34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88

General

Target

34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.dll
Size

859KB
MD5

06bba2dceb45a8662063ef97f437b702
SHA1

fffe75f0bac7d09d55f5fce87898cd4825816ea9
SHA256

34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88
SHA512

b4199cab674714235f6ce1d81636862a171d0f8e2fc41357ebf1f64825f93ead434f9dd2d3a8c770154909e8b67da23adeacd57bff9a2f99598fb46218c97bd3

Score

7^/10

adware stealer themida

Malware Config

Signatures

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1224-57-0x0000000002070000-0x0000000002409000-memory.dmp	themida
behavioral1/memory/1224-60-0x0000000002070000-0x0000000002409000-memory.dmp	themida
behavioral1/memory/1224-61-0x0000000002070000-0x0000000002409000-memory.dmp	themida

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}	regsvr32.exe

Modifies registry class 11 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\ = "Alx2000"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.MsShutt_109\Clsid\ = "{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\ProgID\ = "34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.MsShutt_109"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.MsShutt_109	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.MsShutt_109\ = "Alx2000"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.MsShutt_109\Clsid	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 852 wrote to memory of 1224	852	regsvr32.exe	regsvr32.exe
PID 852 wrote to memory of 1224	852	regsvr32.exe	regsvr32.exe
PID 852 wrote to memory of 1224	852	regsvr32.exe	regsvr32.exe
PID 852 wrote to memory of 1224	852	regsvr32.exe	regsvr32.exe
PID 852 wrote to memory of 1224	852	regsvr32.exe	regsvr32.exe
PID 852 wrote to memory of 1224	852	regsvr32.exe	regsvr32.exe
PID 852 wrote to memory of 1224	852	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.dll
2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-54-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp

Filesize
8KB

Download
memory/1224-55-0x0000000000000000-mapping.dmp

Download
memory/1224-56-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1224-57-0x0000000002070000-0x0000000002409000-memory.dmp

Filesize
3.6MB

Download
memory/1224-60-0x0000000002070000-0x0000000002409000-memory.dmp

Filesize
3.6MB

Download
memory/1224-61-0x0000000002070000-0x0000000002409000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads