95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5

General

Target

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Size

3.5MB
MD5

3149b31c9372651ece844204d45c795c
SHA1

4abf2378ba73eded7ee8c97e81780a007979b983
SHA256

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5
SHA512

e57729d0d42b9156bf0fd81a6b5234bae4369525d7710099c39e3d6077d5e1f521bee39d7994b75931d1f475fdd859f5fc84213217c96b5adffaec78b033c69a
SSDEEP

98304:AMZDv7EqY3veK9Dn2vypAqJ5c2s9DQ4JM0:AAa2vypAqJ5WM

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\InprocServer32\ = "C:\\Program Files (x86)\\TinyWallet\\T1p95LzSw50H1n.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exeregsvr32.exeregsvr32.exe

pid process

1188 95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
2004 regsvr32.exe
1736 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjcmofcejoanffkilpkljbkklanhglnd\1.0\manifest.json	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjcmofcejoanffkilpkljbkklanhglnd\1.0\manifest.json	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjcmofcejoanffkilpkljbkklanhglnd\1.0\manifest.json	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exeregsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\NoExplorer = "1"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0d6e1f85-b67f-406d-9d13-92fa9af77758}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0d6e1f85-b67f-406d-9d13-92fa9af77758}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\ = "TinyWallet"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0d6e1f85-b67f-406d-9d13-92fa9af77758}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0d6e1f85-b67f-406d-9d13-92fa9af77758}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\ = "TinyWallet"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

Drops file in System32 directory 4 IoCs

Processes:

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File opened for modification	C:\Windows\System32\GroupPolicy	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

Drops file in Program Files directory 8 IoCs

Processes:

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.dat	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File created	C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.x64.dll	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File opened for modification	C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.x64.dll	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File created	C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.dll	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File opened for modification	C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.dll	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File created	C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.tlb	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File opened for modification	C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.tlb	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
File created	C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.dat	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{0D6E1F85-B67F-406D-9D13-92FA9AF77758}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{0d6e1f85-b67f-406d-9d13-92fa9af77758}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{0d6e1f85-b67f-406d-9d13-92fa9af77758}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{0D6E1F85-B67F-406D-9D13-92FA9AF77758}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

Modifies registry class 64 IoCs

Processes:

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\TinyWallet"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\ = "TinyWallet"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\ProgID\ = ".9"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{0d6e1f85-b67f-406d-9d13-92fa9af77758}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{0d6e1f85-b67f-406d-9d13-92fa9af77758}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\VersionIndependentProgID\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "TinyWallet"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\InprocServer32\ThreadingModel = "Apartment"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0D6E1F85-B67F-406D-9D13-92FA9AF77758}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\ProgID	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D6E1F85-B67F-406D-9D13-92FA9AF77758}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{0d6e1f85-b67f-406d-9d13-92fa9af77758}"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\VersionIndependentProgID\	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\InprocServer32\ = "C:\\Program Files (x86)\\TinyWallet\\T1p95LzSw50H1n.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\VersionIndependentProgID	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "TinyWallet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0D6E1F85-B67F-406D-9D13-92FA9AF77758}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\ProgID	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\InprocServer32\ = "C:\\Program Files (x86)\\TinyWallet\\T1p95LzSw50H1n.dll"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\ = "TinyWallet"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758}\Programmable	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

pid	process
1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

description	pid	process
Token: SeDebugPrivilege	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Token: SeDebugPrivilege	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Token: SeDebugPrivilege	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Token: SeDebugPrivilege	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Token: SeDebugPrivilege	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Token: SeDebugPrivilege	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exeregsvr32.exe

description	pid	process	target process
PID 1188 wrote to memory of 2004	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe	regsvr32.exe
PID 1188 wrote to memory of 2004	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe	regsvr32.exe
PID 1188 wrote to memory of 2004	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe	regsvr32.exe
PID 1188 wrote to memory of 2004	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe	regsvr32.exe
PID 1188 wrote to memory of 2004	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe	regsvr32.exe
PID 1188 wrote to memory of 2004	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe	regsvr32.exe
PID 1188 wrote to memory of 2004	1188	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe	regsvr32.exe
PID 2004 wrote to memory of 1736	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1736	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1736	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1736	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1736	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1736	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1736	2004	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{0d6e1f85-b67f-406d-9d13-92fa9af77758} = "1"	95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe

C:\Users\Admin\AppData\Local\Temp\95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe
"C:\Users\Admin\AppData\Local\Temp\95a3d342699bfef7257d5ad1b13cf3cf3ae13fb5351891fa21660c6c1c9b06c5.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1188

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.dat

Filesize
3KB

MD5
ec9ea4b418be197c57a9b2200b66ee0b

SHA1
524dd41ed5fe72cbffd68daf7cd107950b517150

SHA256
61883ae7fd121d60e70b59d11f04c9d1cc2736df69fa35a4d19d949ded196ed6

SHA512
49c7715f56ac85ca45e54a154a7f21dc6391d8380ee84e92c4cba951e14d3f06cb3bb917f705c7937bd87630efb4075bf0d009e893c9b44ea77d60b088dea29a

Download Submit
C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.tlb

Filesize
3KB

MD5
d5c4233a6c3de331b459f5f6a35ae3dd

SHA1
b5f1bf145f4e0896d7ae500abecbfaca715c18ab

SHA256
f3fca93b2a2848af13dcd30cad6305d20319d0a96f622f96753c1aebb91c885c

SHA512
4af48daa80dcd76cf45018d7edef74f35c5917457dd598f5a2071bba8875d75280326e41f3f5885d5301a596c22a3833cb062e2f4c97e0d83a01ad2644056e76

Download Submit
C:\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
\Program Files (x86)\TinyWallet\T1p95LzSw50H1n.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
memory/1188-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1188-55-0x00000000008B0000-0x0000000000955000-memory.dmp

Filesize
660KB

Download
memory/1736-66-0x0000000000000000-mapping.dmp

Download
memory/1736-67-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/2004-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads