483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b

General

Target

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Size

3.5MB
MD5

3f9ba51bc38aa10851f0e9c38278ab6f
SHA1

cb4c4a5c0f63fc13dafdbf8d195c3dedd3fd2854
SHA256

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b
SHA512

2a68e2550ae494ab35c60b2848e5732a16cb7b0aa5c335c8596bc8be71e4372db608fceb126b8ea0bab79b3be1944ad7cc7f85604d6db7244d2090fc4bb3c754
SSDEEP

98304:NxsG2XEqY3veKmr1U+yoyGaCR0mWJ+bgZs9DQ44s0:NWhRUfCR0mWJsghs

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\WkUh1GNQgrFjwE.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exeregsvr32.exeregsvr32.exe

pid process

1672 483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
1092 regsvr32.exe
1188 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpeapomkfkkecofhcnkgmkkcgopaihf\4.0\manifest.json	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpeapomkfkkecofhcnkgmkkcgopaihf\4.0\manifest.json	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpeapomkfkkecofhcnkgmkkcgopaihf\4.0\manifest.json	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dfd9f424-6702-4281-8fc8-316c4703bd74}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dfd9f424-6702-4281-8fc8-316c4703bd74}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dfd9f424-6702-4281-8fc8-316c4703bd74}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dfd9f424-6702-4281-8fc8-316c4703bd74}\ = "SmartOnes"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dfd9f424-6702-4281-8fc8-316c4703bd74}\NoExplorer = "1"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{dfd9f424-6702-4281-8fc8-316c4703bd74}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dfd9f424-6702-4281-8fc8-316c4703bd74}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dfd9f424-6702-4281-8fc8-316c4703bd74}\ = "SmartOnes"	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

Drops file in Program Files directory 8 IoCs

Processes:

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

description	ioc	process
File created	C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.dat	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.dat	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File created	C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.x64.dll	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.x64.dll	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File created	C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.dll	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.dll	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File created	C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.tlb	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.tlb	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{DFD9F424-6702-4281-8FC8-316C4703BD74}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{dfd9f424-6702-4281-8fc8-316c4703bd74}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{dfd9f424-6702-4281-8fc8-316c4703bd74}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{DFD9F424-6702-4281-8FC8-316C4703BD74}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

Modifies registry class 64 IoCs

Processes:

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFD9F424-6702-4281-8FC8-316C4703BD74}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "SmartOnes"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DFD9F424-6702-4281-8FC8-316C4703BD74}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\ = "SmartOnes"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DFD9F424-6702-4281-8FC8-316C4703BD74}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\InprocServer32\ThreadingModel = "Apartment"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\ProgID	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SmartOnes"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{dfd9f424-6702-4281-8fc8-316c4703bd74}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\WkUh1GNQgrFjwE.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{dfd9f424-6702-4281-8fc8-316c4703bd74}"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\ProgID	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\WkUh1GNQgrFjwE.dll"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "SmartOnes"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\ = "SmartOnes"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\ProgID\ = ".9"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\Programmable	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{dfd9f424-6702-4281-8fc8-316c4703bd74}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\InprocServer32	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SmartOnes\\WkUh1GNQgrFjwE.tlb"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\Programmable	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74}\VersionIndependentProgID	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DFD9F424-6702-4281-8FC8-316C4703BD74}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFD9F424-6702-4281-8FC8-316C4703BD74}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

pid	process
1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

description	pid	process
Token: SeDebugPrivilege	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Token: SeDebugPrivilege	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Token: SeDebugPrivilege	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Token: SeDebugPrivilege	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Token: SeDebugPrivilege	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Token: SeDebugPrivilege	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exeregsvr32.exe

description	pid	process	target process
PID 1672 wrote to memory of 1092	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe	regsvr32.exe
PID 1672 wrote to memory of 1092	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe	regsvr32.exe
PID 1672 wrote to memory of 1092	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe	regsvr32.exe
PID 1672 wrote to memory of 1092	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe	regsvr32.exe
PID 1672 wrote to memory of 1092	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe	regsvr32.exe
PID 1672 wrote to memory of 1092	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe	regsvr32.exe
PID 1672 wrote to memory of 1092	1672	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe	regsvr32.exe
PID 1092 wrote to memory of 1188	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 1188	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 1188	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 1188	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 1188	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 1188	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 1188	1092	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{dfd9f424-6702-4281-8fc8-316c4703bd74} = "1"	483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe

C:\Users\Admin\AppData\Local\Temp\483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe
"C:\Users\Admin\AppData\Local\Temp\483da6729b8187e1e8b3348049d0947c949a51b67ac0e9dbd883d35671777e0b.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1672

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1188

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.dat
Filesize
3KB

MD5
f68b243a1bc6a98e02eeb87d223b81ab

SHA1
d9ef54c2e780690c81ec37115b3342184abd7a4e

SHA256
de69ea4e0354342ee579bd177a999a9b1f1c32b128284dce117478540dd367fb

SHA512
779fcc469fa16f9dfd2cbbf8d52d08a3367d4ffc1d4b5d3bba48127731f69ae87b799dc28e5fe87ead1410c164da499d96b5e16601d36d23f29720155eb464ae

Download Submit
C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.tlb
Filesize
3KB

MD5
d5c4233a6c3de331b459f5f6a35ae3dd

SHA1
b5f1bf145f4e0896d7ae500abecbfaca715c18ab

SHA256
f3fca93b2a2848af13dcd30cad6305d20319d0a96f622f96753c1aebb91c885c

SHA512
4af48daa80dcd76cf45018d7edef74f35c5917457dd598f5a2071bba8875d75280326e41f3f5885d5301a596c22a3833cb062e2f4c97e0d83a01ad2644056e76

Download Submit
C:\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.x64.dll
Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.dll
Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.x64.dll
Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
\Program Files (x86)\SmartOnes\WkUh1GNQgrFjwE.x64.dll
Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
memory/1092-61-0x0000000000000000-mapping.dmp

Download
memory/1188-65-0x0000000000000000-mapping.dmp

Download
memory/1188-66-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000002670000-0x0000000002715000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads