e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3

General

Target

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Size

4.6MB
MD5

951e6de1be2bef0cadf6a3df95b932b9
SHA1

7e61ee281db676a53d42c9c53040d27a502e2519
SHA256

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3
SHA512

37335cce656f65cd0b296cb8aad751020b863cc9317453e9d62f889354ebf4d3dd4a974327b6bbc4677da8d44f2ca87abc9e6666187e2481680d70fca8323cee
SSDEEP

49152:NheoGUjQAuwgnz0p+jGnLJLpg5A7LSfQFXj+prN8kGKwR2k9OIa8+8vM5XxO8aOP:cGgop+jktpg5A7NXj+prN5wb9vX+8vM

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\k8YcNyFMtOO9Zx.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exeregsvr32.exeregsvr32.exe

pid process

1148 e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
1784 regsvr32.exe
2036 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kepfdfkinhjiahpgghabipaikmegjihn\4.0\manifest.json	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kepfdfkinhjiahpgghabipaikmegjihn\4.0\manifest.json	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kepfdfkinhjiahpgghabipaikmegjihn\4.0\manifest.json	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\ = "SmartOnes"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\NoExplorer = "1"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\ = "SmartOnes"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

Drops file in System32 directory 4 IoCs

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

Drops file in Program Files directory 8 IoCs

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File created	C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.dll	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.dll	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File created	C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.tlb	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.tlb	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File created	C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.dat	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.dat	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
File created	C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5AD9AD70-0C9F-4774-B9B9-E86F8C6C02AC}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5AD9AD70-0C9F-4774-B9B9-E86F8C6C02AC}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

Modifies registry class 64 IoCs

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "SmartOnes"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\InprocServer32\ThreadingModel = "Apartment"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SmartOnes\\k8YcNyFMtOO9Zx.tlb"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\VersionIndependentProgID	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "SmartOnes"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\VersionIndependentProgID	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5AD9AD70-0C9F-4774-B9B9-E86F8C6C02AC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\InprocServer32	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AD9AD70-0C9F-4774-B9B9-E86F8C6C02AC}\Implemented Categories	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5AD9AD70-0C9F-4774-B9B9-E86F8C6C02AC}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\VersionIndependentProgID\	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SmartOnes"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\Programmable	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AD9AD70-0C9F-4774-B9B9-E86F8C6C02AC}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\ = "SmartOnes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\ = "SmartOnes"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\VersionIndependentProgID\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

pid	process
1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

description	pid	process
Token: SeDebugPrivilege	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Token: SeDebugPrivilege	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Token: SeDebugPrivilege	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Token: SeDebugPrivilege	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Token: SeDebugPrivilege	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Token: SeDebugPrivilege	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exeregsvr32.exe

description	pid	process	target process
PID 1148 wrote to memory of 1784	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe	regsvr32.exe
PID 1148 wrote to memory of 1784	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe	regsvr32.exe
PID 1148 wrote to memory of 1784	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe	regsvr32.exe
PID 1148 wrote to memory of 1784	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe	regsvr32.exe
PID 1148 wrote to memory of 1784	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe	regsvr32.exe
PID 1148 wrote to memory of 1784	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe	regsvr32.exe
PID 1148 wrote to memory of 1784	1148	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe	regsvr32.exe
PID 1784 wrote to memory of 2036	1784	regsvr32.exe	regsvr32.exe
PID 1784 wrote to memory of 2036	1784	regsvr32.exe	regsvr32.exe
PID 1784 wrote to memory of 2036	1784	regsvr32.exe	regsvr32.exe
PID 1784 wrote to memory of 2036	1784	regsvr32.exe	regsvr32.exe
PID 1784 wrote to memory of 2036	1784	regsvr32.exe	regsvr32.exe
PID 1784 wrote to memory of 2036	1784	regsvr32.exe	regsvr32.exe
PID 1784 wrote to memory of 2036	1784	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5ad9ad70-0c9f-4774-b9b9-e86f8c6c02ac} = "1"	e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe

C:\Users\Admin\AppData\Local\Temp\e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe
"C:\Users\Admin\AppData\Local\Temp\e6094a8906ffaca5b075f86ecd14f76ba4295317e9490b7a797f5468d3d4a0a3.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1148

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.dat

Filesize
3KB

MD5
7a9ffd62619dc7c76c6423b59a2b2447

SHA1
a43c47ef4f2c8b58fec3e18fccc231390d13ded5

SHA256
8281c5ce66d9223645c2555f5d58ed9c25b18b5f99f091cde28209caaf5cc5e3

SHA512
628de41dc37d46b3855950e6aa3c14e045e38c732f047ddc191e14007e1042e37fcb9d1183d7dd2204e10183d51122be8a534f67ffc739b4d0fff533e3bf1e91

Download Submit
C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.tlb

Filesize
3KB

MD5
75846c93e1f5b9d77fcc4520a65b4936

SHA1
f4631b5f768bfa33063a96c7a0da478c1fb28791

SHA256
c6843974e37a7eb67c2e6550cec7ffd63645d80f4bd9613430e5824b4604b08b

SHA512
a51876207191e351f955e614be727f9b0141cce69d46f7bbf141a632306fe277de3372848c5b707da525d22bafca044b0a73c544a2a670d4056d33f37f7b328c

Download Submit
C:\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll

Filesize
879KB

MD5
f60a9be9218f7d3c329205bd4f585ee7

SHA1
8b31e1d5b92ff6642cc5fb707ec76596ce84002c

SHA256
7b08c02a0b7315c5b860b594d6486f85a8c182a1851313e1a6299810b896d394

SHA512
a6a18d63220f92f80881aaf5f7ed936d7e317a50fe2fc0452f5b3c6793b5b6ffac782366c65d91d7cad1b5a68149f5fa9cd82cf57ba0208ea271c792bddee6a7

Download Submit
\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.dll

Filesize
741KB

MD5
02955857b45fa9ddd4229b9d67f65d93

SHA1
a5fe5c71d62bd9648ab25660d7cae6eff98af3ed

SHA256
839e59c1dd9fa6ce4ed8b4b964b32a3afdd5b6b621580c47cdad754868abe753

SHA512
0b0c6a7754abead8aec777a1ee4330f4c5ee90aebde30266e6ad93f356f91abbe4a2bc3fdc924556edb82c3b4bd0f97191e72d6039bed14975d5e5b940af3261

Download Submit
\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll

Filesize
879KB

MD5
f60a9be9218f7d3c329205bd4f585ee7

SHA1
8b31e1d5b92ff6642cc5fb707ec76596ce84002c

SHA256
7b08c02a0b7315c5b860b594d6486f85a8c182a1851313e1a6299810b896d394

SHA512
a6a18d63220f92f80881aaf5f7ed936d7e317a50fe2fc0452f5b3c6793b5b6ffac782366c65d91d7cad1b5a68149f5fa9cd82cf57ba0208ea271c792bddee6a7

Download Submit
\Program Files (x86)\SmartOnes\k8YcNyFMtOO9Zx.x64.dll

Filesize
879KB

MD5
f60a9be9218f7d3c329205bd4f585ee7

SHA1
8b31e1d5b92ff6642cc5fb707ec76596ce84002c

SHA256
7b08c02a0b7315c5b860b594d6486f85a8c182a1851313e1a6299810b896d394

SHA512
a6a18d63220f92f80881aaf5f7ed936d7e317a50fe2fc0452f5b3c6793b5b6ffac782366c65d91d7cad1b5a68149f5fa9cd82cf57ba0208ea271c792bddee6a7

Download Submit
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1148-55-0x0000000002BA0000-0x0000000002C6C000-memory.dmp

Filesize
816KB

Download
memory/1784-61-0x0000000000000000-mapping.dmp

Download
memory/2036-65-0x0000000000000000-mapping.dmp

Download
memory/2036-66-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads