Analysis
- max time kernel: 112s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 07:31
Static task: static1
Behavioral task: behavioral1
- Sample: 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
- Resource: win10v2004-20220901-en
General
- Target: 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
- Size: 3.7MB
- MD5: 597f9e74852ab00b775ecc409ce199aa
- SHA1: 9499b0d376299c359fa3d2429f1eeb5c7f309b0a
- SHA256: 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8
- SHA512: e7eb828cde6faa178b39c718526402a2cd66c500745fd4f6934ed7c8333dd20d23902e694c9354e11ac51b0deb5ba6d8ef2ed4245980ac4af3fd5f7521e4e609
- SSDEEP: 49152:6qg+btyBy2S/6/frsPNNzLkC9cGNd+BvP1qewTV9BXZ6es3090xh0mop5rR:hiO6nrsP3zLkgcGut1afBQeskSxho
Malware Config
Signatures
Registers COM server for autorun (1 TTPs, 4 IoCs)
Processes: regsvr32.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32 (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32\ = "C:\\Program Files (x86)\\YOuTUbEAdBlocKe\\1qNmMZURppzMTL.x64.dll" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32\ThreadingModel = "Apartment" (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\InprocServer32 (regsvr32.exe)
Loads dropped DLL (3 IoCs)
Processes: 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe, regsvr32.exe, regsvr32.exe
- PID 2928: 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
- PID 2356: regsvr32.exe
- PID 3256: regsvr32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: regsvr32.exe, 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1} (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ = "YOuTUbEAdBlocKe" (regsvr32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\NoExplorer = "1" (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1} (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1} (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\ = "YOuTUbEAdBlocKe" (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1}\NoExplorer = "1" (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1} (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
Drops file in Program Files directory (8 IoCs)
Processes: 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
- File opened for modification: C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dat (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- File created: C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- File opened for modification: C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- File created: C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dll (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- File opened for modification: C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dll (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- File created: C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.tlb (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- File opened for modification: C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.tlb (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- File created: C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dat (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
Program crash (1 IoCs)
Processes: WerFault.exe
- PID 1168 (WerFault.exe), target PID 2928 (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
Modifies Internet Explorer settings (8 IoCs)
Processes: regsvr32.exe, 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
- Key deleted: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{04F3E782-6A66-465D-AC9E-FF3454C7CCB1} (regsvr32.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1} (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1} (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{04F3E782-6A66-465D-AC9E-FF3454C7CCB1} (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
Modifies registry class (64 IoCs)
Processes: 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe, regsvr32.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe, regsvr32.exe
- PID 2928 (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe) wrote to memory of PID 2356 (regsvr32.exe)
- PID 2928 (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe) wrote to memory of PID 2356 (regsvr32.exe)
- PID 2928 (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe) wrote to memory of PID 2356 (regsvr32.exe)
- PID 2356 (regsvr32.exe) wrote to memory of PID 3256 (regsvr32.exe)
- PID 2356 (regsvr32.exe) wrote to memory of PID 3256 (regsvr32.exe)
System policy modification (1 TTPs, 1 IoCs)
Processes: 88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{04f3e782-6a66-465d-ac9e-ff3454c7ccb1} = "1" (88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe (PID 2928, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\88823f6114e66075cc7083187afcf849ea77ba39e2c79e567f1430e4490c39d8.exe"
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\regsvr32.exe (PID 2356, depth 2)
    Command line: regsvr32.exe /s "C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe (PID 3256, depth 3)
      Command line: /s "C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll"
      - Registers COM server for autorun
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies Internet Explorer settings
      - Modifies registry class
  - C:\Windows\SysWOW64\WerFault.exe (PID 1168, depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 492
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3132, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2928 -ip 2928
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dat
  Filesize: 4KB
  MD5: 360c92b7a45061f5d0e4d7119d22aef5
  SHA1: 7a2db6b1df9f48bb98804541b4bb0137fe38d72c
  SHA256: 28dce8a2595bff3549cd4f2083d76209b4d9760fd82f9a321af53bb09056f817
  SHA512: f6bc9e969f163542017c642ecc82fa575de32f9d391b4ec3520aee82edef03ecc03a9a56b22b9246f1750600befcdd68e7272a39a62088ee47a251d92ad1eb59
- C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.dll
  Filesize: 622KB
  MD5: 18302eec6f8f71f505986c43101e2742
  SHA1: c370c11f8722a7e31175862f532fa49dbf5ec7dc
  SHA256: 9a6a2bcf52012cbb3497838a8db024da0d6a07a30c0f71bd22748b24bbf631d5
  SHA512: bb1a3b446ee2b4145c186b53e99ae4297e2e33159f6ae8d64b2d57d326a8f546f82d49f8a772b7dc2016722c7c0f0c00feccab4ca9005865772d9591da0b2227
- C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.tlb
  Filesize: 3KB
  MD5: a6a73f1a452ca95398b6dc3fd5e17164
  SHA1: c9ac5a4c9f748a7d9511e354b0a7e70756150e16
  SHA256: 9ee94cc3fe8448ee7f2758a8a4834e220744544954cc4eac820a2392eb8a0692
  SHA512: 3ad4f49cb336cd559d57003be0b651996069dc1b585501f534f50ba33e2eaa456f0d876e20b77c91d03c17aa5151510535b6aa75e3591dc9188f3910d3de40a5
- C:\Program Files (x86)\YOuTUbEAdBlocKe\1qNmMZURppzMTL.x64.dll
  Filesize: 701KB
  MD5: e871358a5ec05daf462f0207ac39f057
  SHA1: 329a89f3f034faef6de160b50661854a851671fa
  SHA256: dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d
  SHA512: 9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e
- memory/2356-138-0x0000000000000000-mapping.dmp
- memory/2928-132-0x0000000000400000-0x00000000004A3000-memory.dmp
  Filesize: 652KB
- memory/3256-141-0x0000000000000000-mapping.dmp