ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f

General

Target

ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Size

2.1MB
MD5

68e7d3edcb9d655d94d58a3db8253550
SHA1

7e0b525d5895fb13e064ccd3aa57b9d542b34f3f
SHA256

ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f
SHA512

39d69512b5b2172400dd346e7990ee6b8aeb2e3d132faf62ed8f451b074ff891eebd9d3b055192b4949d33e65f124f7410f19e2c121bab29456ba783fe04c357
SSDEEP

49152:XkWY694CQwU+gZQLAwHyLTU9QGY9Mg8pmuZisW5IqYu5MTyoP:nY6JQX5QLAwHOIQGYmwIqYEKyoP

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\InprocServer32\ = "C:\\Program Files (x86)\\YooutubeAddBloacckee\\1SbnOcTsIiGSv7.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exeregsvr32.exeregsvr32.exe

pid process

1944 ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
1692 regsvr32.exe
1152 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1944	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
1692	regsvr32.exe
1152	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\ = "YooutubeAddBloacckee"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\NoExplorer = "1"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\ = "YooutubeAddBloacckee"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe

Drops file in Program Files directory 8 IoCs

Processes:

ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe

description	ioc	process
File created	C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.x64.dll	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
File opened for modification	C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.x64.dll	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
File created	C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.dll	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
File opened for modification	C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.dll	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
File created	C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.tlb	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
File opened for modification	C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.tlb	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
File created	C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.dat	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
File opened for modification	C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.dat	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exeab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9132DCB1-35E9-48C5-9C24-D791BB5B0C50}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9132DCB1-35E9-48C5-9C24-D791BB5B0C50}	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe

Modifies registry class 64 IoCs

Processes:

ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "YooutubeAddBloacckee"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\InprocServer32	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\VersionIndependentProgID\	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "YooutubeAddBloacckee"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\ProgID\ = ".9"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\ = "YooutubeAddBloacckee"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\VersionIndependentProgID	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\ = "YooutubeAddBloacckee"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\InprocServer32\ = "C:\\Program Files (x86)\\YooutubeAddBloacckee\\1SbnOcTsIiGSv7.dll"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\VersionIndependentProgID	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\ProgID	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\InprocServer32\ThreadingModel = "Apartment"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132DCB1-35E9-48C5-9C24-D791BB5B0C50}\Implemented Categories	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YooutubeAddBloacckee"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YooutubeAddBloacckee"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9132DCB1-35E9-48C5-9C24-D791BB5B0C50}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50}\Programmable	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9132DCB1-35E9-48C5-9C24-D791BB5B0C50}	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exeregsvr32.exe

description	pid	process	target process
PID 1944 wrote to memory of 1692	1944	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe	regsvr32.exe
PID 1944 wrote to memory of 1692	1944	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe	regsvr32.exe
PID 1944 wrote to memory of 1692	1944	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe	regsvr32.exe
PID 1944 wrote to memory of 1692	1944	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe	regsvr32.exe
PID 1944 wrote to memory of 1692	1944	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe	regsvr32.exe
PID 1944 wrote to memory of 1692	1944	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe	regsvr32.exe
PID 1944 wrote to memory of 1692	1944	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe	regsvr32.exe
PID 1692 wrote to memory of 1152	1692	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1152	1692	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1152	1692	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1152	1692	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1152	1692	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1152	1692	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1152	1692	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9132dcb1-35e9-48c5-9c24-d791bb5b0c50} = "1"	ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe

C:\Users\Admin\AppData\Local\Temp\ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe
"C:\Users\Admin\AppData\Local\Temp\ab5d3c89a2777b13df311069ff6c0420ed7575b6fae5d8c062cdccaa96894d3f.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1944

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1152

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.dat
Filesize
3KB

MD5
688356f54e13abe0ab4790eb86e045b2

SHA1
93edac9de9ae5594efd01bb9ccdc3d2ac024f989

SHA256
ff21d4c513b1ef118bae61a9e7c990ac8cbd44be4db7e838fded7a583a14a447

SHA512
c002e58e9d7e6bbfc86fc306e2560845b2cd2bed62e87500fd68665458c2cf3f2dd5cc85e45b740fb15d53a6fc92555fd16e663ed682b7551fea71f2a2aec33f

Download Submit
C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.tlb
Filesize
3KB

MD5
f13b83dd097c20e5158af7317cd82a94

SHA1
2d3d4473e92358b3fec12cff3789fae2ed9bcd51

SHA256
0a1142fdfd7b7c92852ecc676455ef9c100b7c4150f5f7c4a690aca2115a1920

SHA512
71e8cb120266803119228ee25ce650a97adf6e9a03a4ec033a6a3b6b743baae3286fa91e04cb7c3c4573ec6807ed30e2329b6a81e1474a09234265316473f0ee

Download Submit
C:\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.x64.dll
Filesize
690KB

MD5
7f4e5aed48ad9c75a88177e0b3e1ef71

SHA1
6840657f75e173d9024b32f52080505800d181b8

SHA256
e51368f1382e9a00d9059728c1e23914b3ecfc50cbbe927370adf009cd08aac1

SHA512
fb41c9e758909d0546dd554230eb04812e708f069b423db587b37c4f8c5745399c959c1bfd850ec474f918217314bb64604ad8ab04780730040e732959b7f671

Download Submit
\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.dll
Filesize
614KB

MD5
9b667841fa6680b733d5b79bc9bd4cb4

SHA1
c476a5e8c8ab32927862184a274a1fa9524ab9c7

SHA256
bef8ef321da36b6230869d492cc4223bc4e921cbe8e2e0d286ab41ed6ebf4e5b

SHA512
b94ab8efb79d791769e394a9fded3dfffc50d57cb865f63f1a873948f400b4cc9313befae2d2059e0b2ea810eac2c554bd34aa694452a168e7ceff9e7d42e7ab

Download Submit
\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.x64.dll
Filesize
690KB

MD5
7f4e5aed48ad9c75a88177e0b3e1ef71

SHA1
6840657f75e173d9024b32f52080505800d181b8

SHA256
e51368f1382e9a00d9059728c1e23914b3ecfc50cbbe927370adf009cd08aac1

SHA512
fb41c9e758909d0546dd554230eb04812e708f069b423db587b37c4f8c5745399c959c1bfd850ec474f918217314bb64604ad8ab04780730040e732959b7f671

Download Submit
\Program Files (x86)\YooutubeAddBloacckee\1SbnOcTsIiGSv7.x64.dll
Filesize
690KB

MD5
7f4e5aed48ad9c75a88177e0b3e1ef71

SHA1
6840657f75e173d9024b32f52080505800d181b8

SHA256
e51368f1382e9a00d9059728c1e23914b3ecfc50cbbe927370adf009cd08aac1

SHA512
fb41c9e758909d0546dd554230eb04812e708f069b423db587b37c4f8c5745399c959c1bfd850ec474f918217314bb64604ad8ab04780730040e732959b7f671

Download Submit
memory/1152-84-0x0000000000000000-mapping.dmp

Download
memory/1152-85-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/1692-80-0x0000000000000000-mapping.dmp

Download
memory/1944-54-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download
memory/1944-55-0x0000000002400000-0x00000000024A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads