aaa9769d0012061934ff03352f83994dded7f591be4f2c5264e80877cb5ed6d9

General

Target

aaa9769d0012061934ff03352f83994dded7f591be4f2c5264e80877cb5ed6d9.dll
Size

199KB
MD5

75658f71b5a4165ed39c6a1d6cf86809
SHA1

6f1af30fde134675e4f76a623ccc2247d339ff6a
SHA256

aaa9769d0012061934ff03352f83994dded7f591be4f2c5264e80877cb5ed6d9
SHA512

0652be36e0f9649a2f02d08f1af1b425f13d398ec65e468de32db9ff76534e3995ee9937f991515bd364fb1a0e985e13810750b42bedac18ee895b7b80ffe859
SSDEEP

3072:6i5V+MPRR514iK8w/OI3HSUgFqnRKm+4RmQeFeVnoj3SZQwqjXZWX+BIbB0kO:6i5V+aRR5yiKhBK61+4RmNeZy4I00kO

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aaa9769d0012061934ff03352f83994dded7f591be4f2c5264e80877cb5ed6d9.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\InprocServer32	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\ = "Adobe PDF Reader Link Helper"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}	regsvr32.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\linkd.AIEbho\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\TypeLib\ = "{2B63B21A-4075-4298-A569-D8113F1D7045}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\Programmable\	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\linkd.AIEbho\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\linkd.AIEbho.1\CLSID\ = "{C0F1636E-13A8-4C84-BB11-774BE45E1F83}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\VersionIndependentProgID\ = "linkd.AIEbho"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\linkd.AIEbho\ = "Adobe PDF Reader Link Helper"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\linkd.AIEbho.1	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\linkd.AIEbho\CurVer\ = "linkd.AIEbho.1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\ = "Adobe PDF Reader Link Helper"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\AppID = "{F535DD2D-9339-48ED-A378-61084B1049AB}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aaa9769d0012061934ff03352f83994dded7f591be4f2c5264e80877cb5ed6d9.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\linkd.AIEbho	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\linkd.AIEbho.1\ = "Adobe PDF Reader Link Helper"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\linkd.AIEbho\CLSID\ = "{C0F1636E-13A8-4C84-BB11-774BE45E1F83}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\linkd.AIEbho.1\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\ProgID\ = "linkd.AIEbho.1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{C0F1636E-13A8-4C84-BB11-774BE45E1F83}\Programmable	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1372	1640	regsvr32.exe	27
PID 1640 wrote to memory of 1372	1640	regsvr32.exe	27
PID 1640 wrote to memory of 1372	1640	regsvr32.exe	27
PID 1640 wrote to memory of 1372	1640	regsvr32.exe	27
PID 1640 wrote to memory of 1372	1640	regsvr32.exe	27
PID 1640 wrote to memory of 1372	1640	regsvr32.exe	27
PID 1640 wrote to memory of 1372	1640	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aaa9769d0012061934ff03352f83994dded7f591be4f2c5264e80877cb5ed6d9.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\aaa9769d0012061934ff03352f83994dded7f591be4f2c5264e80877cb5ed6d9.dll
  2⤵
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1372-56-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1640-54-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing