fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9

General

Target

fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Size

3.8MB
MD5

0125683b50471b887dd416f72e021417
SHA1

06700ca90cc5511aeaae8bfd2e60f3de0fb8512d
SHA256

fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9
SHA512

ccbe967b75cf36c82af93918c73c987ea4fa7432b88e1912eeabad9655480b34e73cc21662be1ec0001b35cfe82e47bbfcab72df6bf4eecc7d525eb540056e4b
SSDEEP

98304:xM5P6ZwrV/HZUydS1sUW5xf1g2pG3Ttaqevs8SdmzOxDa12hggS/0l77YwdQe7e7:OrVOyqg

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdBlocke\\sJnWX5Ye4mw3Fo.x64.dll"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exeregsvr32.exeregsvr32.exe

pid process

3104 fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
1300 regsvr32.exe
4168 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3104	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
1300	regsvr32.exe
4168	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exefdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8133ea3-e05a-4129-8ffc-94694913bb75}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8133ea3-e05a-4129-8ffc-94694913bb75}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8133ea3-e05a-4129-8ffc-94694913bb75}\ = "YoutubeAdBlocke"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8133ea3-e05a-4129-8ffc-94694913bb75}\NoExplorer = "1"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8133ea3-e05a-4129-8ffc-94694913bb75}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8133ea3-e05a-4129-8ffc-94694913bb75}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8133ea3-e05a-4129-8ffc-94694913bb75}\ = "YoutubeAdBlocke"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8133ea3-e05a-4129-8ffc-94694913bb75}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.dat	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.x64.dll	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.x64.dll	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.dll	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.dll	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.tlb	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.tlb	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.dat	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exefdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{E8133EA3-E05A-4129-8FFC-94694913BB75}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{e8133ea3-e05a-4129-8ffc-94694913bb75}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{e8133ea3-e05a-4129-8ffc-94694913bb75}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{E8133EA3-E05A-4129-8FFC-94694913BB75}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe

Modifies registry class 64 IoCs

Processes:

fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YoutubeAdBlocke"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\Programmable	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\VersionIndependentProgID\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8133EA3-E05A-4129-8FFC-94694913BB75}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "YoutubeAdBlocke"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdBlocke\\sJnWX5Ye4mw3Fo.dll"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8133EA3-E05A-4129-8FFC-94694913BB75}\Implemented Categories	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\ = "YoutubeAdBlocke"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{e8133ea3-e05a-4129-8ffc-94694913bb75}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8133EA3-E05A-4129-8FFC-94694913BB75}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\ProgID	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{e8133ea3-e05a-4129-8ffc-94694913bb75}"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\Programmable	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\VersionIndependentProgID	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdBlocke\\sJnWX5Ye4mw3Fo.tlb"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8133EA3-E05A-4129-8FFC-94694913BB75}	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YoutubeAdBlocke"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{e8133ea3-e05a-4129-8ffc-94694913bb75}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\ProgID\ = ".9"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdBlocke"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\VersionIndependentProgID\	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\InprocServer32	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75}\ProgID	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exeregsvr32.exe

description	pid	process	target process
PID 3104 wrote to memory of 1300	3104	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe	regsvr32.exe
PID 3104 wrote to memory of 1300	3104	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe	regsvr32.exe
PID 3104 wrote to memory of 1300	3104	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe	regsvr32.exe
PID 1300 wrote to memory of 4168	1300	regsvr32.exe	regsvr32.exe
PID 1300 wrote to memory of 4168	1300	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{e8133ea3-e05a-4129-8ffc-94694913bb75} = "1"	fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe

C:\Users\Admin\AppData\Local\Temp\fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe
"C:\Users\Admin\AppData\Local\Temp\fdff8387f45a3cee3354f45a3cc95455eaafa032756b21e360ccdc345ab3b2f9.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3104

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.dat

Filesize
4KB

MD5
df2c14c3d0c0434cd9eaa8d67749bece

SHA1
1951b60991974d468e44b4d697501e61a9b8f443

SHA256
8039f40e6851e9a867fdddb211fa1efc3b6c723164a465dd0eae3c540e0d4fe5

SHA512
ef196e9a4e3d4db4bb5c383012fa5d20fce5a0bbb3d7337634253319c1239384b2c4c0b8fbc0732f9cc1ad1ae2fc67018d9ec0650d5921bcbadfe0c887ea0888

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.dll

Filesize
626KB

MD5
4e0e23ba26861ab8e3108cff4dad6444

SHA1
0656dbf15e2f027ddc3a8085f527afef8ed2b2ce

SHA256
ded4862864f6f4193cb22da1f0c2014c189c0f0711c73a21c4823ae81737c413

SHA512
929a6a57887dd323ed46abc8af8a9b8025692542177f8707f069b2586ebafba0c869af71be6672b6502b9a902387614911136ea09923ae262b38c496dcff7682

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.tlb

Filesize
3KB

MD5
483914b56a1cb353f0a197a745876aa5

SHA1
f1722f19285f64c9972629125596313ae4785fc5

SHA256
53d0ab33abb39dd687a9f14671e5e7ea616595ad4a0a0b816552dfa6d0fdcdd4

SHA512
bfafa826bf3c5efa3b3bb3cc5e5d4b9e7e639ba7a779e71c7592f4a215195a2a77cae962cb6501c3a9bba7f71d352d87d54c58baae252a746800a9db057ccca5

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.x64.dll

Filesize
704KB

MD5
02f633490a7d26daecca911445bfd102

SHA1
b30cc81d90cf6bdc9001ce25bcc4fcf13e2107a1

SHA256
d016ffe9fe06d687ba6003e695c6fbccf70c70456ae9e5085da743178fc2fd0f

SHA512
9a2c22e89befd3ac7bda0ee2ed6e291fb112833a1f5ac964ddae6ffea2dfbb36bb09c1065bb9ded71fff8a14ee4e6ae677f2514d7a684761319037e2a04c7498

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.x64.dll

Filesize
704KB

MD5
02f633490a7d26daecca911445bfd102

SHA1
b30cc81d90cf6bdc9001ce25bcc4fcf13e2107a1

SHA256
d016ffe9fe06d687ba6003e695c6fbccf70c70456ae9e5085da743178fc2fd0f

SHA512
9a2c22e89befd3ac7bda0ee2ed6e291fb112833a1f5ac964ddae6ffea2dfbb36bb09c1065bb9ded71fff8a14ee4e6ae677f2514d7a684761319037e2a04c7498

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\sJnWX5Ye4mw3Fo.x64.dll

Filesize
704KB

MD5
02f633490a7d26daecca911445bfd102

SHA1
b30cc81d90cf6bdc9001ce25bcc4fcf13e2107a1

SHA256
d016ffe9fe06d687ba6003e695c6fbccf70c70456ae9e5085da743178fc2fd0f

SHA512
9a2c22e89befd3ac7bda0ee2ed6e291fb112833a1f5ac964ddae6ffea2dfbb36bb09c1065bb9ded71fff8a14ee4e6ae677f2514d7a684761319037e2a04c7498

Download Submit
memory/1300-138-0x0000000000000000-mapping.dmp

Download
memory/3104-132-0x0000000002E80000-0x0000000002F21000-memory.dmp

Filesize
644KB

Download
memory/4168-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads