da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e

General

Target

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Size

3.6MB
MD5

1968b72bd158f86b2f6dbeeaaf7cfe0e
SHA1

bd6b9a30f47cd1c96dc2b0245ff340daac8f9b01
SHA256

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e
SHA512

7e7bdcbbbb9f4520227eef7876a3174d68ce8b3362a810d96bb5a6066e56bafe3d41c94237824616b0ea1e037f4b407bf73fc249c8b03a6ccf6a72a24687e402
SSDEEP

49152:FbAct+TfLFAsAp0Xw2VnzmhK6Dhtc0LKXnss6MogyE3837l0WN0kzXJAhkCWLxlU:Fbr+TSjp0Xx8E4GXneYy4837lRjJLCo

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdaBlocKe\\Nxp9czrDRmXBnZ.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exeregsvr32.exeregsvr32.exe

pid process

1480 da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
1600 regsvr32.exe
1396 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1480	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
1600	regsvr32.exe
1396	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\ = "YoutubeAdaBlocKe"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\NoExplorer = "1"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\ = "YoutubeAdaBlocKe"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.tlb	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File created	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dat	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dat	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File created	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File created	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dll	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dll	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File created	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.tlb	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7FE44F71-9924-4AEF-AEFE-139F6F4D1A6C}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7FE44F71-9924-4AEF-AEFE-139F6F4D1A6C}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeda495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YoutubeAdaBlocKe"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\Programmable	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FE44F71-9924-4AEF-AEFE-139F6F4D1A6C}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FE44F71-9924-4AEF-AEFE-139F6F4D1A6C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdaBlocKe"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\ProgID	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FE44F71-9924-4AEF-AEFE-139F6F4D1A6C}\Implemented Categories	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdaBlocKe\\Nxp9czrDRmXBnZ.dll"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YoutubeAdaBlocKe"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\ProgID	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FE44F71-9924-4AEF-AEFE-139F6F4D1A6C}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exeregsvr32.exe

description	pid	process	target process
PID 1480 wrote to memory of 1600	1480	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe	regsvr32.exe
PID 1480 wrote to memory of 1600	1480	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe	regsvr32.exe
PID 1480 wrote to memory of 1600	1480	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe	regsvr32.exe
PID 1480 wrote to memory of 1600	1480	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe	regsvr32.exe
PID 1480 wrote to memory of 1600	1480	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe	regsvr32.exe
PID 1480 wrote to memory of 1600	1480	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe	regsvr32.exe
PID 1480 wrote to memory of 1600	1480	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe	regsvr32.exe
PID 1600 wrote to memory of 1396	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1396	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1396	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1396	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1396	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1396	1600	regsvr32.exe	regsvr32.exe
PID 1600 wrote to memory of 1396	1600	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c} = "1"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

C:\Users\Admin\AppData\Local\Temp\da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
"C:\Users\Admin\AppData\Local\Temp\da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1480
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dat

Filesize
4KB

MD5
04d9aa4df41a309b5f352aca98ddd8cd

SHA1
0b662bca9cb1f8b604edcd3be030a55a55878b34

SHA256
b50593229c4e048b0deec7665093d2bbd60d3eb0f12897e0360be406ab37415a

SHA512
4106a7c056e683c52d7327d1c469f4257bc19f61a5fc24e7fb4a7eef9924116b44434e40ff7cd634a28717cd28a647fb7a8543700521737700ff7d89fb67b368

Download Submit
C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.tlb

Filesize
3KB

MD5
3ff54cd86d4f83c32a7abdf699d46513

SHA1
f586008206097b653fc939018e630cccadda21e2

SHA256
95be1a1cc30ebbebb797a365a2058e5320d062b49497fbab5423d96f9846573f

SHA512
9ba366b7f6ba215ea079122f5b9b9c32abb1a73dd2bebd6270c91163450d7d7160d3709160b8990d3ba57a76d287ab853ccf6589d67c4016cc8a82b279607aa8

Download Submit
C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll

Filesize
695KB

MD5
5de3306036cde10139ff0f99154bef07

SHA1
08ec3d698a0e6ddf89433f9f73f07afcc4defee0

SHA256
c51bb32074fed6342304383f2127fe72f8bfa123742fa4b651a3f2a8c9a485ec

SHA512
ac7a4c3a094e0be6d1a4e44fbdb14934123c02fbdf2a28c467b80babcff963a23c5f21107ae588c94413f269660fe5259728df290d15dff259608c54cb76a248

Download Submit
\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dll

Filesize
616KB

MD5
adf713a93e396a4e70845a61c1b166fb

SHA1
c13f8f34eaa96431a1f28d404f44c29401869242

SHA256
1cb4d0d74ec9ad9b27a08685f5282d0a0179c1b01ca27394b1fe08145f331ece

SHA512
e9874e3ca84f4f82fe95979c20454c26f253038aa06c4b72dd02cd3ad207477292508ebe5fa2071450b849e285b1e73c42198e0eb24bac25d43314ed88a3a8d7

Download Submit
\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll

Filesize
695KB

MD5
5de3306036cde10139ff0f99154bef07

SHA1
08ec3d698a0e6ddf89433f9f73f07afcc4defee0

SHA256
c51bb32074fed6342304383f2127fe72f8bfa123742fa4b651a3f2a8c9a485ec

SHA512
ac7a4c3a094e0be6d1a4e44fbdb14934123c02fbdf2a28c467b80babcff963a23c5f21107ae588c94413f269660fe5259728df290d15dff259608c54cb76a248

Download Submit
\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll

Filesize
695KB

MD5
5de3306036cde10139ff0f99154bef07

SHA1
08ec3d698a0e6ddf89433f9f73f07afcc4defee0

SHA256
c51bb32074fed6342304383f2127fe72f8bfa123742fa4b651a3f2a8c9a485ec

SHA512
ac7a4c3a094e0be6d1a4e44fbdb14934123c02fbdf2a28c467b80babcff963a23c5f21107ae588c94413f269660fe5259728df290d15dff259608c54cb76a248

Download Submit
memory/1396-88-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1396-87-0x0000000000000000-mapping.dmp

Download
memory/1480-74-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-79-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-68-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-70-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-69-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-71-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-72-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-73-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1480-75-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-76-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-78-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-77-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-67-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-80-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-66-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-82-0x0000000000393000-0x0000000000395000-memory.dmp

Filesize
8KB

Download
memory/1480-55-0x0000000000C70000-0x0000000000D16000-memory.dmp

Filesize
664KB

Download
memory/1480-65-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-64-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-63-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-62-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-61-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1480-60-0x0000000000392000-0x0000000000396000-memory.dmp

Filesize
16KB

Download
memory/1600-83-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads