cf9e87c55b296daee8fc72437eedd0838be65f40fe7ea3acce35fd1b5f03bfcc

Analysis

max time kernel
187s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf9e87c55b296daee8fc72437eedd0838be65f40fe7ea3acce35fd1b5f03bfcc.exe
Size

2.3MB
MD5

e1c9e1c4036e1c6326a6d91362566b5d
SHA1

9ab75374a9ad3f748dc873510b7509b7dba890ca
SHA256

cf9e87c55b296daee8fc72437eedd0838be65f40fe7ea3acce35fd1b5f03bfcc
SHA512

08715963be3c56ec89b64ff940af879663cfe368e6d1ee0c69a37d0902908076d0bdab781d8f80034dd4d952b65adc795c580ab9bd66147e1a77440863c3fae8
SSDEEP

49152:YMicTU88b9c66U4aOpF8bYmK5+Uq2ZJ0G5Ah:vbs9cc4aOvmG+Uqky8

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

RyB.exe

pid process

2888 RyB.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\gS.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

RyB.exeregsvr32.exeregsvr32.exe

pid process

2888 RyB.exe
3804 regsvr32.exe
5000 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

RyB.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmicmdbebaicpnjncdapmkneeigdlba\2.1\manifest.json	RyB.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmicmdbebaicpnjncdapmkneeigdlba\2.1\manifest.json	RyB.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmicmdbebaicpnjncdapmkneeigdlba\2.1\manifest.json	RyB.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmicmdbebaicpnjncdapmkneeigdlba\2.1\manifest.json	RyB.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmicmdbebaicpnjncdapmkneeigdlba\2.1\manifest.json	RyB.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

RyB.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\ = "SaveClicker"	RyB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\NoExplorer = "1"	RyB.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\ = "SaveClicker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

RyB.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	RyB.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	RyB.exe
File opened for modification	C:\Windows\System32\GroupPolicy	RyB.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	RyB.exe

Drops file in Program Files directory 8 IoCs

Processes:

RyB.exe

description	ioc	process
File created	C:\Program Files (x86)\SaveClicker\gS.tlb	RyB.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\gS.tlb	RyB.exe
File created	C:\Program Files (x86)\SaveClicker\gS.dat	RyB.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\gS.dat	RyB.exe
File created	C:\Program Files (x86)\SaveClicker\gS.x64.dll	RyB.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\gS.x64.dll	RyB.exe
File created	C:\Program Files (x86)\SaveClicker\gS.dll	RyB.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\gS.dll	RyB.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

RyB.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}	RyB.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}	RyB.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	RyB.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	RyB.exe

Modifies registry class 64 IoCs

Processes:

RyB.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\ProgID	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\Programmable	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SaveClicker\\gS.tlb"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CurVer\ = "SaveClicker.2.1"	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\CLSID\ = "{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\VersionIndependentProgID\ = "SaveClicker"	RyB.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\ProgID\ = "SaveClicker.2.1"	RyB.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\ = "SaveClicker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\VersionIndependentProgID\ = "SaveClicker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\InprocServer32	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\gS.dll"	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\ = "SaveClicker"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\VersionIndependentProgID	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SaveClicker"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID\ = "{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\Implemented Categories	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\gS.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID\ = "{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\ = "SaveClicker"	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	RyB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	RyB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\ = "SaveClicker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\ = "SaveClicker"	RyB.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D}\InprocServer32	RyB.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

RyB.exe

pid	process
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe
2888	RyB.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RyB.exe

description	pid	process
Token: SeDebugPrivilege	2888	RyB.exe
Token: SeDebugPrivilege	2888	RyB.exe
Token: SeDebugPrivilege	2888	RyB.exe
Token: SeDebugPrivilege	2888	RyB.exe
Token: SeDebugPrivilege	2888	RyB.exe
Token: SeDebugPrivilege	2888	RyB.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cf9e87c55b296daee8fc72437eedd0838be65f40fe7ea3acce35fd1b5f03bfcc.exeRyB.exeregsvr32.exe

description	pid	process	target process
PID 4540 wrote to memory of 2888	4540	cf9e87c55b296daee8fc72437eedd0838be65f40fe7ea3acce35fd1b5f03bfcc.exe	RyB.exe
PID 4540 wrote to memory of 2888	4540	cf9e87c55b296daee8fc72437eedd0838be65f40fe7ea3acce35fd1b5f03bfcc.exe	RyB.exe
PID 4540 wrote to memory of 2888	4540	cf9e87c55b296daee8fc72437eedd0838be65f40fe7ea3acce35fd1b5f03bfcc.exe	RyB.exe
PID 2888 wrote to memory of 3804	2888	RyB.exe	regsvr32.exe
PID 2888 wrote to memory of 3804	2888	RyB.exe	regsvr32.exe
PID 2888 wrote to memory of 3804	2888	RyB.exe	regsvr32.exe
PID 3804 wrote to memory of 5000	3804	regsvr32.exe	regsvr32.exe
PID 3804 wrote to memory of 5000	3804	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

RyB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9FBEF4CD-D3B1-A1F7-2F8C-884BECD5DC7D} = "1"	RyB.exe

C:\Users\Admin\AppData\Local\Temp\cf9e87c55b296daee8fc72437eedd0838be65f40fe7ea3acce35fd1b5f03bfcc.exe
"C:\Users\Admin\AppData\Local\Temp\cf9e87c55b296daee8fc72437eedd0838be65f40fe7ea3acce35fd1b5f03bfcc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Users\Admin\AppData\Local\Temp\17026604\RyB.exe
"C:\Users\Admin\AppData\Local\Temp/17026604/RyB.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2888

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SaveClicker\gS.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SaveClicker\gS.x64.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:5000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SaveClicker\gS.dat

Filesize
4KB

MD5
f84e7ee6544f744f0d483d259d151273

SHA1
2aed06639a0fb0258c880ca0ebccbc78cfd96842

SHA256
2aaee231d7b6431d8eacb9fa596555abb6d301d9d4f64b8997084a36e611e4ee

SHA512
b548682e23a09d002c15ba5b01edfd8f09c5b184f3d0bdc6cef2a39a8d32b50693c6fd122dbe96be37836d230fa107e3b6a9ec736cb9ea5805d073f7532eb73a

Download Submit
C:\Program Files (x86)\SaveClicker\gS.dll

Filesize
618KB

MD5
dd4c8cd20864e78640cf964d8382dc6c

SHA1
3b0816068da422e8245ad051e3e928a9907e71a1

SHA256
9dda1969ce4d6e5ff44c857b7f2bcd98abae346df952306ec62d345f0120cfd5

SHA512
1ff0cbfb140d04158bfdd21d703b6cd436f4dfcd7f5d22e4182de2585809175e9124367ac5cc36398a5b5d53b2511ce46148b198680060baaee9bda8b209e117

Download Submit
C:\Program Files (x86)\SaveClicker\gS.tlb

Filesize
3KB

MD5
9de927e8059d1655834dd5ed295f277f

SHA1
0b2b2f5d2e90941bcc23c383c8ac7a63dde4e54a

SHA256
6c189fadb6010e22d50df01b72748664fa64673cc2e769add4098e5e1e7d248f

SHA512
90fb3b0d7459443717a82db1216c85f9c7cf33ac957c1dff3b6545baadf5669e50ed1f5ca1f81f08b2bac0cb0840058528755cc9656b781f7da80c5ab53cd08b

Download Submit
C:\Program Files (x86)\SaveClicker\gS.x64.dll

Filesize
699KB

MD5
4ac6ee700d5340f02d83927a5a6f45e4

SHA1
f6bcd1055a171768c05939d6797f72bf2d092b8b

SHA256
f1d448c306c454892f12a7a24ecde7b318e22490133defca26017db02c14e625

SHA512
42479b840c60cf7393187ab89527d9c995569b2f8b2929eacb1c465f57eb5bb00beee809551f5263f786c52b95132f3521e1805ab1a6d1897beb092be2ffbb00

Download Submit
C:\Program Files (x86)\SaveClicker\gS.x64.dll

Filesize
699KB

MD5
4ac6ee700d5340f02d83927a5a6f45e4

SHA1
f6bcd1055a171768c05939d6797f72bf2d092b8b

SHA256
f1d448c306c454892f12a7a24ecde7b318e22490133defca26017db02c14e625

SHA512
42479b840c60cf7393187ab89527d9c995569b2f8b2929eacb1c465f57eb5bb00beee809551f5263f786c52b95132f3521e1805ab1a6d1897beb092be2ffbb00

Download Submit
C:\Program Files (x86)\SaveClicker\gS.x64.dll

Filesize
699KB

MD5
4ac6ee700d5340f02d83927a5a6f45e4

SHA1
f6bcd1055a171768c05939d6797f72bf2d092b8b

SHA256
f1d448c306c454892f12a7a24ecde7b318e22490133defca26017db02c14e625

SHA512
42479b840c60cf7393187ab89527d9c995569b2f8b2929eacb1c465f57eb5bb00beee809551f5263f786c52b95132f3521e1805ab1a6d1897beb092be2ffbb00

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\[email protected]\chrome.manifest

Filesize
23B

MD5
05f4d9f4250c65f676f76d2d57eb1525

SHA1
3ff387b61ca707ec25ad41ca23b67f11351fab88

SHA256
c4385b250a255e9d5ed1afa54a9e87cc8a5b0aa8d68f8c3ba279080acfdd7ddd

SHA512
e7a42aba8ed6717e244779f66fc3e9fd0eacc1e3a86c9c14e257399bb31567001b7454d35354052a78861a5c5320f95080780e4591ba2e46a52453b106976ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\[email protected]\content\bg.js

Filesize
7KB

MD5
73e9676fcef0e98f78f1ac029e1950b9

SHA1
4171a93a229a66f38eedff04062b885a1bd46017

SHA256
c57fd0d35667a6b9ed314edbc14a2777edec308bc516bc676a26f6e8bd2252da

SHA512
15067762488eccc8e70d7a6bfe59c66c5922776e6629eb08cd2b000b8fd652f29b7e58fcf84ffc388d7ed194fd1229a4f598438f811cd862eaebf2de1309f290

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\[email protected]\install.rdf

Filesize
605B

MD5
46cccbea9a27ad35b3c1e2bf4655eaa8

SHA1
bfec3154778a2e6d952bec3d20f88fff94ddfde3

SHA256
7ba2622756375b39b238dd3c4455a0d60837522bb706b23746704bb9de148c32

SHA512
d89050b61fdb5284ec47f3f379c6b0eb098393eb89705bd19917d18b094003390068a91c4eea330af9adfe4b6624a4b2241ca1ce2deb214d440cafe7759276ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\RyB.dat

Filesize
4KB

MD5
f84e7ee6544f744f0d483d259d151273

SHA1
2aed06639a0fb0258c880ca0ebccbc78cfd96842

SHA256
2aaee231d7b6431d8eacb9fa596555abb6d301d9d4f64b8997084a36e611e4ee

SHA512
b548682e23a09d002c15ba5b01edfd8f09c5b184f3d0bdc6cef2a39a8d32b50693c6fd122dbe96be37836d230fa107e3b6a9ec736cb9ea5805d073f7532eb73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\RyB.exe

Filesize
628KB

MD5
b8bac6039af3e4d9e70d0450845def09

SHA1
0e32d83685a73c1abdc6bf83de384e9420f4c9b7

SHA256
6b86b49fa226086791ffa1cd2cc37449166e9c6f986dc8aa51fd5c1b9ff24054

SHA512
e0d39f89febcbb9fe93f3475861f38d16f77a1a669ecf12ff5fe299a488274f01603b2a164b8b186c6299b24df495ca58d8740bc6f8a6f338183bd2a00e803b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\RyB.exe

Filesize
628KB

MD5
b8bac6039af3e4d9e70d0450845def09

SHA1
0e32d83685a73c1abdc6bf83de384e9420f4c9b7

SHA256
6b86b49fa226086791ffa1cd2cc37449166e9c6f986dc8aa51fd5c1b9ff24054

SHA512
e0d39f89febcbb9fe93f3475861f38d16f77a1a669ecf12ff5fe299a488274f01603b2a164b8b186c6299b24df495ca58d8740bc6f8a6f338183bd2a00e803b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\gS.dll

Filesize
618KB

MD5
dd4c8cd20864e78640cf964d8382dc6c

SHA1
3b0816068da422e8245ad051e3e928a9907e71a1

SHA256
9dda1969ce4d6e5ff44c857b7f2bcd98abae346df952306ec62d345f0120cfd5

SHA512
1ff0cbfb140d04158bfdd21d703b6cd436f4dfcd7f5d22e4182de2585809175e9124367ac5cc36398a5b5d53b2511ce46148b198680060baaee9bda8b209e117

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\gS.tlb

Filesize
3KB

MD5
9de927e8059d1655834dd5ed295f277f

SHA1
0b2b2f5d2e90941bcc23c383c8ac7a63dde4e54a

SHA256
6c189fadb6010e22d50df01b72748664fa64673cc2e769add4098e5e1e7d248f

SHA512
90fb3b0d7459443717a82db1216c85f9c7cf33ac957c1dff3b6545baadf5669e50ed1f5ca1f81f08b2bac0cb0840058528755cc9656b781f7da80c5ab53cd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\gS.x64.dll

Filesize
699KB

MD5
4ac6ee700d5340f02d83927a5a6f45e4

SHA1
f6bcd1055a171768c05939d6797f72bf2d092b8b

SHA256
f1d448c306c454892f12a7a24ecde7b318e22490133defca26017db02c14e625

SHA512
42479b840c60cf7393187ab89527d9c995569b2f8b2929eacb1c465f57eb5bb00beee809551f5263f786c52b95132f3521e1805ab1a6d1897beb092be2ffbb00

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\gpmicmdbebaicpnjncdapmkneeigdlba\Q6Fu0sb.js

Filesize
5KB

MD5
904f8fe93162956aeaa2c58804966a26

SHA1
09cb05bd162830292f504524950620743d65255a

SHA256
04be6bc125d9e246b0832691b9a37c74dab18edbf9622e4710a2fb2a2d1070cc

SHA512
1877956fc851e76fea144743600c493bf061087f19822919e44423ce59f245222ee7286813aa7756925af316ddf9ac821ac349a9e4ee66dc69e5af8260101ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\gpmicmdbebaicpnjncdapmkneeigdlba\background.html

Filesize
144B

MD5
6b67bac72e6f06eb1f569d13a2f8b1a9

SHA1
906eec7085ce77e2743731a7494b5858282f29eb

SHA256
2fadc0705113c623c15461134e9470b8d7be0244d0d9a42940e50477ef61805d

SHA512
23dacbece18c1ec668d283f7c2fd84ebc147e2d4a066d2723fe0bc03a4ce9f979fad2797aa30c58fec21515cb1acb5734919d53ebc6a29a7166ad79e85b40a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\gpmicmdbebaicpnjncdapmkneeigdlba\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\gpmicmdbebaicpnjncdapmkneeigdlba\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\17026604\gpmicmdbebaicpnjncdapmkneeigdlba\manifest.json

Filesize
503B

MD5
aa6fc24e028b07a032fbc6f859819dca

SHA1
166f2c578c4f164da313ece0e914e56e053418c2

SHA256
2f026100e6faf41a63ea0c5d289914bfceba28094b32c9a3566a4932b7c71038

SHA512
4f5328b27ace6ec4d786e7369b8a071fedf46f30e0b1d223d8fa9332d1df60914f22b84725e3055c894f027f79f05dd91d47ae5c22bebaad34c0af440f634701

Download Submit
memory/2888-132-0x0000000000000000-mapping.dmp

Download
memory/3804-149-0x0000000000000000-mapping.dmp

Download
memory/5000-152-0x0000000000000000-mapping.dmp

Download