a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e

General

Target

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Size

3.7MB
MD5

1f56260cee564f6715b3939bad65e123
SHA1

8aee835c0a2e5ea8de59e574a4d3da74e6a42e62
SHA256

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e
SHA512

b36ad13c09ddcba8ef94f18ff8dcde259f542ad3542beb48e1217a8d10c488a8280e4cc6f7b5f011abe049e104267bf31996b9a0b338b3fbd7312b3181326bf2
SSDEEP

49152:5VxtnlfPuiGl+W6HTYJkR+lAAMufv8mrgShDjL5W68VTby:5VxJmlf6zLR+lAABfkiDvb8

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\InprocServer32\ = "C:\\Program Files (x86)\\CostmIn\\rXwEanCiK6rA1x.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exeregsvr32.exeregsvr32.exe

pid process

1340 a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
920 regsvr32.exe
852 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coadhcmelnfobgcggleknkkbminnckbi\2.0\manifest.json	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coadhcmelnfobgcggleknkkbminnckbi\2.0\manifest.json	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\coadhcmelnfobgcggleknkkbminnckbi\2.0\manifest.json	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{d531d0fd-7733-48cb-aac5-450b76b11ec8}	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\ = "CostmIn"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\NoExplorer = "1"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{d531d0fd-7733-48cb-aac5-450b76b11ec8}	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d531d0fd-7733-48cb-aac5-450b76b11ec8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\ = "CostmIn"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d531d0fd-7733-48cb-aac5-450b76b11ec8}	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File opened for modification	C:\Windows\System32\GroupPolicy	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

Drops file in Program Files directory 8 IoCs

Processes:

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.dll	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File created	C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.tlb	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File opened for modification	C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.tlb	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File created	C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.dat	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File opened for modification	C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.dat	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File created	C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.x64.dll	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File opened for modification	C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.x64.dll	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
File created	C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.dll	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exea0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{D531D0FD-7733-48CB-AAC5-450B76B11EC8}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{d531d0fd-7733-48cb-aac5-450b76b11ec8}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{d531d0fd-7733-48cb-aac5-450b76b11ec8}	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{D531D0FD-7733-48CB-AAC5-450B76B11EC8}	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

Modifies registry class 64 IoCs

Processes:

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "CostmIn"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\ProgID	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D531D0FD-7733-48CB-AAC5-450B76B11EC8}	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D531D0FD-7733-48CB-AAC5-450B76B11EC8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\ProgID\ = ".9"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CostmIn"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{d531d0fd-7733-48cb-aac5-450b76b11ec8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\VersionIndependentProgID\	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\VersionIndependentProgID	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D531D0FD-7733-48CB-AAC5-450B76B11EC8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "CostmIn"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\InprocServer32	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\CostmIn\\rXwEanCiK6rA1x.tlb"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{d531d0fd-7733-48cb-aac5-450b76b11ec8}"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{d531d0fd-7733-48cb-aac5-450b76b11ec8}"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "CostmIn"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\Programmable	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\InprocServer32\ = "C:\\Program Files (x86)\\CostmIn\\rXwEanCiK6rA1x.dll"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8}\Programmable	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

pid	process
1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

description	pid	process
Token: SeDebugPrivilege	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Token: SeDebugPrivilege	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Token: SeDebugPrivilege	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Token: SeDebugPrivilege	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Token: SeDebugPrivilege	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Token: SeDebugPrivilege	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exeregsvr32.exe

description	pid	process	target process
PID 1340 wrote to memory of 920	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe	regsvr32.exe
PID 1340 wrote to memory of 920	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe	regsvr32.exe
PID 1340 wrote to memory of 920	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe	regsvr32.exe
PID 1340 wrote to memory of 920	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe	regsvr32.exe
PID 1340 wrote to memory of 920	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe	regsvr32.exe
PID 1340 wrote to memory of 920	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe	regsvr32.exe
PID 1340 wrote to memory of 920	1340	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe	regsvr32.exe
PID 920 wrote to memory of 852	920	regsvr32.exe	regsvr32.exe
PID 920 wrote to memory of 852	920	regsvr32.exe	regsvr32.exe
PID 920 wrote to memory of 852	920	regsvr32.exe	regsvr32.exe
PID 920 wrote to memory of 852	920	regsvr32.exe	regsvr32.exe
PID 920 wrote to memory of 852	920	regsvr32.exe	regsvr32.exe
PID 920 wrote to memory of 852	920	regsvr32.exe	regsvr32.exe
PID 920 wrote to memory of 852	920	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{d531d0fd-7733-48cb-aac5-450b76b11ec8} = "1"	a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe

C:\Users\Admin\AppData\Local\Temp\a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe
"C:\Users\Admin\AppData\Local\Temp\a0d8b71b4427bc89c140dd862e58756a44a1893e4e9886274c0cd2003897223e.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1340

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.dat
Filesize
4KB

MD5
8941175b4fbdae15a814cf5025d1d439

SHA1
4ab6bae78bfc9181f76bdb8b7f3d461a74912e35

SHA256
2095734089ded303aa75e2579125ac8d0851afbbe360b341da417a96a1896ab5

SHA512
35f419508e78a1b48bd9c0cbdbde781a827de0525f3744927a7f39a223f8916211d07ba9aa75b0f2cc279db5f587ccc272570adb6d554e55e1d27f23d8d7a044

Download Submit
C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.tlb
Filesize
3KB

MD5
62cb4133d9d3a46f4f1c6c0fb3688619

SHA1
feaaef6e2b8c41be2575d0763cc8de3e8c19478e

SHA256
3ddcfb4b206fc4856f5bb5c06bcc3761dde53882eea20b5dc5ddf4ee8864bea5

SHA512
cb30dc73d52eb502f745fe32b4055b53306f62f0847cae1275d0856608949ea62c30f40d7f252ad450909a4bd425cf0e50012400175cc42a4096cf1451d90123

Download Submit
C:\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.x64.dll
Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.dll
Filesize
619KB

MD5
4f328f4e17a2c81830aac4c8c3d67141

SHA1
063c8e33d6a263dd604d072ffd143305f6c3d4a8

SHA256
303917029755e7a44a6e7392c5e751e4fbcb66feaa8a5f09142efaf5a91ad2fc

SHA512
d387cf9ee95426717be8bac7a6cd422b8ddc2aa925723a9b25a169d9b4a0f5cb5607e2f2b8161cadb0e4333d1fda4ba24ecb838dbb49571d55a6799efce404c0

Download Submit
\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.x64.dll
Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
\Program Files (x86)\CostmIn\rXwEanCiK6rA1x.x64.dll
Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
memory/852-65-0x0000000000000000-mapping.dmp

Download
memory/852-66-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/920-61-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1340-55-0x0000000002890000-0x0000000002932000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads