2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a

General

Target

2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a.dll
Size

556KB
MD5

03e9899abd7de4b3b87d7dd3692eef9d
SHA1

5119dad734b03df432029ad030fcab7f052006b6
SHA256

2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a
SHA512

e7e072568bad18b1e28413b66879920663ccb064a181f17cb8aba91579e9af96adf63875ffa7ef9885de6b04d007a20e540d4984855bceb3e77c6ea03e33f281

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies registry class 11 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-CAB8-CD56-B2AA-C1ECB7DD2651}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a.sch	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a.sch\ = "sch"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a.sch\Clsid\ = "{CC01FC6C-CAB8-CD56-B2AA-C1ECB7DD2651}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-CAB8-CD56-B2AA-C1ECB7DD2651}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-CAB8-CD56-B2AA-C1ECB7DD2651}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-CAB8-CD56-B2AA-C1ECB7DD2651}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a.sch\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-CAB8-CD56-B2AA-C1ECB7DD2651}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-CAB8-CD56-B2AA-C1ECB7DD2651}\ProgID\ = "2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a.sch"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-CAB8-CD56-B2AA-C1ECB7DD2651}\ = "sch"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 872 wrote to memory of 1108	872	regsvr32.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	regsvr32.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	regsvr32.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	regsvr32.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	regsvr32.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	regsvr32.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2da9dc8e184390955c462e71115693776e3c5b44cb741e3ce3d18f4183bc761a.dll
2⤵
- Modifies registry class
PID:1108

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-54-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1108-55-0x0000000000000000-mapping.dmp

Download
memory/1108-56-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1108-57-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing