Analysis
- max time kernel: 39s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:32
Static task: static1
Behavioral task: behavioral1
- Sample: 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe
- Resource: win10v2004-20220812-en
General
- Target: 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe
- Size: 3.8MB
- MD5: 2770087e0a50572bc792305441321954
- SHA1: 2cae181ef0748acd03cfac3d370e7ce572566ab9
- SHA256: 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b
- SHA512: 60d3b466625861909cb674b74679a5691b96c15ef5b958e150409a019c0f622df710043c8de0ba3d488fd30eb912c83051841c0d3b2c9de6f6af1dd38b031011
- SSDEEP: 49152:gSmiYYyMSQVpvVl8R3Sso29dgiRBJLxvxZ/H74eNO/Jo+M/+/shIi9YSvMJRH:uilLC3Sy9dgipLxzH8eNO/jM/+/sXC
Malware Config
Signatures

Registers COM server for autorun (1 TTP, 4 IoCs)
Processes (description: ioc (process)):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6}\InprocServer32 (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6}\InprocServer32\ = "C:\\Program Files (x86)\\YoUtubeADBolocKe\\7T2u237bpQ6Reu.x64.dll" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6}\InprocServer32\ThreadingModel = "Apartment" (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6}\InprocServer32 (regsvr32.exe)
Loads dropped DLL (3 IoCs)
Processes (pid: process):
- 1724: 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe
- 1520: regsvr32.exe
- 1152: regsvr32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes (description: ioc (process)):
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6} (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6} (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6}\ = "YoUtubeADBolocKe" (regsvr32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6}\NoExplorer = "1" (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6} (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6} (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6}\ = "YoUtubeADBolocKe" (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6}\NoExplorer = "1" (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
Drops file in Program Files directory (8 IoCs)
Processes (description: ioc (process)):
- File opened for modification: C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.x64.dll (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- File created: C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.dll (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- File opened for modification: C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.dll (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- File created: C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.tlb (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- File opened for modification: C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.tlb (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- File created: C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.dat (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- File opened for modification: C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.dat (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- File created: C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.x64.dll (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
Modifies Internet Explorer settings (8 IoCs)
Processes (description: ioc (process)):
- Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6} (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5A77E5FC-0E31-4634-AAFF-84AE8F2F2FF6} (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5A77E5FC-0E31-4634-AAFF-84AE8F2F2FF6} (regsvr32.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6} (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description: pid process -> target process):
- PID 1724 wrote to memory of 1520: 1724 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe -> regsvr32.exe
- PID 1724 wrote to memory of 1520: 1724 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe -> regsvr32.exe
- PID 1724 wrote to memory of 1520: 1724 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe -> regsvr32.exe
- PID 1724 wrote to memory of 1520: 1724 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe -> regsvr32.exe
- PID 1724 wrote to memory of 1520: 1724 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe -> regsvr32.exe
- PID 1724 wrote to memory of 1520: 1724 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe -> regsvr32.exe
- PID 1724 wrote to memory of 1520: 1724 85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe -> regsvr32.exe
- PID 1520 wrote to memory of 1152: 1520 regsvr32.exe -> regsvr32.exe
- PID 1520 wrote to memory of 1152: 1520 regsvr32.exe -> regsvr32.exe
- PID 1520 wrote to memory of 1152: 1520 regsvr32.exe -> regsvr32.exe
- PID 1520 wrote to memory of 1152: 1520 regsvr32.exe -> regsvr32.exe
- PID 1520 wrote to memory of 1152: 1520 regsvr32.exe -> regsvr32.exe
- PID 1520 wrote to memory of 1152: 1520 regsvr32.exe -> regsvr32.exe
- PID 1520 wrote to memory of 1152: 1520 regsvr32.exe -> regsvr32.exe
System policy modification (1 TTP, 2 IoCs)
Processes (description: ioc (process)):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5a77e5fc-0e31-4634-aaff-84ae8f2f2ff6} = "1" (85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85e349d32399386d238fc541af56cf8814ce8498cb5f4b463297270d903ed17b.exe"
  PID: 1724
  Signatures:
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\regsvr32.exe (child of PID 1724)
    Command line: regsvr32.exe /s "C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.x64.dll"
    PID: 1520
    Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe (child of PID 1520)
      Command line: /s "C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.x64.dll"
      PID: 1152
      Signatures:
      - Registers COM server for autorun
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies Internet Explorer settings
      - Modifies registry class
Downloads
- C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.dat
  Filesize: 4KB
  MD5: 447b29387d689e12589edef86c29cf0c
  SHA1: 41a0fb0d065f04793efa9426ae7ee5a9e7038371
  SHA256: 1dd0fe09485ee5f546be50bb7ccfe51b1d0ef80f3baf55943f237fd835a2c0e1
  SHA512: 06b97952afcee93163d753ce64e99f5c69f8fe8e669a9f56a4bca8a0b1609ba5ed46ea45c000d4a31e8d7411dd625bdfc35f7571f2a4d6d23662c14d5acbbcd5
- C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.tlb
  Filesize: 3KB
  MD5: f63e45b75ed3562f6c50814744974217
  SHA1: b28e268b0d187638768b26677a4e8d169f1a2534
  SHA256: 1270f4ef72d9acd732bcd1fcb557b4b7cc8d7096aa41bd15dc3842a6c7c88299
  SHA512: 550870876ab15911cc27bcbd4418296057f3a406e709ab7cd920a2cd0c0cc0a3876d85665a3d3be937a6f0ffb052b90cafcdabcac96ec90f0e0c4c90846dc687
- C:\Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.x64.dll
  Filesize: 695KB
  MD5: e36b4bca5cf4357a407a67e8f06a0a6a
  SHA1: 20241811c3f501e3dae9f42aeb1fc42e7225944e
  SHA256: c496fc61570914401adfe0250668ef0b884f2e06eaca10edf8993773f58b5bcd
  SHA512: d9b005a2b02fc45283b5f1ffe9ce373ef3249562402a6893e6888f10beb3dc62f16f25db9640de636af438fa290b1e7065dc127e86b46e6efd5484717e9e74b1
- \Program Files (x86)\YoUtubeADBolocKe\7T2u237bpQ6Reu.dll
  Filesize: 616KB
  MD5: 70cef77fc8c44081de97f5194ac56278
  SHA1: fcf04dc14f17b655d5201cc7da5af9a17281dea5
  SHA256: 10cabc84f17c476cf41a1281421b28be0c6784e25445988fdb536acf999c3ec2
  SHA512: 0883aa731f245d484d4ece4e9dcb3067e4451c5e967a5d34c860137bc572142f2666d83c5f9806918d7fe371bd8a7c58ac39b23110c7cb7331c3e97dc3c8cda3
- memory/1152-65-0x0000000000000000-mapping.dmp
- memory/1152-66-0x000007FEFC201000-0x000007FEFC203000-memory.dmp
  Filesize: 8KB
- memory/1520-61-0x0000000000000000-mapping.dmp
- memory/1724-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
  Filesize: 8KB
- memory/1724-55-0x0000000002800000-0x00000000028A6000-memory.dmp
  Filesize: 664KB