994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5

General

Target

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Size

4.0MB
MD5

0c93c54fb32cac93599996495d5895d0
SHA1

94e63e9104870793ced59d1155d43b54f906cb42
SHA256

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5
SHA512

b907a67c653a173b0ebb7bdb6d4c5cbd5bc19778753fa356cd3cd8b01e4cd3dc8edd2c0fe7629000e20e69e2b0b93c3158ed582752c9695c133ad1bcbe7a0c9b
SSDEEP

98304:DupCXNupABoDEKISSCCG3Kpg9PPtfRzz+dA:DaCa/P

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\InprocServer32\ = "C:\\Program Files (x86)\\TinyuWAllet\\Tu2rCImMxqIX9B.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exeregsvr32.exeregsvr32.exe

pid process

1080 994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
1464 regsvr32.exe
1280 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\chjecnmemokcjpiopbijllemcoeppaie\1.0\manifest.json	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\chjecnmemokcjpiopbijllemcoeppaie\1.0\manifest.json	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\chjecnmemokcjpiopbijllemcoeppaie\1.0\manifest.json	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\ = "TinyuWAllet"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b6e347d-51d3-401b-ba09-087803f2c2a4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8b6e347d-51d3-401b-ba09-087803f2c2a4}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\ = "TinyuWAllet"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\NoExplorer = "1"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8b6e347d-51d3-401b-ba09-087803f2c2a4}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b6e347d-51d3-401b-ba09-087803f2c2a4}	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File opened for modification	C:\Windows\System32\GroupPolicy	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

Drops file in Program Files directory 8 IoCs

Processes:

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.dat	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File created	C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.x64.dll	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File opened for modification	C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.x64.dll	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File created	C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.dll	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File opened for modification	C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.dll	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File created	C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.tlb	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File opened for modification	C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.tlb	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
File created	C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.dat	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8B6E347D-51D3-401B-BA09-087803F2C2A4}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8B6E347D-51D3-401B-BA09-087803F2C2A4}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8b6e347d-51d3-401b-ba09-087803f2c2a4}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8b6e347d-51d3-401b-ba09-087803f2c2a4}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

Modifies registry class 64 IoCs

Processes:

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\InprocServer32\ = "C:\\Program Files (x86)\\TinyuWAllet\\Tu2rCImMxqIX9B.dll"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "TinyuWAllet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B6E347D-51D3-401B-BA09-087803F2C2A4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "TinyuWAllet"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\ProgID\ = ".9"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "TinyuWAllet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{8b6e347d-51d3-401b-ba09-087803f2c2a4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\ = "TinyuWAllet"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B6E347D-51D3-401B-BA09-087803F2C2A4}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B6E347D-51D3-401B-BA09-087803F2C2A4}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{8b6e347d-51d3-401b-ba09-087803f2c2a4}"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\VersionIndependentProgID	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\VersionIndependentProgID	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\VersionIndependentProgID\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\ProgID	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\ProgID\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\Programmable	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\InprocServer32	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\InprocServer32	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4}\VersionIndependentProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

pid	process
1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

description	pid	process
Token: SeDebugPrivilege	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Token: SeDebugPrivilege	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Token: SeDebugPrivilege	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Token: SeDebugPrivilege	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Token: SeDebugPrivilege	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Token: SeDebugPrivilege	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exeregsvr32.exe

description	pid	process	target process
PID 1080 wrote to memory of 1464	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe	regsvr32.exe
PID 1080 wrote to memory of 1464	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe	regsvr32.exe
PID 1080 wrote to memory of 1464	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe	regsvr32.exe
PID 1080 wrote to memory of 1464	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe	regsvr32.exe
PID 1080 wrote to memory of 1464	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe	regsvr32.exe
PID 1080 wrote to memory of 1464	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe	regsvr32.exe
PID 1080 wrote to memory of 1464	1080	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe	regsvr32.exe
PID 1464 wrote to memory of 1280	1464	regsvr32.exe	regsvr32.exe
PID 1464 wrote to memory of 1280	1464	regsvr32.exe	regsvr32.exe
PID 1464 wrote to memory of 1280	1464	regsvr32.exe	regsvr32.exe
PID 1464 wrote to memory of 1280	1464	regsvr32.exe	regsvr32.exe
PID 1464 wrote to memory of 1280	1464	regsvr32.exe	regsvr32.exe
PID 1464 wrote to memory of 1280	1464	regsvr32.exe	regsvr32.exe
PID 1464 wrote to memory of 1280	1464	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8b6e347d-51d3-401b-ba09-087803f2c2a4} = "1"	994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe

C:\Users\Admin\AppData\Local\Temp\994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe
"C:\Users\Admin\AppData\Local\Temp\994a3fb6384c2afe995dadf11d72bae354e7739aead0bcc60a1363764818e9e5.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1080

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1280

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.dat
Filesize
4KB

MD5
651bbd6c254fda9af205c99dad782b39

SHA1
2f2b6027654b13845a0fe3ddb296d49315728ee3

SHA256
d2a0e35980b353c0e375a012d513d58ea4641f10caed8160c0fb290265360617

SHA512
e8129190b6749b36d8619ce4ab290879e7bef2feb4a25314291191def66062bf62b43d8fd895518bc4fe01e21a8cd1e9e89f3043b84511597e203c156f85d974

Download Submit
C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.tlb
Filesize
3KB

MD5
f97b95a2c07b6c926106d4e9e110f93b

SHA1
6b76b71705374f84d81add54fad98b6fccd78c69

SHA256
3dca6f9ef4c0fa2d4511ee991298a97b5847720161efb3388b5dfe28694a0a97

SHA512
8d2b262861d126af9874c63e890b7f963a5823825ac4479e7ea917bf6ba1bbc49ec5d7da1c0cfa79deac6ae763be38799b99e76cbe744efd9d4cc018549f225c

Download Submit
C:\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.x64.dll
Filesize
701KB

MD5
b30d08f15639c7642e6bba8187911fe9

SHA1
6f79350773fde83fef1b82607da0835d01a27e2a

SHA256
e13f07d2edc163c163511604bd7e94068839f8b39f1f14f2ed048b84a2a47954

SHA512
a1c350a84992d9d7ca245a0cb06150b4fddadcca3c4d9a80368c07454c35972a5beea5fb8fcecafbdf2ad9f694b68d85724c3b7476c2c52280832f35b06d852a

Download Submit
\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.dll
Filesize
622KB

MD5
8a05c343e6e5fed3c750b3d9d0066ebb

SHA1
22d39fe1637510c4468e9c69081f288a107b8da1

SHA256
4acb52ac42bd0fd0e98752d4b0c24f1922f7baf7449b88c3c431958c374b8392

SHA512
35e3eecbb0dbc125e0dace43cba58151b5fbb6bc627075674195ca7fe2a577f3662fc969e9b1eb3aed1ca2028c16ef36b95dec27b4fe44e7f8ded1d3d78e12d1

Download Submit
\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.x64.dll
Filesize
701KB

MD5
b30d08f15639c7642e6bba8187911fe9

SHA1
6f79350773fde83fef1b82607da0835d01a27e2a

SHA256
e13f07d2edc163c163511604bd7e94068839f8b39f1f14f2ed048b84a2a47954

SHA512
a1c350a84992d9d7ca245a0cb06150b4fddadcca3c4d9a80368c07454c35972a5beea5fb8fcecafbdf2ad9f694b68d85724c3b7476c2c52280832f35b06d852a

Download Submit
\Program Files (x86)\TinyuWAllet\Tu2rCImMxqIX9B.x64.dll
Filesize
701KB

MD5
b30d08f15639c7642e6bba8187911fe9

SHA1
6f79350773fde83fef1b82607da0835d01a27e2a

SHA256
e13f07d2edc163c163511604bd7e94068839f8b39f1f14f2ed048b84a2a47954

SHA512
a1c350a84992d9d7ca245a0cb06150b4fddadcca3c4d9a80368c07454c35972a5beea5fb8fcecafbdf2ad9f694b68d85724c3b7476c2c52280832f35b06d852a

Download Submit
memory/1080-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1080-55-0x00000000029F0000-0x0000000002A94000-memory.dmp

Filesize
656KB

Download
memory/1280-65-0x0000000000000000-mapping.dmp

Download
memory/1280-66-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/1464-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads