339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac

General

Target

339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
Size

689KB
MD5

935a7a0a4c48eee8fbcb63610be37d57
SHA1

eac0aefd3edb79c19f3e5fc6e50f2f5e4408d767
SHA256

339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac
SHA512

6ec4c79d13a171aae60939676d4de03f3ffcaf6df82e016effe33b73cd7c506aa84341dbe5e9f1024931f01702eb89fd3104e2d6ff3bcd01140188a6c63a38e4
SSDEEP

12288:EbluqziUG4G4Y7jeKuVnvon+N83LwwiAn6KkM33nxD1jeKuVmvFb+N8+Lwwijn6Y:Exu2G4G37tUnvone83Z76bMHxJtUmvFB

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha3206\\ie\\TrustMediaViewerV1alpha3206x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

Loads dropped DLL 5 IoCs

Processes:

339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
4328	regsvr32.exe
5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
5088	regsvr32.exe
4972	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f84dd66f-d569-42a6-943f-af34f03c1d27}\ = "TrustMediaViewerV1alpha3206"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f84dd66f-d569-42a6-943f-af34f03c1d27}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f84dd66f-d569-42a6-943f-af34f03c1d27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f84dd66f-d569-42a6-943f-af34f03c1d27}\ = "TrustMediaViewerV1alpha3206"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f84dd66f-d569-42a6-943f-af34f03c1d27}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f84dd66f-d569-42a6-943f-af34f03c1d27}	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Windows\System32\GroupPolicy	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

Drops file in Program Files directory 23 IoCs

Processes:

339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\icons\default	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ch\TrustMediaViewerV1alpha3206.crx	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome.manifest	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\ffTrustMediaViewerV1alpha3206.js	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\overlay.xul	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\install.rdf	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\overlay.xul	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\icons\Thumbs.db	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\uninstall.exe	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\ffTrustMediaViewerV1alpha3206ffaction.js	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\icons\Thumbs.db	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ie\TrustMediaViewerV1alpha3206.dll	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ie\TrustMediaViewerV1alpha3206x64.dll	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome.manifest	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\ffTrustMediaViewerV1alpha3206ffaction.js	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\ffTrustMediaViewerV1alpha3206.js	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\icons	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\icons\default\TrustMediaViewerV1alpha3206_32.png	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content\icons\default\TrustMediaViewerV1alpha3206_32.png	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ch\TrustMediaViewerV1alpha3206.crx	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\install.rdf	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ff\chrome\content	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Approved Extensions	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{f84dd66f-d569-42a6-943f-af34f03c1d27} = 51667a6c4c1d3b1b7fc15de85880cb0b8a34f068f07a5c39	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

Modifies registry class 56 IoCs

Processes:

regsvr32.exeregsvr32.exe339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha3206\\ie"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\ = "ITrustMediaViewerV1alpha3206BHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\TypeLib\ = "{31026408-d314-46ef-bc13-4dffc2f80c15}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\TypeLib\ = "{31026408-D314-46EF-BC13-4DFFC2F80C15}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Version\ = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\ = "ITrustMediaViewerV1alpha3206BHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\ = "TrustMediaViewerV1alpha3206"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha3206\\ie\\TrustMediaViewerV1alpha3206.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1\0\win32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha3206\\ie\\TrustMediaViewerV1alpha3206.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\TypeLib\ = "{31026408-D314-46EF-BC13-4DFFC2F80C15}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Version\ = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha3206\\ie\\TrustMediaViewerV1alpha3206x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\ = "Trust Media Viewer"	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\ = "TrustMediaViewerV1alpha3206"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1\ = "TrustMediaViewerV1alpha3206Lib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\TypeLib\ = "{31026408-d314-46ef-bc13-4dffc2f80c15}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f84dd66f-d569-42a6-943f-af34f03c1d27}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1\0\win64\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha3206\\ie\\TrustMediaViewerV1alpha3206x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31026408-D314-46EF-BC13-4DFFC2F80C15}\1.1\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C690B423-46B7-4BBE-8F7E-80360C831CC2}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

pid	process
5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exeregsvr32.exe

description	pid	process	target process
PID 5060 wrote to memory of 4328	5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe	regsvr32.exe
PID 5060 wrote to memory of 4328	5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe	regsvr32.exe
PID 5060 wrote to memory of 4328	5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe	regsvr32.exe
PID 5060 wrote to memory of 5088	5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe	regsvr32.exe
PID 5060 wrote to memory of 5088	5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe	regsvr32.exe
PID 5060 wrote to memory of 5088	5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe	regsvr32.exe
PID 5088 wrote to memory of 4972	5088	regsvr32.exe	regsvr32.exe
PID 5088 wrote to memory of 4972	5088	regsvr32.exe	regsvr32.exe
PID 5060 wrote to memory of 992	5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe	gpupdate.exe
PID 5060 wrote to memory of 992	5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe	gpupdate.exe
PID 5060 wrote to memory of 992	5060	339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe
"C:\Users\Admin\AppData\Local\Temp\339416af74b8a4ebddb12a75d91e1338583151e9cd3b89e95bd5f53dffa93aac.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ie\TrustMediaViewerV1alpha3206.dll" /s
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:4328

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ie\TrustMediaViewerV1alpha3206x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ie\TrustMediaViewerV1alpha3206x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:4972

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe" /force
2⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ie\TrustMediaViewerV1alpha3206.dll
Filesize
85KB

MD5
752af74604c689f37c7ff8eb731d3c6a

SHA1
86edb1965d56c29afe55c3fa371b310000459a4e

SHA256
91480103ba5aa604eb564aae021da0a3021fd65b0af32f0e73974e5607cedce2

SHA512
6e3106ba05640dba426699d0703dc6f768cb406b883a73612238a2332e59803ac77560eb2eae46f3d91ea90145192a23c6d1907c2a534db996db3dfa09aa7ba5

Download Submit
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ie\TrustMediaViewerV1alpha3206.dll
Filesize
85KB

MD5
752af74604c689f37c7ff8eb731d3c6a

SHA1
86edb1965d56c29afe55c3fa371b310000459a4e

SHA256
91480103ba5aa604eb564aae021da0a3021fd65b0af32f0e73974e5607cedce2

SHA512
6e3106ba05640dba426699d0703dc6f768cb406b883a73612238a2332e59803ac77560eb2eae46f3d91ea90145192a23c6d1907c2a534db996db3dfa09aa7ba5

Download Submit
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ie\TrustMediaViewerV1alpha3206x64.dll
Filesize
100KB

MD5
0980e5869f87e8f01d79e6dd60e6297e

SHA1
ff3282687e7c035561006b6bc7537299071a95a0

SHA256
1726038570a104b2f01bf1a2b49b9cac1205e2ca67b67586db021c9be62abe6f

SHA512
a26db9f122012c170b175ba0b2bf6bc4f1fab0ba46e5b188c7123140686e74c8a01b6b3d4fcd8476bd5d63fa6269abb5abccb2bf737efcfe96bb65505779c70c

Download Submit
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ie\TrustMediaViewerV1alpha3206x64.dll
Filesize
100KB

MD5
0980e5869f87e8f01d79e6dd60e6297e

SHA1
ff3282687e7c035561006b6bc7537299071a95a0

SHA256
1726038570a104b2f01bf1a2b49b9cac1205e2ca67b67586db021c9be62abe6f

SHA512
a26db9f122012c170b175ba0b2bf6bc4f1fab0ba46e5b188c7123140686e74c8a01b6b3d4fcd8476bd5d63fa6269abb5abccb2bf737efcfe96bb65505779c70c

Download Submit
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3206\ie\TrustMediaViewerV1alpha3206x64.dll
Filesize
100KB

MD5
0980e5869f87e8f01d79e6dd60e6297e

SHA1
ff3282687e7c035561006b6bc7537299071a95a0

SHA256
1726038570a104b2f01bf1a2b49b9cac1205e2ca67b67586db021c9be62abe6f

SHA512
a26db9f122012c170b175ba0b2bf6bc4f1fab0ba46e5b188c7123140686e74c8a01b6b3d4fcd8476bd5d63fa6269abb5abccb2bf737efcfe96bb65505779c70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuBA4D.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuBA4D.tmp\aminsis.dll
Filesize
567KB

MD5
f346047b13f37f79c462e59a6319faa1

SHA1
ce9e7cb9719000a69b463fe024c81229e322279f

SHA256
e78e0e61707cabec8383f1e74da9db8e0fa123a3a7b36f0080d70fbaed6f7453

SHA512
429209cc489ba9ac2d62055b128efb3cded3e31f966c7cdb1aee592ec7a54ab090526705fa2519498d92eb4bc2efa141cd83adc6c251b793388ad1208b172167

Download Submit
memory/992-142-0x0000000000000000-mapping.dmp

Download
memory/4328-133-0x0000000000000000-mapping.dmp

Download
memory/4972-140-0x0000000000000000-mapping.dmp

Download
memory/5088-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads