0211a085537f0e75b255937f6b5b4f0f69d311b842cbff8cc4f20dd58bbefa14

General

Target

0211a085537f0e75b255937f6b5b4f0f69d311b842cbff8cc4f20dd58bbefa14.dll
Size

1.1MB
MD5

f6d9be21c75501f3445ee5d4826fdcf2
SHA1

db58e4520d0986e01a4e760aa81442aa1bb35bcd
SHA256

0211a085537f0e75b255937f6b5b4f0f69d311b842cbff8cc4f20dd58bbefa14
SHA512

ec736b7456c5dbff992c39118bb30016a4aafd632cbb2433d44cf4e052b697e108f86406e869774ba5f26362164245cd30e14f5adb65272318389efb6fc47eed

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\ButtonText = "McAfee WebAdvisor"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412\ButtonText = "McAfee 웹어드바이저"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804\MenuText = "迈克菲联网顾问"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Default Visible = "Yes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412\MenuText = "McAfee 웹어드바이저"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411\ButtonText = "マカフィーウェブアドバイザー"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\CLSID = "{32CFFBE7-8BB7-4BC3-83D8-8197671920D6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Icon	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\MenuText = "McAfee WebAdvisor"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\CLSIDExtension = "{29B24532-6CE1-41BA-8BF0-F580EA174AF1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\HotIcon	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\MenuStatusBar = "MStatus bar View SiteReport"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411\MenuText = "マカフィーウェブアドバイザー"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804\ButtonText = "迈克菲联网顾问"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\@ = "WebAdvisor Menu"	regsvr32.exe

Modifies registry class 12 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\ = "McAfee WebAdvisor Extension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0211a085537f0e75b255937f6b5b4f0f69d311b842cbff8cc4f20dd58bbefa14.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ = "McAfee WebAdvisor"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0211a085537f0e75b255937f6b5b4f0f69d311b842cbff8cc4f20dd58bbefa14.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1808 wrote to memory of 1632	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1632	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1632	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1632	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1632	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1632	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 1632	1808	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0211a085537f0e75b255937f6b5b4f0f69d311b842cbff8cc4f20dd58bbefa14.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0211a085537f0e75b255937f6b5b4f0f69d311b842cbff8cc4f20dd58bbefa14.dll
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1632

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-55-0x0000000000000000-mapping.dmp

Download
memory/1632-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1808-54-0x000007FEFB671000-0x000007FEFB673000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads