000000000-mapping.dmp

Download
memory/1540-56-0x00000000768D1000-0x00000000768D3000-memory.dmp

Filesize
8KB

Download
memory/1824-54-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing