29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628

General

Target

29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Size

2.1MB
MD5

93a97b2d856567ef4298d3a093b0b9b1
SHA1

ab051d92ac14447baf8bef10e63c0ceff17f70c0
SHA256

29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628
SHA512

15d051c22073347febd250717ed40048fa47550ab175eed9ffc140c206078e9c89076f8a469b964559264c4307572f0252f1f60162512be6fc08a8315ac0455e
SSDEEP

49152:okg1wkrm2q74IdJk20oCqltz2h9ntGuF3HHovVpL4l:w1wkC2q7zdJx3/CYuJHOjk

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\ujG9Uc3.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exeregsvr32.exeregsvr32.exe

pid process

1484 29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
680 regsvr32.exe
1528 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1484	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
680	regsvr32.exe
1528	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\ = "Adblocker"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\NoExplorer = "1"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\ = "Adblocker"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adblocker\ujG9Uc3.dat	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
File created	C:\Program Files (x86)\Adblocker\ujG9Uc3.x64.dll	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
File opened for modification	C:\Program Files (x86)\Adblocker\ujG9Uc3.x64.dll	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
File created	C:\Program Files (x86)\Adblocker\ujG9Uc3.dll	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
File opened for modification	C:\Program Files (x86)\Adblocker\ujG9Uc3.dll	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
File created	C:\Program Files (x86)\Adblocker\ujG9Uc3.tlb	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
File opened for modification	C:\Program Files (x86)\Adblocker\ujG9Uc3.tlb	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
File created	C:\Program Files (x86)\Adblocker\ujG9Uc3.dat	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe

Modifies registry class 64 IoCs

Processes:

29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\ujG9Uc3.dll"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\ = "Adblocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\VersionIndependentProgID	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\VersionIndependentProgID	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\InprocServer32	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\Adblocker\\ujG9Uc3.tlb"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\VersionIndependentProgID\ = "Adblocker"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\ = "Adblocker"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\ = "Adblocker"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\ProgID	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\ = "Adblocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID\ = "{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Adblocker"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID\ = "{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\ = "Adblocker"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\Programmable	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\VersionIndependentProgID\ = "Adblocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\Programmable	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exeregsvr32.exe

description	pid	process	target process
PID 1484 wrote to memory of 680	1484	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe	regsvr32.exe
PID 1484 wrote to memory of 680	1484	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe	regsvr32.exe
PID 1484 wrote to memory of 680	1484	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe	regsvr32.exe
PID 1484 wrote to memory of 680	1484	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe	regsvr32.exe
PID 1484 wrote to memory of 680	1484	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe	regsvr32.exe
PID 1484 wrote to memory of 680	1484	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe	regsvr32.exe
PID 1484 wrote to memory of 680	1484	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe	regsvr32.exe
PID 680 wrote to memory of 1528	680	regsvr32.exe	regsvr32.exe
PID 680 wrote to memory of 1528	680	regsvr32.exe	regsvr32.exe
PID 680 wrote to memory of 1528	680	regsvr32.exe	regsvr32.exe
PID 680 wrote to memory of 1528	680	regsvr32.exe	regsvr32.exe
PID 680 wrote to memory of 1528	680	regsvr32.exe	regsvr32.exe
PID 680 wrote to memory of 1528	680	regsvr32.exe	regsvr32.exe
PID 680 wrote to memory of 1528	680	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9A9EF4E5-BF10-7BD4-5361-E45DCD2F5F81} = "1"	29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe

C:\Users\Admin\AppData\Local\Temp\29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe
"C:\Users\Admin\AppData\Local\Temp\29f2a07314a26b7b88ea90a3fb5f6374387c7c97f080d922872048f36453c628.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1484

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Adblocker\ujG9Uc3.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Adblocker\ujG9Uc3.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adblocker\ujG9Uc3.dat

Filesize
3KB

MD5
43edc0dce2cc0b3a5df383be36cd8297

SHA1
1888a430377138253a09891d4449b3d25d25546a

SHA256
084bcb6dc6eadd8efd15bd99b1a60507b5f82dfb4702ec2659511d522ed9c108

SHA512
e1cb61587024672f794c49e16bcc933a08fcd65c63fc9d91bc7abc9bbd76ae68f9a167ba0c2d2d35a0d0990040946c59ff992d593068ee917152f03675add73f

Download Submit
C:\Program Files (x86)\Adblocker\ujG9Uc3.tlb

Filesize
3KB

MD5
f13b83dd097c20e5158af7317cd82a94

SHA1
2d3d4473e92358b3fec12cff3789fae2ed9bcd51

SHA256
0a1142fdfd7b7c92852ecc676455ef9c100b7c4150f5f7c4a690aca2115a1920

SHA512
71e8cb120266803119228ee25ce650a97adf6e9a03a4ec033a6a3b6b743baae3286fa91e04cb7c3c4573ec6807ed30e2329b6a81e1474a09234265316473f0ee

Download Submit
C:\Program Files (x86)\Adblocker\ujG9Uc3.x64.dll

Filesize
690KB

MD5
7f4e5aed48ad9c75a88177e0b3e1ef71

SHA1
6840657f75e173d9024b32f52080505800d181b8

SHA256
e51368f1382e9a00d9059728c1e23914b3ecfc50cbbe927370adf009cd08aac1

SHA512
fb41c9e758909d0546dd554230eb04812e708f069b423db587b37c4f8c5745399c959c1bfd850ec474f918217314bb64604ad8ab04780730040e732959b7f671

Download Submit
\Program Files (x86)\Adblocker\ujG9Uc3.dll

Filesize
614KB

MD5
9b667841fa6680b733d5b79bc9bd4cb4

SHA1
c476a5e8c8ab32927862184a274a1fa9524ab9c7

SHA256
bef8ef321da36b6230869d492cc4223bc4e921cbe8e2e0d286ab41ed6ebf4e5b

SHA512
b94ab8efb79d791769e394a9fded3dfffc50d57cb865f63f1a873948f400b4cc9313befae2d2059e0b2ea810eac2c554bd34aa694452a168e7ceff9e7d42e7ab

Download Submit
\Program Files (x86)\Adblocker\ujG9Uc3.x64.dll

Filesize
690KB

MD5
7f4e5aed48ad9c75a88177e0b3e1ef71

SHA1
6840657f75e173d9024b32f52080505800d181b8

SHA256
e51368f1382e9a00d9059728c1e23914b3ecfc50cbbe927370adf009cd08aac1

SHA512
fb41c9e758909d0546dd554230eb04812e708f069b423db587b37c4f8c5745399c959c1bfd850ec474f918217314bb64604ad8ab04780730040e732959b7f671

Download Submit
\Program Files (x86)\Adblocker\ujG9Uc3.x64.dll

Filesize
690KB

MD5
7f4e5aed48ad9c75a88177e0b3e1ef71

SHA1
6840657f75e173d9024b32f52080505800d181b8

SHA256
e51368f1382e9a00d9059728c1e23914b3ecfc50cbbe927370adf009cd08aac1

SHA512
fb41c9e758909d0546dd554230eb04812e708f069b423db587b37c4f8c5745399c959c1bfd850ec474f918217314bb64604ad8ab04780730040e732959b7f671

Download Submit
memory/680-80-0x0000000000000000-mapping.dmp

Download
memory/1484-65-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-76-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-67-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-68-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-69-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-71-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-70-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-72-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-73-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-74-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-75-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-66-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-77-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-78-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/1484-64-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-63-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-62-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-55-0x00000000007E0000-0x0000000000882000-memory.dmp

Filesize
648KB

Download
memory/1484-60-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1484-61-0x0000000000701000-0x0000000000705000-memory.dmp

Filesize
16KB

Download
memory/1528-85-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1528-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads