7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7

General

Target

7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Size

3.7MB
MD5

c6d4b7c87c5054287f8b013b52efcc70
SHA1

a890f74f0d1b841bc8c7e3b852a969e59953e29a
SHA256

7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7
SHA512

9ac16d9f828be1c263c8782d6ecbf91bb80f6ee5b3f9f32912ba171c31f3db62096201971eb85328c1afd9f5f51dc5cc5ba23927792158cabf31770efdc13842
SSDEEP

98304:Biwqc1QOmgr95lruchODV02e752KRLafiiz3fXPsxJ0ZC/LHzE:Iwqc1QOmgr95lruchODV02e92KRLaNsK

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\InprocServer32\ = "C:\\Program Files (x86)\\YOuutubeAdBlocke\\CN38aOIlqeZfpn.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exeregsvr32.exeregsvr32.exe

pid process

552 7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
1312 regsvr32.exe
4084 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
552	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
1312	regsvr32.exe
4084	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83141d55-2d60-48e2-8715-d620e46d5a99}\ = "YOuutubeAdBlocke"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83141d55-2d60-48e2-8715-d620e46d5a99}\NoExplorer = "1"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83141d55-2d60-48e2-8715-d620e46d5a99}	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83141d55-2d60-48e2-8715-d620e46d5a99}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83141d55-2d60-48e2-8715-d620e46d5a99}\ = "YOuutubeAdBlocke"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83141d55-2d60-48e2-8715-d620e46d5a99}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83141d55-2d60-48e2-8715-d620e46d5a99}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83141d55-2d60-48e2-8715-d620e46d5a99}	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe

Drops file in Program Files directory 8 IoCs

Processes:

7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.dll	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
File created	C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.tlb	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
File opened for modification	C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.tlb	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
File created	C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.dat	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
File opened for modification	C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.dat	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
File created	C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.x64.dll	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
File opened for modification	C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.x64.dll	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
File created	C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.dll	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{83141d55-2d60-48e2-8715-d620e46d5a99}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{83141d55-2d60-48e2-8715-d620e46d5a99}	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{83141D55-2D60-48E2-8715-D620E46D5A99}	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{83141D55-2D60-48E2-8715-D620E46D5A99}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141D55-2D60-48E2-8715-D620E46D5A99}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141D55-2D60-48E2-8715-D620E46D5A99}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\ = "YOuutubeAdBlocke"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\ProgID	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\VersionIndependentProgID	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141D55-2D60-48E2-8715-D620E46D5A99}\Implemented Categories	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YOuutubeAdBlocke"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{83141d55-2d60-48e2-8715-d620e46d5a99}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\InprocServer32	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{83141d55-2d60-48e2-8715-d620e46d5a99}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\InprocServer32\ = "C:\\Program Files (x86)\\YOuutubeAdBlocke\\CN38aOIlqeZfpn.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\Programmable	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\InprocServer32\ThreadingModel = "Apartment"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\VersionIndependentProgID	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\VersionIndependentProgID\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "YOuutubeAdBlocke"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YOuutubeAdBlocke"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\ = "YOuutubeAdBlocke"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99}\ProgID\ = ".9"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exeregsvr32.exe

description	pid	process	target process
PID 552 wrote to memory of 1312	552	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe	regsvr32.exe
PID 552 wrote to memory of 1312	552	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe	regsvr32.exe
PID 552 wrote to memory of 1312	552	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe	regsvr32.exe
PID 1312 wrote to memory of 4084	1312	regsvr32.exe	regsvr32.exe
PID 1312 wrote to memory of 4084	1312	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{83141d55-2d60-48e2-8715-d620e46d5a99} = "1"	7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe

C:\Users\Admin\AppData\Local\Temp\7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe
"C:\Users\Admin\AppData\Local\Temp\7161d0b4a22cc2fb982eaefef37b60d0a8d3754df47bf6b834ade1a8de66a1c7.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:552

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.dat
Filesize
4KB

MD5
16db54dc8e60805f7fcea302e7a71cd4

SHA1
7e515e1009b1c5d72b6dd9cdda7c1d417f05e148

SHA256
f4b8e88a4be975556118a32919c11c29ef883f743720f336a196b184825c18bb

SHA512
04331d6623937d4328b1437cad8c76014b9e9cab7b3bc69734c6f708658b37ecea1fa2d9b2e039cf03459ebe81315db34711d46e51d0e82d6dee6a3c43778c7c

Download Submit
C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.dll
Filesize
617KB

MD5
7790fe08687a9e4ec6b8bb58dc2f2133

SHA1
650c6d2a4d4bf55450e5ad5742ad83a17fb78033

SHA256
000a94cae2e65f4ee977cae0e0e6a8383457195cdd642cd944278b4df5f7f95f

SHA512
fb5708039fdb6562898da7edf83fe73f8cb3ee49e82fb111f23017005bcb7e20d44fe1e7861f2b91d575b0ed91eae424d2f6960c8e438052adf15bc4a0ec0fd1

Download Submit
C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.tlb
Filesize
3KB

MD5
10e9654d9a32090bdf382b83302b8f66

SHA1
5836eec3f54ebf2c96af319eef2ed5001426cf89

SHA256
93cc552a787357a6089c8509202a4015f14a3df28d67437a3a88a29938c2dbbc

SHA512
76985a5a562b84955f44ffb315f6f42663a5ddf4fb079bba1009df7cd446d0c954e7bb496dc5895ec3a1d8cd4b0a1db2b487dbb4771419e9ce27eace6aff7fb4

Download Submit
C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.x64.dll
Filesize
693KB

MD5
c3c9a768de308c15dae5bac83c29ea7a

SHA1
1e08a3f4bf11f93a3af6f9f3810ca027a1c5203a

SHA256
111913c81411882e1e07ac0998bfff90ab9fe53b7bca5b33151a67d0d9fe7c5a

SHA512
e1f13cb27f6bf4c2f6eb1b4ca6b1f52d17f587fdbe3e0f6a2c323ac74cb1a11e9ad8c181a0c12cd3d910bacfba763f023304e45681c51598e3d498c36ab7a047

Download Submit
C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.x64.dll
Filesize
693KB

MD5
c3c9a768de308c15dae5bac83c29ea7a

SHA1
1e08a3f4bf11f93a3af6f9f3810ca027a1c5203a

SHA256
111913c81411882e1e07ac0998bfff90ab9fe53b7bca5b33151a67d0d9fe7c5a

SHA512
e1f13cb27f6bf4c2f6eb1b4ca6b1f52d17f587fdbe3e0f6a2c323ac74cb1a11e9ad8c181a0c12cd3d910bacfba763f023304e45681c51598e3d498c36ab7a047

Download Submit
C:\Program Files (x86)\YOuutubeAdBlocke\CN38aOIlqeZfpn.x64.dll
Filesize
693KB

MD5
c3c9a768de308c15dae5bac83c29ea7a

SHA1
1e08a3f4bf11f93a3af6f9f3810ca027a1c5203a

SHA256
111913c81411882e1e07ac0998bfff90ab9fe53b7bca5b33151a67d0d9fe7c5a

SHA512
e1f13cb27f6bf4c2f6eb1b4ca6b1f52d17f587fdbe3e0f6a2c323ac74cb1a11e9ad8c181a0c12cd3d910bacfba763f023304e45681c51598e3d498c36ab7a047

Download Submit
memory/552-132-0x0000000002F90000-0x0000000003033000-memory.dmp

Filesize
652KB

Download
memory/1312-138-0x0000000000000000-mapping.dmp

Download
memory/4084-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads