349bfa61264cd1e30ee0af1687e49ed75165687ae4130577e13d9cc9ce3782bf

Analysis

max time kernel
152s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

349bfa61264cd1e30ee0af1687e49ed75165687ae4130577e13d9cc9ce3782bf.exe
Size

1.5MB
MD5

7046e209ff5847b23b8bd04e2d6f76fe
SHA1

0ae796deb864a47f171f93583efaa7c2f5fa5434
SHA256

349bfa61264cd1e30ee0af1687e49ed75165687ae4130577e13d9cc9ce3782bf
SHA512

9e915f3a1dd9df55b8841ef45766b904594bda0ae28a4708d7be934148a0adf4445be8241ce7751dbea92f19e1d2756084938f380746a8a437c58e99c74669aa
SSDEEP

24576:HS6fJHL4IpoUYaj/ybNICQZrTkuof0JQdTJ9o3oatIexCNdvvgYPw:H74DBajAUZrvofbQoaSeydv4Y4

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

L8I.exe

pid process

5112 L8I.exe

pid	process
5112	L8I.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\vZ.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

L8I.exeregsvr32.exeregsvr32.exe

pid process

5112 L8I.exe
2032 regsvr32.exe
4020 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
5112	L8I.exe
2032	regsvr32.exe
4020	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeL8I.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\ = "Adblocker"	L8I.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\NoExplorer = "1"	L8I.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\ = "Adblocker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

L8I.exe

description	ioc	process
File created	C:\Program Files (x86)\Adblocker\vZ.dll	L8I.exe
File opened for modification	C:\Program Files (x86)\Adblocker\vZ.dll	L8I.exe
File created	C:\Program Files (x86)\Adblocker\vZ.tlb	L8I.exe
File opened for modification	C:\Program Files (x86)\Adblocker\vZ.tlb	L8I.exe
File created	C:\Program Files (x86)\Adblocker\vZ.dat	L8I.exe
File opened for modification	C:\Program Files (x86)\Adblocker\vZ.dat	L8I.exe
File created	C:\Program Files (x86)\Adblocker\vZ.x64.dll	L8I.exe
File opened for modification	C:\Program Files (x86)\Adblocker\vZ.x64.dll	L8I.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

L8I.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	L8I.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	L8I.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}	L8I.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}	L8I.exe

Modifies registry class 64 IoCs

Processes:

L8I.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\VersionIndependentProgID	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID\ = "{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\ = "Adblocker"	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\ = "Adblocker"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}"	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\InprocServer32	L8I.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\ = "Adblocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\ProgID	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	L8I.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\VersionIndependentProgID	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\Implemented Categories	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\ = "Adblocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID\ = "{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\vZ.dll"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\ProgID\ = "Adblocker.1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\vZ.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID	L8I.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\InprocServer32	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0"	L8I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	L8I.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161}\ProgID\ = "Adblocker.1.0"	L8I.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

349bfa61264cd1e30ee0af1687e49ed75165687ae4130577e13d9cc9ce3782bf.exeL8I.exeregsvr32.exe

description	pid	process	target process
PID 2576 wrote to memory of 5112	2576	349bfa61264cd1e30ee0af1687e49ed75165687ae4130577e13d9cc9ce3782bf.exe	L8I.exe
PID 2576 wrote to memory of 5112	2576	349bfa61264cd1e30ee0af1687e49ed75165687ae4130577e13d9cc9ce3782bf.exe	L8I.exe
PID 2576 wrote to memory of 5112	2576	349bfa61264cd1e30ee0af1687e49ed75165687ae4130577e13d9cc9ce3782bf.exe	L8I.exe
PID 5112 wrote to memory of 2032	5112	L8I.exe	regsvr32.exe
PID 5112 wrote to memory of 2032	5112	L8I.exe	regsvr32.exe
PID 5112 wrote to memory of 2032	5112	L8I.exe	regsvr32.exe
PID 2032 wrote to memory of 4020	2032	regsvr32.exe	regsvr32.exe
PID 2032 wrote to memory of 4020	2032	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

L8I.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E1BD0D59-F0FF-05F6-780A-1B79C01A7161} = "1"	L8I.exe

C:\Users\Admin\AppData\Local\Temp\349bfa61264cd1e30ee0af1687e49ed75165687ae4130577e13d9cc9ce3782bf.exe
"C:\Users\Admin\AppData\Local\Temp\349bfa61264cd1e30ee0af1687e49ed75165687ae4130577e13d9cc9ce3782bf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\358838cb\L8I.exe
"C:\Users\Admin\AppData\Local\Temp/358838cb/L8I.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5112

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Adblocker\vZ.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Adblocker\vZ.x64.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adblocker\vZ.dat

Filesize
4KB

MD5
291f0a380f0f4bbcb7e8bedd60d3af78

SHA1
934fcff906f474218ae2328a92adbd09da33f582

SHA256
0868b1d66fd18ffb5fc6b94ff2ef87cf17748032b7de32b01da2439409b5a5d0

SHA512
b1b6647c5606ff0f1ae159145924c04b786c95d125d2843142f68547aba6721f4992e59a62b4334e26785dbf7882850b37737422ef301261b22b1d2c9525fff3

Download Submit
C:\Program Files (x86)\Adblocker\vZ.dll

Filesize
325KB

MD5
d316153e6feea98b96650c4f05e2f31a

SHA1
21ef422afe7f9bcbd86f0381b296a8f2d2f66fe4

SHA256
c22e935a2b45bf48d94ee2f268b163d73b1b0c6c10f5ef6737591ec3da7c1578

SHA512
9a9752d3cb544c3cbad053aa93e44e95892094099181a15b40b8dcf200180eb72eadd4fb1cd6792434d20e60d9ae433370a47ed19753317078e51e616438514c

Download Submit
C:\Program Files (x86)\Adblocker\vZ.tlb

Filesize
3KB

MD5
736f8e927a2bc98863a50a76ac7a0973

SHA1
fe78f86dc43442192b9f4e56dfdb35e36d23cfbb

SHA256
b7fb683bbb4c444b7121ad4cb00a4b8f247ea32ee367a4d0bc6ea05e6803c45f

SHA512
321e777413ee96dd05b3c412fd90b0e78ea8a9550a8d7af27d7a1530302833c97eb7e41b018e7bb89e82c8987e2527094b88ac94b74a3b5cc4b8bea1a0ef287e

Download Submit
C:\Program Files (x86)\Adblocker\vZ.x64.dll

Filesize
389KB

MD5
7cd46176b71eda0ecb89413ed185e606

SHA1
58f24d30eb5251a553ec7dac81f3fc2398e3e63e

SHA256
b959f8550304467338e0b2975acf36b6c530e575d3cc6847f82fa7576fb86bb7

SHA512
217eee22ebf8ca536e49378a6c831f71e0bdf6ef637d14395e8e765a9f2e1b98bbda0a9bf273592dc9665d9e63f72aa58fd9dbd66ede56f8855ee500c67becdd

Download Submit
C:\Program Files (x86)\Adblocker\vZ.x64.dll

Filesize
389KB

MD5
7cd46176b71eda0ecb89413ed185e606

SHA1
58f24d30eb5251a553ec7dac81f3fc2398e3e63e

SHA256
b959f8550304467338e0b2975acf36b6c530e575d3cc6847f82fa7576fb86bb7

SHA512
217eee22ebf8ca536e49378a6c831f71e0bdf6ef637d14395e8e765a9f2e1b98bbda0a9bf273592dc9665d9e63f72aa58fd9dbd66ede56f8855ee500c67becdd

Download Submit
C:\Program Files (x86)\Adblocker\vZ.x64.dll

Filesize
389KB

MD5
7cd46176b71eda0ecb89413ed185e606

SHA1
58f24d30eb5251a553ec7dac81f3fc2398e3e63e

SHA256
b959f8550304467338e0b2975acf36b6c530e575d3cc6847f82fa7576fb86bb7

SHA512
217eee22ebf8ca536e49378a6c831f71e0bdf6ef637d14395e8e765a9f2e1b98bbda0a9bf273592dc9665d9e63f72aa58fd9dbd66ede56f8855ee500c67becdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\358838cb\L8I.dat

Filesize
4KB

MD5
291f0a380f0f4bbcb7e8bedd60d3af78

SHA1
934fcff906f474218ae2328a92adbd09da33f582

SHA256
0868b1d66fd18ffb5fc6b94ff2ef87cf17748032b7de32b01da2439409b5a5d0

SHA512
b1b6647c5606ff0f1ae159145924c04b786c95d125d2843142f68547aba6721f4992e59a62b4334e26785dbf7882850b37737422ef301261b22b1d2c9525fff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\358838cb\L8I.exe

Filesize
564KB

MD5
0e40283546a07f8655a29d2dd0eb47b2

SHA1
708483119bf61e380a38df9b3d951ed9fef578d5

SHA256
175bc9c1241f15ae0a43f6b12fdc01337cb824c9b5ce6a51fdcbea7c4c98e323

SHA512
56adfd58ee0314b77d8351b6ec266ade8f0f59ccf6ac48f6641531733cc9b2b836f18a0ec2952d7e6a30bd18a320c3d1d796f6619e93ae449c6ccf3195514926

Download Submit
C:\Users\Admin\AppData\Local\Temp\358838cb\L8I.exe

Filesize
564KB

MD5
0e40283546a07f8655a29d2dd0eb47b2

SHA1
708483119bf61e380a38df9b3d951ed9fef578d5

SHA256
175bc9c1241f15ae0a43f6b12fdc01337cb824c9b5ce6a51fdcbea7c4c98e323

SHA512
56adfd58ee0314b77d8351b6ec266ade8f0f59ccf6ac48f6641531733cc9b2b836f18a0ec2952d7e6a30bd18a320c3d1d796f6619e93ae449c6ccf3195514926

Download Submit
C:\Users\Admin\AppData\Local\Temp\358838cb\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\358838cb\[email protected]\chrome.manifest

Filesize
23B

MD5
85818ae9fbc4cda30d4273a7e9bc5096

SHA1
bb586e344120fbbb5ffa45447346ad60d5a0f98c

SHA256
90ad9cf2ce74b9d34df508b691b3f310c1d36529d82e0e6c463b0d1dc5174d26

SHA512
9f74119597fb5cdf79a5a9076b19693cd22c3aa48f3da7c89e5f235b62fcb080c8afcef03adc466f9ccaf8027e602d93f2e3aae5e99ee9855f25eb7c7344b941

Download Submit
C:\Users\Admin\AppData\Local\Temp\358838cb\[email protected]\content\bg.js

Filesize
31KB

MD5
df5ab56cdd7a79263efea83a1aea1d02

SHA1
36db4ad5c01ed856871ea692d38d7d96dbd38f11

SHA256
0918afeeef72e8ba7a3565c6462626b013e3a01f57e12b7d46723ca4970b2b4f

SHA512
982c419ce22cea13b3430ee094ec45a7f169e47242b62534585f471817bdf74675f705d200c1072b46674911044771cc5e7b079232822b5f684c92d4ac4eeaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\358838cb\[email protected]\install.rdf

Filesize
598B

MD5
a0dfabff8f525638f890efcf4d0b8c7a

SHA1
db31f3294765b3d367bb7b887537db86e72e614b

SHA256
30eb081aeea55743b11763af706d1a2782758352154303207ae86d95a9028937

SHA512
f37692911f504591cf86ce53332f9d62ae4b89126b902f4a59d383bd0156e055573bef86372c4c043b5ceecbdc18977e2381af13feff2fb1f91e3445138fecb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\358838cb\vZ.dll

Filesize
325KB

MD5
d316153e6feea98b96650c4f05e2f31a

SHA1
21ef422afe7f9bcbd86f0381b296a8f2d2f66fe4

SHA256
c22e935a2b45bf48d94ee2f268b163d73b1b0c6c10f5ef6737591ec3da7c1578

SHA512
9a9752d3cb544c3cbad053aa93e44e95892094099181a15b40b8dcf200180eb72eadd4fb1cd6792434d20e60d9ae433370a47ed19753317078e51e616438514c

Download Submit
C:\Users\Admin\AppData\Local\Temp\358838cb\vZ.tlb

Filesize
3KB

MD5
736f8e927a2bc98863a50a76ac7a0973

SHA1
fe78f86dc43442192b9f4e56dfdb35e36d23cfbb

SHA256
b7fb683bbb4c444b7121ad4cb00a4b8f247ea32ee367a4d0bc6ea05e6803c45f

SHA512
321e777413ee96dd05b3c412fd90b0e78ea8a9550a8d7af27d7a1530302833c97eb7e41b018e7bb89e82c8987e2527094b88ac94b74a3b5cc4b8bea1a0ef287e

Download Submit
C:\Users\Admin\AppData\Local\Temp\358838cb\vZ.x64.dll

Filesize
389KB

MD5
7cd46176b71eda0ecb89413ed185e606

SHA1
58f24d30eb5251a553ec7dac81f3fc2398e3e63e

SHA256
b959f8550304467338e0b2975acf36b6c530e575d3cc6847f82fa7576fb86bb7

SHA512
217eee22ebf8ca536e49378a6c831f71e0bdf6ef637d14395e8e765a9f2e1b98bbda0a9bf273592dc9665d9e63f72aa58fd9dbd66ede56f8855ee500c67becdd

Download Submit
memory/2032-144-0x0000000000000000-mapping.dmp

Download
memory/4020-147-0x0000000000000000-mapping.dmp

Download
memory/5112-132-0x0000000000000000-mapping.dmp

Download