88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8

General

Target

88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Size

3.7MB
MD5

597f9e74852ab00b775ecc409ce199aa
SHA1

9499b0d376299c359fa3d2429f1eeb5c7f309b0a
SHA256

88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8
SHA512

e7eb828cde6faa178b39c718526402a2cd66c500745fd4f6934ed7c8333dd20d23902e694c9354e11ac51b0deb5ba6d8ef2ed4245980ac4af3fd5f7521e4e609
SSDEEP

49152:6qg+btyBy2S/6/frsPNNzLkC9cGNd+BvP1qewTV9BXZ6es3090xh0mop5rR:hiO6nrsP3zLkgcGut1afBQeskSxho

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32\ = "C:\\Program Files (x86)\\YOuTUbEAdBlocKe\\1qNmMZURppzMTL.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exeregsvr32.exeregsvr32.exe

pid process

1388 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
860 regsvr32.exe
1392 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1388	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
860	regsvr32.exe
1392	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exeregsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\NoExplorer = "1"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ = "YOuTUbEAdBlocKe"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ = "YOuTUbEAdBlocKe"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe

Drops file in Program Files directory 8 IoCs

Processes:

88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dat	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
File created	C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
File opened for modification	C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
File created	C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dll	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
File opened for modification	C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dll	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
File created	C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.tlb	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
File opened for modification	C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.tlb	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
File created	C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dat	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{04F3E782-6A66-465D-AC9E-FF3454C7CCB1}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{04F3E782-6A66-465D-AC9E-FF3454C7CCB1}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\VersionIndependentProgID	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04F3E782-6A66-465D-AC9E-FF3454C7CCB1}\Implemented Categories	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YOuTUbEAdBlocKe"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32\ = "C:\\Program Files (x86)\\YOuTUbEAdBlocKe\\1qNmMZURppzMTL.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YOuTUbEAdBlocKe\\1qNmMZURppzMTL.tlb"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "YOuTUbEAdBlocKe"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ProgID\ = ".9"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32\ = "C:\\Program Files (x86)\\YOuTUbEAdBlocKe\\1qNmMZURppzMTL.dll"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ProgID	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ = "YOuTUbEAdBlocKe"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04F3E782-6A66-465D-AC9E-FF3454C7CCB1}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ = "YOuTUbEAdBlocKe"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ProgID	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\Programmable	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ProgID\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04F3E782-6A66-465D-AC9E-FF3454C7CCB1}	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YOuTUbEAdBlocKe"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YOuTUbEAdBlocKe"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32\ThreadingModel = "Apartment"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exeregsvr32.exe

description	pid	process	target process
PID 1388 wrote to memory of 860	1388	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe	regsvr32.exe
PID 1388 wrote to memory of 860	1388	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe	regsvr32.exe
PID 1388 wrote to memory of 860	1388	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe	regsvr32.exe
PID 1388 wrote to memory of 860	1388	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe	regsvr32.exe
PID 1388 wrote to memory of 860	1388	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe	regsvr32.exe
PID 1388 wrote to memory of 860	1388	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe	regsvr32.exe
PID 1388 wrote to memory of 860	1388	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe	regsvr32.exe
PID 860 wrote to memory of 1392	860	regsvr32.exe	regsvr32.exe
PID 860 wrote to memory of 1392	860	regsvr32.exe	regsvr32.exe
PID 860 wrote to memory of 1392	860	regsvr32.exe	regsvr32.exe
PID 860 wrote to memory of 1392	860	regsvr32.exe	regsvr32.exe
PID 860 wrote to memory of 1392	860	regsvr32.exe	regsvr32.exe
PID 860 wrote to memory of 1392	860	regsvr32.exe	regsvr32.exe
PID 860 wrote to memory of 1392	860	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1} = "1"	88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe

C:\Users\Admin\AppData\Local\Temp\88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
"C:\Users\Admin\AppData\Local\Temp\88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1388

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1392

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dat
Filesize
4KB

MD5
360c92b7a45061f5d0e4d7119d22aef5

SHA1
7a2db6b1df9f48bb98804541b4bb0137fe38d72c

SHA256
28dce8a2595bff3549cd4f2083d76209b4d9760fd82f9a321af53bb09056f817

SHA512
f6bc9e969f163542017c642ecc82fa575de32f9d391b4ec3520aee82edef03ecc03a9a56b22b9246f1750600befcdd68e7272a39a62088ee47a251d92ad1eb59

Download Submit
C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.tlb
Filesize
3KB

MD5
a6a73f1a452ca95398b6dc3fd5e17164

SHA1
c9ac5a4c9f748a7d9511e354b0a7e70756150e16

SHA256
9ee94cc3fe8448ee7f2758a8a4834e220744544954cc4eac820a2392eb8a0692

SHA512
3ad4f49cb336cd559d57003be0b651996069dc1b585501f534f50ba33e2eaa456f0d876e20b77c91d03c17aa5151510535b6aa75e3591dc9188f3910d3de40a5

Download Submit
C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dll
Filesize
622KB

MD5
18302eec6f8f71f505986c43101e2742

SHA1
c370c11f8722a7e31175862f532fa49dbf5ec7dc

SHA256
9a6a2bcf52012cbb3497838a8db024da0d6a07a30c0f71bd22748b24bbf631d5

SHA512
bb1a3b446ee2b4145c186b53e99ae4297e2e33159f6ae8d64b2d57d326a8f546f82d49f8a772b7dc2016722c7c0f0c00feccab4ca9005865772d9591da0b2227

Download Submit
\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
memory/860-69-0x0000000000000000-mapping.dmp

Download
memory/1388-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1388-55-0x0000000000370000-0x0000000000413000-memory.dmp

Filesize
652KB

Download
memory/1392-73-0x0000000000000000-mapping.dmp

Download
memory/1392-74-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads