89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9

General

Target

89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Size

3.7MB
MD5

0963b76e011320fe147ce91610d65702
SHA1

47b34e4a5a19505c589eaf93cfb351efbca2950a
SHA256

89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9
SHA512

db89dd731753cc23f8e3e14bf9282a65098ed5b7a97b8e511911136c37db3a295379706fba323deaa2315b0a5f8c86af54b63a9fbf81a659bc4be20b365421e8
SSDEEP

49152:uMm9etuSQVwJW28R3VssA453yUlKV/HUtauPfRx+zq2uHxg+cTrFC8aiY:C4BC3Vzr5iUAVHUt9xP2uo/

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAAdBlOcke\\RDpt7vtARqamMj.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exeregsvr32.exeregsvr32.exe

pid process

1808 89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
1684 regsvr32.exe
1708 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1808	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
1684	regsvr32.exe
1708	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\ = "YoutubeAAdBlOcke"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\NoExplorer = "1"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c6f4d4eb-15eb-42ef-b236-5866c3457288}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6f4d4eb-15eb-42ef-b236-5866c3457288}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\ = "YoutubeAAdBlOcke"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6f4d4eb-15eb-42ef-b236-5866c3457288}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c6f4d4eb-15eb-42ef-b236-5866c3457288}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe

Drops file in Program Files directory 8 IoCs

Processes:

89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.dll	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
File created	C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.tlb	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
File opened for modification	C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.tlb	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
File created	C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.dat	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
File opened for modification	C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.dat	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
File created	C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.x64.dll	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
File opened for modification	C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.x64.dll	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
File created	C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.dll	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C6F4D4EB-15EB-42EF-B236-5866C3457288}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c6f4d4eb-15eb-42ef-b236-5866c3457288}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c6f4d4eb-15eb-42ef-b236-5866c3457288}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C6F4D4EB-15EB-42EF-B236-5866C3457288}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAAdBlOcke\\RDpt7vtARqamMj.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\ProgID\ = ".9"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C6F4D4EB-15EB-42EF-B236-5866C3457288}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\Programmable	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\VersionIndependentProgID	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\ProgID	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\VersionIndependentProgID\	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\VersionIndependentProgID	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{c6f4d4eb-15eb-42ef-b236-5866c3457288}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\ProgID	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\InprocServer32	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\Programmable	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6F4D4EB-15EB-42EF-B236-5866C3457288}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\VersionIndependentProgID\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{c6f4d4eb-15eb-42ef-b236-5866c3457288}"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAAdBlOcke\\RDpt7vtARqamMj.dll"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C6F4D4EB-15EB-42EF-B236-5866C3457288}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exeregsvr32.exe

description	pid	process	target process
PID 1808 wrote to memory of 1684	1808	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe	regsvr32.exe
PID 1808 wrote to memory of 1684	1808	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe	regsvr32.exe
PID 1808 wrote to memory of 1684	1808	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe	regsvr32.exe
PID 1808 wrote to memory of 1684	1808	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe	regsvr32.exe
PID 1808 wrote to memory of 1684	1808	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe	regsvr32.exe
PID 1808 wrote to memory of 1684	1808	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe	regsvr32.exe
PID 1808 wrote to memory of 1684	1808	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe	regsvr32.exe
PID 1684 wrote to memory of 1708	1684	regsvr32.exe	regsvr32.exe
PID 1684 wrote to memory of 1708	1684	regsvr32.exe	regsvr32.exe
PID 1684 wrote to memory of 1708	1684	regsvr32.exe	regsvr32.exe
PID 1684 wrote to memory of 1708	1684	regsvr32.exe	regsvr32.exe
PID 1684 wrote to memory of 1708	1684	regsvr32.exe	regsvr32.exe
PID 1684 wrote to memory of 1708	1684	regsvr32.exe	regsvr32.exe
PID 1684 wrote to memory of 1708	1684	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{c6f4d4eb-15eb-42ef-b236-5866c3457288} = "1"	89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe

C:\Users\Admin\AppData\Local\Temp\89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe
"C:\Users\Admin\AppData\Local\Temp\89a78817264c766ad32c2ad244aef3187f94dd8857041c38dd550fc794f2bdc9.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1808

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1708

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.dat
Filesize
4KB

MD5
e24137f702efeeb883ce15a8ee14eef4

SHA1
b6142d0acfe20944e4987bb2778fcd3d43f6c949

SHA256
54eebd7f43984f49fc030068ab984ac509ceeec4e79fd4a2f5696223aeba5511

SHA512
3df1ea960c2fb9ef54e48b2da67f056765bc942be4f84261d54482c405a13e897a93b7c6548967efb56a8425c4bdd579c5e76cb893d2a8ff8493eb8e5f55b584

Download Submit
C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.tlb
Filesize
3KB

MD5
f63e45b75ed3562f6c50814744974217

SHA1
b28e268b0d187638768b26677a4e8d169f1a2534

SHA256
1270f4ef72d9acd732bcd1fcb557b4b7cc8d7096aa41bd15dc3842a6c7c88299

SHA512
550870876ab15911cc27bcbd4418296057f3a406e709ab7cd920a2cd0c0cc0a3876d85665a3d3be937a6f0ffb052b90cafcdabcac96ec90f0e0c4c90846dc687

Download Submit
C:\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.x64.dll
Filesize
695KB

MD5
e36b4bca5cf4357a407a67e8f06a0a6a

SHA1
20241811c3f501e3dae9f42aeb1fc42e7225944e

SHA256
c496fc61570914401adfe0250668ef0b884f2e06eaca10edf8993773f58b5bcd

SHA512
d9b005a2b02fc45283b5f1ffe9ce373ef3249562402a6893e6888f10beb3dc62f16f25db9640de636af438fa290b1e7065dc127e86b46e6efd5484717e9e74b1

Download Submit
\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.dll
Filesize
616KB

MD5
70cef77fc8c44081de97f5194ac56278

SHA1
fcf04dc14f17b655d5201cc7da5af9a17281dea5

SHA256
10cabc84f17c476cf41a1281421b28be0c6784e25445988fdb536acf999c3ec2

SHA512
0883aa731f245d484d4ece4e9dcb3067e4451c5e967a5d34c860137bc572142f2666d83c5f9806918d7fe371bd8a7c58ac39b23110c7cb7331c3e97dc3c8cda3

Download Submit
\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.x64.dll
Filesize
695KB

MD5
e36b4bca5cf4357a407a67e8f06a0a6a

SHA1
20241811c3f501e3dae9f42aeb1fc42e7225944e

SHA256
c496fc61570914401adfe0250668ef0b884f2e06eaca10edf8993773f58b5bcd

SHA512
d9b005a2b02fc45283b5f1ffe9ce373ef3249562402a6893e6888f10beb3dc62f16f25db9640de636af438fa290b1e7065dc127e86b46e6efd5484717e9e74b1

Download Submit
\Program Files (x86)\YoutubeAAdBlOcke\RDpt7vtARqamMj.x64.dll
Filesize
695KB

MD5
e36b4bca5cf4357a407a67e8f06a0a6a

SHA1
20241811c3f501e3dae9f42aeb1fc42e7225944e

SHA256
c496fc61570914401adfe0250668ef0b884f2e06eaca10edf8993773f58b5bcd

SHA512
d9b005a2b02fc45283b5f1ffe9ce373ef3249562402a6893e6888f10beb3dc62f16f25db9640de636af438fa290b1e7065dc127e86b46e6efd5484717e9e74b1

Download Submit
memory/1684-61-0x0000000000000000-mapping.dmp

Download
memory/1708-65-0x0000000000000000-mapping.dmp

Download
memory/1708-66-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download
memory/1808-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1808-55-0x0000000000840000-0x00000000008E6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads