6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6

General

Target

6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Size

3.6MB
MD5

004d4f824a30d29ef597349953815e14
SHA1

5b60af1e57e315b4df33944811d8d1124e9d9110
SHA256

6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6
SHA512

838375f0d2360cb2697e593c4f6736302ddff578a7df9116e08723112b0ac9b6eea287d10874dd3b37571bc645be78ad893254187fc130ac231fe9f1e4353e11
SSDEEP

98304:3K6hjE5CMqSC2pn6x8DsYrIaT5za7dBBNWAHWq:3KsjWCU4rWAH

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\KKaa1AnAd.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exeregsvr32.exeregsvr32.exe

pid process

908 6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
1444 regsvr32.exe
944 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
908	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
1444	regsvr32.exe
944	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\ = "Adblocker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\ = "Adblocker"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\NoExplorer = "1"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe

description	ioc	process
File created	C:\Program Files (x86)\Adblocker\KKaa1AnAd.dat	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
File opened for modification	C:\Program Files (x86)\Adblocker\KKaa1AnAd.dat	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
File created	C:\Program Files (x86)\Adblocker\KKaa1AnAd.x64.dll	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
File opened for modification	C:\Program Files (x86)\Adblocker\KKaa1AnAd.x64.dll	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
File created	C:\Program Files (x86)\Adblocker\KKaa1AnAd.dll	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
File opened for modification	C:\Program Files (x86)\Adblocker\KKaa1AnAd.dll	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
File created	C:\Program Files (x86)\Adblocker\KKaa1AnAd.tlb	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
File opened for modification	C:\Program Files (x86)\Adblocker\KKaa1AnAd.tlb	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe

Modifies registry class 64 IoCs

Processes:

6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Adblocker"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\ = "Adblocker"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\KKaa1AnAd.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\ProgID	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\VersionIndependentProgID\ = "Adblocker"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\KKaa1AnAd.dll"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\ProgID	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\ = "Adblocker"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\VersionIndependentProgID	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32\ThreadingModel = "Apartment"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\VersionIndependentProgID	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\InprocServer32	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID\ = "{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\VersionIndependentProgID\ = "Adblocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC}\Programmable	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exeregsvr32.exe

description	pid	process	target process
PID 908 wrote to memory of 1444	908	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe	regsvr32.exe
PID 908 wrote to memory of 1444	908	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe	regsvr32.exe
PID 908 wrote to memory of 1444	908	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe	regsvr32.exe
PID 908 wrote to memory of 1444	908	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe	regsvr32.exe
PID 908 wrote to memory of 1444	908	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe	regsvr32.exe
PID 908 wrote to memory of 1444	908	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe	regsvr32.exe
PID 908 wrote to memory of 1444	908	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe	regsvr32.exe
PID 1444 wrote to memory of 944	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 944	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 944	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 944	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 944	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 944	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 944	1444	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{C65E3369-A1BC-D6E1-D44B-9BD4632A71EC} = "1"	6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe

C:\Users\Admin\AppData\Local\Temp\6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe
"C:\Users\Admin\AppData\Local\Temp\6df0fa8b714deb52b2cb2df9a850b3c58ce13b2c121c4ed01fedf6ae588e04c6.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:908

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Adblocker\KKaa1AnAd.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Adblocker\KKaa1AnAd.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adblocker\KKaa1AnAd.dat

Filesize
4KB

MD5
a356db7e20c13bcaf6efe38fe8c482e6

SHA1
7c9a3609e2eacf300f6400b728490d80e60fbb09

SHA256
c6404e81f33ecb829d8ff179de0fd556f5c9ce2cce92ffe86ab72995d1b2338d

SHA512
4b26dd58cf472a6d97d6e4b4e3e9fe5f07f284331ece19bfd74828766e0bc6ea0a080323482da06ed2afc75dcaaac2bbaea213b7c8d74cbbbfc06a47816b167a

Download Submit
C:\Program Files (x86)\Adblocker\KKaa1AnAd.tlb

Filesize
3KB

MD5
81264db3941e0b187881f0490ea39ecd

SHA1
8320d25693da84305147fa51c3a2acb26644fc8c

SHA256
3d3647378d406d4189f9e4692692555ebfa84d6a8ea36904fff04e09c26f6768

SHA512
87ead8c01ef8170fa3fb974bb4fdca8c4532dd93c81c44cc56ea5e9697bcda97fa8dfc7f90f2f482ec6d6a1c50d350d2e110fb2d4ffe54b584ca3fbfd065d392

Download Submit
C:\Program Files (x86)\Adblocker\KKaa1AnAd.x64.dll

Filesize
703KB

MD5
f40332de702148bcbc725d8537409f22

SHA1
aa36973eed31d6d5fcbad6fcda10d27c473c76a1

SHA256
b0fe61520d126c89481edc73b9544ff9c88ddae6fcd4779e69b9682919dbc42d

SHA512
12d8aee285d80ad37c4f7bc9ea50bf89e5afdb74e1afec51f82a84798fff5c8bcd320dc90d840cfff1462f4723321fda497a7230c8dbb766892626a10238644e

Download Submit
\Program Files (x86)\Adblocker\KKaa1AnAd.dll

Filesize
622KB

MD5
9f3a7741ae87aff6f9e528c33bb3a9e7

SHA1
18ad18b0bd573c4bc286b36820e6a47814fdeff4

SHA256
b7a107d12a6c0f0227ca88cea7c3ef46cec41a4bae93846dd6175857b823603b

SHA512
d06fdd64a207f4fa5bc343ade79e4161642de4782cc81cb45071532dc19fd098ae8974befed5114e2048d29c0241fca1404812b9ba065f2ea784e1f1087fd39b

Download Submit
\Program Files (x86)\Adblocker\KKaa1AnAd.x64.dll

Filesize
703KB

MD5
f40332de702148bcbc725d8537409f22

SHA1
aa36973eed31d6d5fcbad6fcda10d27c473c76a1

SHA256
b0fe61520d126c89481edc73b9544ff9c88ddae6fcd4779e69b9682919dbc42d

SHA512
12d8aee285d80ad37c4f7bc9ea50bf89e5afdb74e1afec51f82a84798fff5c8bcd320dc90d840cfff1462f4723321fda497a7230c8dbb766892626a10238644e

Download Submit
\Program Files (x86)\Adblocker\KKaa1AnAd.x64.dll

Filesize
703KB

MD5
f40332de702148bcbc725d8537409f22

SHA1
aa36973eed31d6d5fcbad6fcda10d27c473c76a1

SHA256
b0fe61520d126c89481edc73b9544ff9c88ddae6fcd4779e69b9682919dbc42d

SHA512
12d8aee285d80ad37c4f7bc9ea50bf89e5afdb74e1afec51f82a84798fff5c8bcd320dc90d840cfff1462f4723321fda497a7230c8dbb766892626a10238644e

Download Submit
memory/908-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/908-56-0x0000000000750000-0x00000000007F4000-memory.dmp

Filesize
656KB

Download
memory/944-69-0x0000000000000000-mapping.dmp

Download
memory/944-70-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp

Filesize
8KB

Download
memory/1444-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads