da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e

General

Target

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Size

3.6MB
MD5

1968b72bd158f86b2f6dbeeaaf7cfe0e
SHA1

bd6b9a30f47cd1c96dc2b0245ff340daac8f9b01
SHA256

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e
SHA512

7e7bdcbbbb9f4520227eef7876a3174d68ce8b3362a810d96bb5a6066e56bafe3d41c94237824616b0ea1e037f4b407bf73fc249c8b03a6ccf6a72a24687e402
SSDEEP

49152:FbAct+TfLFAsAp0Xw2VnzmhK6Dhtc0LKXnss6MogyE3837l0WN0kzXJAhkCWLxlU:Fbr+TSjp0Xx8E4GXneYy4837lRjJLCo

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdaBlocKe\\Nxp9czrDRmXBnZ.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exeregsvr32.exeregsvr32.exe

pid process

3632 da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
3492 regsvr32.exe
4764 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3632	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
3492	regsvr32.exe
4764	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeda495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\ = "YoutubeAdaBlocKe"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\NoExplorer = "1"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\ = "YoutubeAdaBlocKe"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

description	ioc	process
File created	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File created	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dll	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dll	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File created	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.tlb	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.tlb	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File created	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dat	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dat	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exeda495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{7FE44F71-9924-4AEF-AEFE-139F6F4D1A6C}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{7FE44F71-9924-4AEF-AEFE-139F6F4D1A6C}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\Programmable	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\ = "YoutubeAdaBlocKe"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YoutubeAdaBlocKe"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\VersionIndependentProgID	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\ProgID	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\VersionIndependentProgID\	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\ProgID\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32\ThreadingModel = "Apartment"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdaBlocKe\\Nxp9czrDRmXBnZ.tlb"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdaBlocKe"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FE44F71-9924-4AEF-AEFE-139F6F4D1A6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdaBlocKe\\Nxp9czrDRmXBnZ.dll"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FE44F71-9924-4AEF-AEFE-139F6F4D1A6C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\VersionIndependentProgID\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exeregsvr32.exe

description	pid	process	target process
PID 3632 wrote to memory of 3492	3632	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe	regsvr32.exe
PID 3632 wrote to memory of 3492	3632	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe	regsvr32.exe
PID 3632 wrote to memory of 3492	3632	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe	regsvr32.exe
PID 3492 wrote to memory of 4764	3492	regsvr32.exe	regsvr32.exe
PID 3492 wrote to memory of 4764	3492	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{7fe44f71-9924-4aef-aefe-139f6f4d1a6c} = "1"	da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe

C:\Users\Admin\AppData\Local\Temp\da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe
"C:\Users\Admin\AppData\Local\Temp\da495fe5b4fdd1f8e9f3d56bfc716cc888bd7d1eeeb141eec1f37a9932d1e54e.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3632
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dat

Filesize
4KB

MD5
04d9aa4df41a309b5f352aca98ddd8cd

SHA1
0b662bca9cb1f8b604edcd3be030a55a55878b34

SHA256
b50593229c4e048b0deec7665093d2bbd60d3eb0f12897e0360be406ab37415a

SHA512
4106a7c056e683c52d7327d1c469f4257bc19f61a5fc24e7fb4a7eef9924116b44434e40ff7cd634a28717cd28a647fb7a8543700521737700ff7d89fb67b368

Download Submit
C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.dll

Filesize
616KB

MD5
adf713a93e396a4e70845a61c1b166fb

SHA1
c13f8f34eaa96431a1f28d404f44c29401869242

SHA256
1cb4d0d74ec9ad9b27a08685f5282d0a0179c1b01ca27394b1fe08145f331ece

SHA512
e9874e3ca84f4f82fe95979c20454c26f253038aa06c4b72dd02cd3ad207477292508ebe5fa2071450b849e285b1e73c42198e0eb24bac25d43314ed88a3a8d7

Download Submit
C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.tlb

Filesize
3KB

MD5
3ff54cd86d4f83c32a7abdf699d46513

SHA1
f586008206097b653fc939018e630cccadda21e2

SHA256
95be1a1cc30ebbebb797a365a2058e5320d062b49497fbab5423d96f9846573f

SHA512
9ba366b7f6ba215ea079122f5b9b9c32abb1a73dd2bebd6270c91163450d7d7160d3709160b8990d3ba57a76d287ab853ccf6589d67c4016cc8a82b279607aa8

Download Submit
C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll

Filesize
695KB

MD5
5de3306036cde10139ff0f99154bef07

SHA1
08ec3d698a0e6ddf89433f9f73f07afcc4defee0

SHA256
c51bb32074fed6342304383f2127fe72f8bfa123742fa4b651a3f2a8c9a485ec

SHA512
ac7a4c3a094e0be6d1a4e44fbdb14934123c02fbdf2a28c467b80babcff963a23c5f21107ae588c94413f269660fe5259728df290d15dff259608c54cb76a248

Download Submit
C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll

Filesize
695KB

MD5
5de3306036cde10139ff0f99154bef07

SHA1
08ec3d698a0e6ddf89433f9f73f07afcc4defee0

SHA256
c51bb32074fed6342304383f2127fe72f8bfa123742fa4b651a3f2a8c9a485ec

SHA512
ac7a4c3a094e0be6d1a4e44fbdb14934123c02fbdf2a28c467b80babcff963a23c5f21107ae588c94413f269660fe5259728df290d15dff259608c54cb76a248

Download Submit
C:\Program Files (x86)\YoutubeAdaBlocKe\Nxp9czrDRmXBnZ.x64.dll

Filesize
695KB

MD5
5de3306036cde10139ff0f99154bef07

SHA1
08ec3d698a0e6ddf89433f9f73f07afcc4defee0

SHA256
c51bb32074fed6342304383f2127fe72f8bfa123742fa4b651a3f2a8c9a485ec

SHA512
ac7a4c3a094e0be6d1a4e44fbdb14934123c02fbdf2a28c467b80babcff963a23c5f21107ae588c94413f269660fe5259728df290d15dff259608c54cb76a248

Download Submit
memory/3492-149-0x0000000000000000-mapping.dmp

Download
memory/3632-141-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/3632-144-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/3632-145-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/3632-146-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/3632-147-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/3632-143-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/3632-142-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/3632-132-0x0000000000990000-0x0000000000A36000-memory.dmp

Filesize
664KB

Download
memory/3632-140-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/3632-139-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/3632-138-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/3632-137-0x00000000005E1000-0x00000000005E4000-memory.dmp

Filesize
12KB

Download
memory/4764-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads