Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 21:13

Static task: static1
Behavioral task behavioral1: sample a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe, resource win7-20220812-en
Behavioral task behavioral2: sample a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe, resource win10v2004-20220812-en
The results on this page are from the win10v2004-20220812-en run (behavioral2); the Windows 7 run is not shown here.
General
Target: a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
Size: 3.8MB
MD5: 8ab5d5eda8a1e69e6d6b65d3c06b4e3b
SHA1: 427d19366796d64fdb0b42ba9f6993cf2e1b3773
SHA256: a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2
SHA512: de5ea184310c21008f4b217173f49f0503857f9483bdfa2b5d186f018f6f8eb8aeae641c4266cd9d6a3195d8dec8e82702dd5b8b3dd96c8b5efe10bddbd01c4a
SSDEEP: 98304:jRj6in0g4vPKMKEdzkziOHIom1oFr3/Kiyo:jRj6RhduiRSrv1y
Malware Config

Signatures

Registers COM server for autorun (1 TTP, 4 IoCs)
Processes: regsvr32.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32  (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32\ = "C:\\Program Files (x86)\\TinyWallet\\XLDG3dsTk1sRmg.x64.dll"  (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32\ThreadingModel = "Apartment"  (regsvr32.exe)
The InprocServer32 default value is the DLL that COM loads whenever this CLSID is instantiated. Here it is the dropped 64-bit DLL, and the key sits in the native (non-WOW6432Node) hive because it is written by the 64-bit regsvr32.exe instance (PID 1292 in the process tree below).
Loads dropped DLL (3 IoCs)
Processes: pid / process
- 4856  a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
- 4916  regsvr32.exe
- 1292  regsvr32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, such as saved credentials. No file or registry IoCs are listed for this signature.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Drops Chrome extension (5 IoCs)
Processes: a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
- File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpfkodbcndmjaepnhjoibelpmkcgmme\1.0\manifest.json  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpfkodbcndmjaepnhjoibelpmkcgmme\1.0\manifest.json  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File created C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpfkodbcndmjaepnhjoibelpmkcgmme\1.0\manifest.json  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpfkodbcndmjaepnhjoibelpmkcgmme\1.0\manifest.json  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpfkodbcndmjaepnhjoibelpmkcgmme\1.0\manifest.json  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
The sample writes the extension manifest directly into the Default profile of every directory under C:\Users, including the built-in DefaultAccount, Guest and WDAGUtilityAccount directories, so it evidently enumerates C:\Users\* rather than checking for an existing Chrome profile. The extension ID is the directory name under Extensions (nmpfkodbcndmjaepnhjoibelpmkcgmme); only manifest.json is recorded as created, so any script files of the extension are not shown in this report.
Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
BHOs are DLL modules that act as plugins for Internet Explorer.
Processes: regsvr32.exe, a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869}  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869}  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\ = "TinyWallet"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\NoExplorer = "1"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869}  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869}  (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\ = "TinyWallet"  (regsvr32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\NoExplorer = "1"  (regsvr32.exe)
The BHO is registered under both the WOW6432Node (32-bit) and the native (64-bit) Browser Helper Objects keys, so it loads in either bitness of Internet Explorer. NoExplorer = 1 keeps the object from also being loaded into Windows Explorer (explorer.exe). The CLSID is the same one registered as a COM server above, so the DLL that runs inside the browser is resolved through that InprocServer32 value.
Drops file in System32 directory (4 IoCs)
Processes: a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
- File opened for modification C:\Windows\System32\GroupPolicy  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
These paths are the Local Group Policy store: Machine\Registry.pol holds the machine-side registry policy records, and gpt.ini carries the version number that Group Policy processing uses to detect a change. The report does not show the contents of the Registry.pol that was written. The mix of SysWOW64\GroupPolicy and System32\GroupPolicy paths is what a 32-bit process produces when it touches this folder with WOW64 file-system redirection on and then off.
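The report records that Registry.pol was created but not what it contains. To read such a file during triage, the following added example (not part of the sandbox report or of the sample) parses the PReg format that Registry.pol uses: a "PReg" magic and version 1 header, followed by [key;value;type;size;data] records in which the delimiters and strings are UTF-16LE and type and size are little-endian DWORDs. The input is a constructed file serialised by the same script: its first record carries the same Internet Explorer add-on approval value (Policies\Ext\CLSID\{07e1b652-...} = "1") that the report shows the sample setting directly in the registry, and the second record (Software\Policies\Example\Enabled) is a hypothetical REG_DWORD included only to exercise that value type. The function names build_registry_pol, parse_registry_pol and find_addon_approvals are this example's own.

```python
"""Parse a Group Policy Registry.pol (PReg v1) file and list the policy records it sets.

Added example for this report: the format is the one Microsoft documents as MS-GPREG; the
sample file below is constructed here, not recovered from the analysed binary.
"""
import struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def _u16(ch):
    """A single bracket/semicolon delimiter as it appears in the file (UTF-16LE)."""
    return ch.encode("utf-16-le")


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, position after the terminator)."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16LE string")
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2  # step one code unit so the terminator is only found on an even boundary


def _expect(buf, pos, ch):
    """Check that the delimiter ch is at pos and return the position after it."""
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _decode(vtype, raw):
    """Turn raw record data into a Python value according to the registry type."""
    if vtype == 4 and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if vtype in (1, 2):
        return raw.decode("utf-16-le").rstrip("\x00")
    if vtype == 7:
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw.hex()


def parse_registry_pol(data):
    """Return the list of {key, value, type, data} records in a Registry.pol byte string."""
    if data[:4] != b"PReg" or struct.unpack("<I", data[4:8])[0] != 1:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(data):
        pos = _expect(data, pos, "[")
        key, pos = _read_wstr(data, pos)
        pos = _expect(data, pos, ";")
        value, pos = _read_wstr(data, pos)
        pos = _expect(data, pos, ";")
        vtype = struct.unpack_from("<I", data, pos)[0]
        pos = _expect(data, pos + 4, ";")
        size = struct.unpack_from("<I", data, pos)[0]
        pos = _expect(data, pos + 4, ";")
        raw = data[pos:pos + size]
        pos = _expect(data, pos + size, "]")
        entries.append({"key": key, "value": value, "type": REG_TYPES.get(vtype, vtype), "data": _decode(vtype, raw)})
    return entries


def find_addon_approvals(entries):
    """CLSIDs the file pre-approves through the IE Add-on List policy (Policies\\Ext\\CLSID, value name = CLSID, data "1")."""
    return [e["value"] for e in entries
            if e["key"].lower().endswith(r"policies\ext\clsid") and str(e["data"]) == "1"]


def build_registry_pol(records):
    """Serialise (key, value, type, data) tuples into PReg v1 bytes; used here only to construct the sample input."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, vtype, data in records:
        if vtype == 4:
            raw = struct.pack("<I", data)
        elif vtype in (1, 2):
            raw = (data + "\x00").encode("utf-16-le")
        elif vtype == 7:
            raw = ("\x00".join(data) + "\x00\x00").encode("utf-16-le")
        else:
            raw = bytes(data)
        out += _u16("[") + (key + "\x00").encode("utf-16-le") + _u16(";")
        out += (value + "\x00").encode("utf-16-le") + _u16(";")
        out += struct.pack("<I", vtype) + _u16(";") + struct.pack("<I", len(raw)) + _u16(";")
        out += raw + _u16("]")
    return bytes(out)


# Constructed sample: the first record mirrors the add-on approval the report shows in the
# registry; the second is a hypothetical DWORD policy included to exercise that value type.
SAMPLE_RECORDS = [
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID",
     "{07e1b652-43f3-4cc0-8dd1-63280af6f869}", 1, "1"),
    (r"Software\Policies\Example", "Enabled", 4, 1),
]
SAMPLE_POL = build_registry_pol(SAMPLE_RECORDS)

if __name__ == "__main__":
    for entry in parse_registry_pol(SAMPLE_POL):
        print(f'{entry["type"]:<10} HKLM\\{entry["key"]}\\{entry["value"]} = {entry["data"]!r}')
    print("pre-approved IE add-ons:", find_addon_approvals(parse_registry_pol(SAMPLE_POL)))
```

On a live system the same parser can be pointed at C:\Windows\System32\GroupPolicy\Machine\Registry.pol (and the User\ counterpart) to see exactly which registry policy an installer left behind; a record under Policies\Ext\CLSID is the Add-on List policy in file form.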
Drops file in Program Files directory (8 IoCs)
Processes: a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
- File created C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.x64.dll  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File opened for modification C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.x64.dll  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File created C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.dll  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File opened for modification C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.dll  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File created C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.tlb  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File opened for modification C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.tlb  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File created C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.dat  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- File opened for modification C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.dat  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
The two DLLs are the 64-bit (XLDG3dsTk1sRmg.x64.dll, 890KB) and 32-bit (XLDG3dsTk1sRmg.dll, 753KB) builds of the COM server; their hashes are listed under Downloads. The .tlb is presumably the IEPluginLib type library registered under Classes\TypeLib below; the report does not say what the .dat holds.
Modifies Internet Explorer settings (8 IoCs)
Processes: a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe, regsvr32.exe
- Key deleted \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{07E1B652-43F3-4CC0-8DD1-63280AF6F869}  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key deleted \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key deleted \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{07E1B652-43F3-4CC0-8DD1-63280AF6F869}  (regsvr32.exe)
- Key deleted \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration  (regsvr32.exe)
- Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration  (regsvr32.exe)
- Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{07e1b652-43f3-4cc0-8dd1-63280af6f869}  (regsvr32.exe)
- Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{07e1b652-43f3-4cc0-8dd1-63280af6f869}  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
These are per-user keys (HKCU of the sandbox user, SID S-1-5-21-...-1000) under Internet Explorer\ApprovedExtensionsMigration, which Internet Explorer uses to record add-ons that have already been approved for the user; both the sample and regsvr32.exe delete and recreate the entry for the BHO's CLSID.
Modifies registry class (64 IoCs)
Processes: a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe, regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\Programmable  (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\ProgID\ = ".9"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\Programmable  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}  (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "TinyWallet"  (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"  (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\VersionIndependentProgID\  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\Programmable  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\..9  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{07e1b652-43f3-4cc0-8dd1-63280af6f869}"  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\ProgID  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07E1B652-43F3-4CC0-8DD1-63280AF6F869}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}  (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "TinyWallet"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32\ = "C:\\Program Files (x86)\\TinyWallet\\XLDG3dsTk1sRmg.dll"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\ProgID\ = ".9"  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07E1B652-43F3-4CC0-8DD1-63280AF6F869}  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07E1B652-43F3-4CC0-8DD1-63280AF6F869}\Implemented Categories  (regsvr32.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32\ = "C:\\Program Files (x86)\\TinyWallet\\XLDG3dsTk1sRmg.x64.dll"  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "TinyWallet"  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\ = "TinyWallet"  (regsvr32.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\VersionIndependentProgID  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{07e1b652-43f3-4cc0-8dd1-63280af6f869}"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\ProgID  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32  (regsvr32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\TinyWallet"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
These are the full COM registration of the add-on: CLSID {07e1b652-43f3-4cc0-8dd1-63280af6f869} with friendly name TinyWallet and near-empty ProgIDs "." and ".9" (hence the odd Classes\. and Classes\..9 keys), a type library {E2343056-CC08-46AC-B898-BFC7ACF4E755} named IEPluginLib with HELPDIR set to the TinyWallet folder, and three interfaces, IRegistry {EAF749DC-...}, ILocalStorage {7041156A-...} and IPlaghinMein {9B41579A-...}, whose ProxyStubClsid32 {00020424-0000-0000-C000-000000000046} selects type-library marshalling. The Implemented Categories entry {59FB2056-D625-48D0-A944-1A85B5AB2640} is CATID_AppContainerCompatible, which lets the BHO load in Internet Explorer's Enhanced Protected Mode. The sample itself writes the WOW6432Node (32-bit) entries, pointing InprocServer32 at XLDG3dsTk1sRmg.dll, while the 64-bit regsvr32.exe writes the native entries pointing at XLDG3dsTk1sRmg.x64.dll. One value (VersionIndependentProgID) is shown without its data in the report.
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes: pid / process
- 4856  a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe  (20 identical entries)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: description / pid / process
- Token: SeDebugPrivilege  4856  a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe  (6 identical entries)
SeDebugPrivilege is the privilege needed to open handles to processes the caller does not own; the sample enables it alongside its process enumeration above.
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: description / pid / process / target process
- PID 4856 wrote to memory of 4916  a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe -> regsvr32.exe  (3 entries)
- PID 4916 wrote to memory of 1292  regsvr32.exe -> regsvr32.exe  (2 entries)
Each entry is a parent writing into a child it has just created (the sample into the SysWOW64 regsvr32.exe, and that regsvr32.exe into the 64-bit one it relaunches), which is what process creation itself does while setting up the new process; it is not evidence of injection into an unrelated process.
System policy modification (1 TTP, 1 IoC)
Processes: a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869} = "1"  (a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe)
This is the registry form of the Internet Explorer "Add-on List" policy: a value named after the CLSID with data 1 means the add-on is allowed and the user cannot disable it from Manage Add-ons, so no enable prompt is shown for the BHO. It is the same CLSID registered as a COM server and BHO above.
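The signatures above flag the COM server registration, the Browser Helper Object, the Chrome extension drop and the policy value separately, but the useful triage output is the correlation between them: which DLL the BHO CLSID resolves to in each registry bitness, which process wrote it, whether the policy value pre-approves it, and which user profiles received the extension. The following is an added example, not part of the sandbox report or of the sample, that parses event lines in the three shapes this report prints ("Set value ... = "..." process", "Key created/deleted ... process", "File created ... process") and produces that summary. The embedded sample lines are constructed from this report's own events; the regular expressions and the function names parse_event and summarize are this example's own, and lines that match none of the patterns are ignored.

```python
"""Correlate sandbox registry and file events into a browser-persistence summary.

Added example for this report, not code from the sandbox or the sample. It ties a Browser
Helper Object CLSID to the COM server DLL registered for each bitness, to the Policies\\Ext
value that pre-approves it, and lists which profiles received a sideloaded Chrome extension.
"""
import re
from collections import defaultdict

# Constructed from the events listed in this report (a subset, copied as printed).
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869} a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\ = "TinyWallet" a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\NoExplorer = "1" a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e1b652-43f3-4cc0-8dd1-63280af6f869} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32\ = "C:\\Program Files (x86)\\TinyWallet\\XLDG3dsTk1sRmg.x64.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869}\InprocServer32\ = "C:\\Program Files (x86)\\TinyWallet\\XLDG3dsTk1sRmg.dll" a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{07e1b652-43f3-4cc0-8dd1-63280af6f869} = "1" a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpfkodbcndmjaepnhjoibelpmkcgmme\1.0\manifest.json a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpfkodbcndmjaepnhjoibelpmkcgmme\1.0\manifest.json a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe
"""

# The three line shapes the report prints. Keys and paths may contain spaces, so they are
# matched lazily up to the last whitesp-free token, which is the process name.
SET_RE = re.compile(r'^Set value \((?:str|int)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key (?P<action>created|deleted) (?P<key>\\REGISTRY\\.+?) (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File (?:created|opened for modification) (?P<path>[A-Za-z]:\\.+?) (?P<proc>\S+)$')

GUID = r"\{(?P<clsid>[0-9a-f-]{36})\}"
BHO_RE = re.compile(r"\\browser helper objects\\" + GUID + r"(?:\\(?P<val>[^\\]*))?$", re.I)
INPROC_RE = re.compile(r"\\classes\\(?P<wow>wow6432node\\)?clsid\\" + GUID + r"\\inprocserver32\\$", re.I)
POLICY_RE = re.compile(r"\\policies\\ext\\clsid\\" + GUID + r"$", re.I)
CHROME_RE = re.compile(r"^[a-z]:\\users\\(?P<user>[^\\]+)\\appdata\\local\\google\\chrome\\user data\\"
                       r"(?P<profile>[^\\]+)\\extensions\\(?P<ext>[a-p]{32})\\.*\\manifest\.json$", re.I)


def parse_event(line):
    """Turn one report line into a dict, or None for lines that are not events."""
    line = line.strip()
    if m := SET_RE.match(line):
        # The report escapes backslashes inside quoted registry data; undo that once.
        return {"kind": "set", "key": m["key"], "data": m["data"].replace("\\\\", "\\"), "proc": m["proc"]}
    if m := KEY_RE.match(line):
        return {"kind": "key_" + m["action"], "key": m["key"], "proc": m["proc"]}
    if m := FILE_RE.match(line):
        return {"kind": "file", "path": m["path"], "proc": m["proc"]}
    return None


def summarize(lines):
    """Correlate parsed events into BHO findings and sideloaded Chrome extensions."""
    bhos = defaultdict(lambda: {"name": None, "no_explorer": False, "hives": set()})
    servers = {}      # (clsid, bitness) -> (dll path, registering process)
    approved = set()  # CLSIDs given "1" under Policies\Ext\CLSID (IE Add-on List policy)
    chrome = defaultdict(set)  # extension id -> {(user, profile)}
    for event in filter(None, map(parse_event, lines)):
        if event["kind"] == "file":
            if m := CHROME_RE.match(event["path"]):
                chrome[m["ext"].lower()].add((m["user"], m["profile"]))
            continue
        key = event["key"]
        if event["kind"] in ("set", "key_created") and (m := BHO_RE.search(key)):
            bho = bhos[m["clsid"].lower()]
            bho["hives"].add("x86" if "wow6432node" in key.lower() else "x64")
            if event["kind"] == "set":
                val = (m["val"] or "").lower()
                if val == "":            # default value holds the add-on's display name
                    bho["name"] = event["data"]
                elif val == "noexplorer":
                    bho["no_explorer"] = event["data"] == "1"
        elif event["kind"] == "set" and (m := INPROC_RE.search(key)):
            bits = "x86" if m["wow"] else "x64"
            servers[(m["clsid"].lower(), bits)] = (event["data"], event["proc"])
        elif event["kind"] == "set" and (m := POLICY_RE.search(key)) and event["data"] == "1":
            approved.add(m["clsid"].lower())
    findings = []
    for clsid, bho in bhos.items():
        mine = {bits: v for (c, bits), v in servers.items() if c == clsid}
        findings.append({
            "clsid": clsid,
            "name": bho["name"],
            "bho_hives": sorted(bho["hives"]),
            "no_explorer": bho["no_explorer"],
            "policy_approved": clsid in approved,
            "servers": {bits: dll for bits, (dll, _) in mine.items()},
            "registered_by": sorted({proc for _, proc in mine.values()}),
        })
    return {"bhos": findings, "chrome_extensions": {ext: sorted(v) for ext, v in chrome.items()}}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_EVENTS.splitlines()), indent=2))
```

The same correlation applies to a host: a BHO entry whose CLSID has no InprocServer32 in the matching hive is dead, one whose DLL lives outside Program Files or is unsigned deserves a look, and a CLSID that also appears under Policies\Ext\CLSID with data 1 was deliberately exempted from the user's add-on prompt.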
Processes
C:\Users\Admin\AppData\Local\Temp\a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe  (PID 4856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6070431968d441dbb3d0c09a7b201958d09ec39698502cd9be81c7b3b2865a2.exe"
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\SysWOW64\regsvr32.exe  (PID 4916, child of 4856)
    Command line: regsvr32.exe /s "C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.x64.dll"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\regsvr32.exe  (PID 1292, child of 4916)
      Command line: /s "C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.x64.dll"
      - Registers COM server for autorun
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies Internet Explorer settings
      - Modifies registry class

C:\Windows\system32\svchost.exe  (PID 3440)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe  (PID 4940)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

The sample (32-bit, judging by its WOW6432Node writes and its choice of the SysWOW64 regsvr32.exe) hands the 64-bit DLL to the 32-bit regsvr32.exe, which cannot load it and relaunches the native 64-bit regsvr32.exe from system32 with the same arguments; that second instance (PID 1292) is the one that writes the native-hive COM and BHO keys. The two svchost.exe entries are service hosts (File History and Portable Device Enumerator) that started during the run; they are top-level rather than children of the sample and carry no signatures.
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.dat
  Filesize: 3KB
  MD5: 27fa9feb907921e6096f8fd86a16d8e4
  SHA1: cdac19f936adaa0fafc4752e8d8345b6788b897a
  SHA256: 46493f703855f9b8d0ef1da345feb40186125c61f70ac0fb582cb6e1ac275208
  SHA512: 72c840434f27c928c1cde92cd1f322897430a25dbd98daa585308043ea813b09e13bf4a7f45c35fc64e1d111010ab3e42b5d5f25371bddc71dce0a6fe0c1afb0

C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.dll
  Filesize: 753KB
  MD5: 12616f209056f6862945cec7d54be14e
  SHA1: fc0e12882ceb1d0d8e1b98de09d98a8670f8e729
  SHA256: d76f3a653ff95f8af915083ab8bcebdeecb605cf7842cf04b0f627cfdb72fc56
  SHA512: 67849d35017a6481847bcba348cdfdb60eb0361262d3c22717f2bbc634d6d076fcc03420764aa66ccd0062e2d13a95a70e1b271fb1c4245ab18427eb10615f08

C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.tlb
  Filesize: 3KB
  MD5: 0152dae58a1c6dfd44a95f6e69b7b963
  SHA1: 895438957356d0757810c9a65205a884faec2106
  SHA256: 76794dc7bc140457b22160a2f056c2c51632c3f7f1240c1715b92ff5da13ad7e
  SHA512: 24e23727571fdc54d4f6986df3ae18942bade4bba3706b93107ffb2df3a9c76ebd3ed1a3e013fd481709c86b26f45eac33b86d602690b4cfcf6544c8a358c2aa

C:\Program Files (x86)\TinyWallet\XLDG3dsTk1sRmg.x64.dll
  Filesize: 890KB
  MD5: dbdd5a981bb803210188cc5f47853374
  SHA1: 3ee3427556bf240a4e381c59c221157474f6332e
  SHA256: 82dd9d5cc8dffbdbbcbb846f9de1719467f957faec0e469cf03f661c6db34e95
  SHA512: 8952131b23a1536f76e85d61f971827f17f3faba4e376e3ec2a57a98c57906ba36ba0d630f87eb684760fadd1d268ccf7e099c3731c09e755698726c01b91515

Memory dumps
memory/1292-141-0x0000000000000000-mapping.dmp
memory/4856-132-0x0000000002CB0000-0x0000000002D79000-memory.dmp
  Filesize: 804KB
memory/4916-138-0x0000000000000000-mapping.dmp