ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29

General

Target

ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Size

4.0MB
MD5

2fe24729cdd975952e7cf09cd8e97d85
SHA1

f4e63674c4852b76231184739466b3e94cc897fc
SHA256

ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29
SHA512

dccbf4585c56e4bbaff511ac53422b6c598e7f2978f4fbbfd9e4c71fd95b199eb4ed9fde720852aa6128850db37a224fa65a3c6f1e48a0d385e17f0be756e8cf
SSDEEP

49152:fKqE9F/nKUxRmBRVBCkGIGrqgKOVyW8Gq42kjAH3CyigAm2bNrJMyKKCctNm2c:F2pxwBRVBrGAO4W8Gp2kjAyJgAm25tM

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\InprocServer32\ = "C:\\Program Files (x86)\\YYoutuebeAduBlocke\\EizbZzAmnqhgLp.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exeregsvr32.exeregsvr32.exe

pid process

3440 ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
4184 regsvr32.exe
4628 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3440	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
4184	regsvr32.exe
4628	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.execa286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{689b511a-d044-4a19-b258-fefe14324b61}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{689b511a-d044-4a19-b258-fefe14324b61}\ = "YYoutuebeAduBlocke"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{689b511a-d044-4a19-b258-fefe14324b61}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{689b511a-d044-4a19-b258-fefe14324b61}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{689b511a-d044-4a19-b258-fefe14324b61}	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{689b511a-d044-4a19-b258-fefe14324b61}\ = "YYoutuebeAduBlocke"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{689b511a-d044-4a19-b258-fefe14324b61}\NoExplorer = "1"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{689b511a-d044-4a19-b258-fefe14324b61}	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe

Drops file in Program Files directory 8 IoCs

Processes:

ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe

description	ioc	process
File created	C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.dat	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
File opened for modification	C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.dat	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
File created	C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.x64.dll	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
File opened for modification	C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.x64.dll	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
File created	C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.dll	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
File opened for modification	C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.dll	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
File created	C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.tlb	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
File opened for modification	C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.tlb	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.execa286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{689b511a-d044-4a19-b258-fefe14324b61}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{689b511a-d044-4a19-b258-fefe14324b61}	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{689B511A-D044-4A19-B258-FEFE14324B61}	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{689B511A-D044-4A19-B258-FEFE14324B61}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{689b511a-d044-4a19-b258-fefe14324b61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\InprocServer32\ = "C:\\Program Files (x86)\\YYoutuebeAduBlocke\\EizbZzAmnqhgLp.dll"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689B511A-D044-4A19-B258-FEFE14324B61}\Implemented Categories	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{689b511a-d044-4a19-b258-fefe14324b61}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{689b511a-d044-4a19-b258-fefe14324b61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YYoutuebeAduBlocke"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689B511A-D044-4A19-B258-FEFE14324B61}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\VersionIndependentProgID	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YYoutuebeAduBlocke"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\InprocServer32\ = "C:\\Program Files (x86)\\YYoutuebeAduBlocke\\EizbZzAmnqhgLp.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{689b511a-d044-4a19-b258-fefe14324b61}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\Programmable	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YYoutuebeAduBlocke\\EizbZzAmnqhgLp.tlb"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\VersionIndependentProgID	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689B511A-D044-4A19-B258-FEFE14324B61}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{689B511A-D044-4A19-B258-FEFE14324B61}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "YYoutuebeAduBlocke"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\ProgID	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\ProgID\ = ".9"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\InprocServer32\ThreadingModel = "Apartment"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{689b511a-d044-4a19-b258-fefe14324b61}\ProgID	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "YYoutuebeAduBlocke"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exeregsvr32.exe

description	pid	process	target process
PID 3440 wrote to memory of 4184	3440	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe	regsvr32.exe
PID 3440 wrote to memory of 4184	3440	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe	regsvr32.exe
PID 3440 wrote to memory of 4184	3440	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe	regsvr32.exe
PID 4184 wrote to memory of 4628	4184	regsvr32.exe	regsvr32.exe
PID 4184 wrote to memory of 4628	4184	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{689b511a-d044-4a19-b258-fefe14324b61} = "1"	ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe

C:\Users\Admin\AppData\Local\Temp\ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe
"C:\Users\Admin\AppData\Local\Temp\ca286f9152cf9d43a4b65e704c591d58a64f37c9567dde7f7af39f7f200f0a29.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3440

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.dat
Filesize
4KB

MD5
18afe8b3ba1d7225fbde4b2f22a9268b

SHA1
fa6f6fb15a3c55922f746f84eada8d73f5046ad9

SHA256
0d4504d1d285bf153914886faf8b00d26e31497644de191e98a645d0db3e1815

SHA512
6394484f996360940c1427be690d6cb13e54c0e2f1b069d53cade19fc5c32a2329f393f7b31d88bbcf24d4a7c782ab05fd13ac647e6f8368a9af22c61ee0c039

Download Submit
C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.dll
Filesize
622KB

MD5
73c59cc15195b405ee191c50f0e3ac08

SHA1
27245e3abd8cfa100f97e741e5b81f9e0f1740e9

SHA256
b18df3a44be8b63a1e779d583777c9a4ec3cf5be5e1814f2cf3e75b41791077b

SHA512
749a1a6d6e67a42f23f9d710fd5095363796b65e9a589212bd9cfcde1f811e09764f004920947a91e6818189dcce93da8f499634b76fcb422b5cfe2cb71d1dca

Download Submit
C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.tlb
Filesize
3KB

MD5
4a115bee5243fe12bb4789b2dd3240dc

SHA1
e9b002e9436ebd9cd6eeeb1016219bf99fd6fa62

SHA256
234096310cf75df66fef0439127e636aea5444bcd4ce8cc1d6e91e3eb218c8b0

SHA512
3d2b6d211b6e47ad3e0860e2973b72cd72e4da552f52823f34c9881e667b5d4105388d00fb6298a9b94bd02e111a8ce18c5a3c79fc5ca78a03438fa025fb99e9

Download Submit
C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.x64.dll
Filesize
699KB

MD5
4541758f3684e20c501490e7cea65ed7

SHA1
5f5caa0078a90006b39c18055678dd5cd4362c72

SHA256
a2baf6143f27ba3b766856c91fecda346e69fbcba0b3bae850f8b1ff014c5b5c

SHA512
18e0a02ad19ca39412bf966e30dd651dda623230fec49c909eabedfcd6e532c8017993d77e56d85cf35e9ea0fe7747f2d2885eea1fa9b324d2e4365ac5a39c78

Download Submit
C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.x64.dll
Filesize
699KB

MD5
4541758f3684e20c501490e7cea65ed7

SHA1
5f5caa0078a90006b39c18055678dd5cd4362c72

SHA256
a2baf6143f27ba3b766856c91fecda346e69fbcba0b3bae850f8b1ff014c5b5c

SHA512
18e0a02ad19ca39412bf966e30dd651dda623230fec49c909eabedfcd6e532c8017993d77e56d85cf35e9ea0fe7747f2d2885eea1fa9b324d2e4365ac5a39c78

Download Submit
C:\Program Files (x86)\YYoutuebeAduBlocke\EizbZzAmnqhgLp.x64.dll
Filesize
699KB

MD5
4541758f3684e20c501490e7cea65ed7

SHA1
5f5caa0078a90006b39c18055678dd5cd4362c72

SHA256
a2baf6143f27ba3b766856c91fecda346e69fbcba0b3bae850f8b1ff014c5b5c

SHA512
18e0a02ad19ca39412bf966e30dd651dda623230fec49c909eabedfcd6e532c8017993d77e56d85cf35e9ea0fe7747f2d2885eea1fa9b324d2e4365ac5a39c78

Download Submit
memory/3440-132-0x0000000002E40000-0x0000000002EE7000-memory.dmp

Filesize
668KB

Download
memory/4184-138-0x0000000000000000-mapping.dmp

Download
memory/4628-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads