ef5ca9aa47b868f8e910c4272ac6a9e205379040c0e6c63e6bd3f07955d34496

General

Target

ef5ca9aa47b868f8e910c4272ac6a9e205379040c0e6c63e6bd3f07955d34496.dll
Size

135KB
MD5

030bbe15017be0a1fb1595f9f20c1482
SHA1

9d6c2918dd6b5c1ca15e5fb29777cc8f633540c5
SHA256

ef5ca9aa47b868f8e910c4272ac6a9e205379040c0e6c63e6bd3f07955d34496
SHA512

4f066c327acea64be3639fe9642bd0033b20163c464988978efe822b8858790e555d5c186b00a967e1137dcf69f9497f2487ef2e20e27bf9a05ac717d7a84f36
SSDEEP

3072:Se6UuUtFT90gtpqp8e60ff7Go1Yi3eAaJRFAFB6TnvO/T9gJM:yv09nc8Z0b/GMJSWF0TngUM

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0C7C23EF-A848-485B-873C-0ED954731014}	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Text = " SOSO AddressBar Search"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\ShowTip\ValueName = "EnableTip"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\ShowTip\HkeyRoot = "2147483649"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\ShowTip\type = "checkbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UrlSearchHooks	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\type = "group"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Enable\HkeyRoot = "2147483649"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\ShowTip\CheckedValue = "yes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UrlSearchHooks\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Enable\text = "Enable AddressBar Search"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Enable\checkvalue = "yes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\ShowTip\DefaultValue = "yes"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Enable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\ShowTip\RegPath = "SOFTWARE\\Tencent\\TBH"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\ShowTip\UncheckedValue = "no"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Enable\ValueName = "EnableTBH"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Bitmap = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ef5ca9aa47b868f8e910c4272ac6a9e205379040c0e6c63e6bd3f07955d34496.dll,100"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Enable\type = "checkbox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Enable\CheckedValue = "yes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Enable\UncheckedValue = "no"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Enable\RegPath = "SOFTWARE\\Tencent\\TBH"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\ShowTip	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\ShowTip\checkvalue = "yes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\Enable\DefaultValue = "yes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\TBH\ShowTip\text = "Show Tips in AddressBar"	regsvr32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A57E074F-56D8-4A33-8112-AAC9693AA909}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C7C23EF-A848-485B-873C-0ED954731014}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C7C23EF-A848-485B-873C-0ED954731014}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9}\ = "Tencent SearchHook"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C7C23EF-A848-485B-873C-0ED954731014}\ = "Tencent Browser Helper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A57E074F-56D8-4A33-8112-AAC9693AA909}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C7C23EF-A848-485B-873C-0ED954731014}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ef5ca9aa47b868f8e910c4272ac6a9e205379040c0e6c63e6bd3f07955d34496.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C7C23EF-A848-485B-873C-0ED954731014}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ef5ca9aa47b868f8e910c4272ac6a9e205379040c0e6c63e6bd3f07955d34496.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A57E074F-56D8-4A33-8112-AAC9693AA909}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A57E074F-56D8-4A33-8112-AAC9693AA909}\ = "Tencent AddrDropTarget"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A57E074F-56D8-4A33-8112-AAC9693AA909}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ef5ca9aa47b868f8e910c4272ac6a9e205379040c0e6c63e6bd3f07955d34496.dll"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 1552	392	regsvr32.exe	79
PID 392 wrote to memory of 1552	392	regsvr32.exe	79
PID 392 wrote to memory of 1552	392	regsvr32.exe	79

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef5ca9aa47b868f8e910c4272ac6a9e205379040c0e6c63e6bd3f07955d34496.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ef5ca9aa47b868f8e910c4272ac6a9e205379040c0e6c63e6bd3f07955d34496.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads