579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77

General

Target

579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Size

3.7MB
MD5

941920003df198582921a40f8d2aca65
SHA1

37f5887ef0d94efc3d842fdfe5fc5083334f40e1
SHA256

579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77
SHA512

b0eb721fe75cb07604872adc002217b9cfb44fe67f16492fb9c7ea9f9189800b5c89aa61e6f9aee8a933b056fd1b68f24ff1f4f0614b825aa2174083b7e63c4b
SSDEEP

98304:2iwKcVwuGALd20Lu8hvj40We85TKRrj/iqs9GRTUiF53O:rwKcVwuGALd20Lu8hvj40WekTKRrjH4/

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeeAddBlOcake\\6LCl2PWQabeRxR.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exeregsvr32.exeregsvr32.exe

pid process

2112 579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
4188 regsvr32.exe
2216 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2112	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
4188	regsvr32.exe
2216	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48acf0d2-188b-4023-b317-e6b8b9220125}	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48acf0d2-188b-4023-b317-e6b8b9220125}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48acf0d2-188b-4023-b317-e6b8b9220125}\ = "YoutubeeAddBlOcake"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48acf0d2-188b-4023-b317-e6b8b9220125}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48acf0d2-188b-4023-b317-e6b8b9220125}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48acf0d2-188b-4023-b317-e6b8b9220125}	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48acf0d2-188b-4023-b317-e6b8b9220125}\ = "YoutubeeAddBlOcake"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48acf0d2-188b-4023-b317-e6b8b9220125}\NoExplorer = "1"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe

Drops file in Program Files directory 8 IoCs

Processes:

579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe

description	ioc	process
File created	C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.dll	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
File opened for modification	C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.dll	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
File created	C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.tlb	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
File opened for modification	C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.tlb	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
File created	C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.dat	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
File opened for modification	C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.dat	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
File created	C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.x64.dll	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
File opened for modification	C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.x64.dll	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{48acf0d2-188b-4023-b317-e6b8b9220125}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{48acf0d2-188b-4023-b317-e6b8b9220125}	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{48ACF0D2-188B-4023-B317-E6B8B9220125}	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{48ACF0D2-188B-4023-B317-E6B8B9220125}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48ACF0D2-188B-4023-B317-E6B8B9220125}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "YoutubeeAddBlOcake"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\ProgID\ = ".9"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48ACF0D2-188B-4023-B317-E6B8B9220125}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\ = "YoutubeeAddBlOcake"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\InprocServer32	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\ProgID\ = ".9"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48ACF0D2-188B-4023-B317-E6B8B9220125}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{48acf0d2-188b-4023-b317-e6b8b9220125}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\VersionIndependentProgID	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\Programmable	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{48acf0d2-188b-4023-b317-e6b8b9220125}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeeAddBlOcake\\6LCl2PWQabeRxR.dll"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\ProgID	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{48acf0d2-188b-4023-b317-e6b8b9220125}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exeregsvr32.exe

description	pid	process	target process
PID 2112 wrote to memory of 4188	2112	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe	regsvr32.exe
PID 2112 wrote to memory of 4188	2112	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe	regsvr32.exe
PID 2112 wrote to memory of 4188	2112	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe	regsvr32.exe
PID 4188 wrote to memory of 2216	4188	regsvr32.exe	regsvr32.exe
PID 4188 wrote to memory of 2216	4188	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{48acf0d2-188b-4023-b317-e6b8b9220125} = "1"	579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe

C:\Users\Admin\AppData\Local\Temp\579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe
"C:\Users\Admin\AppData\Local\Temp\579e60906026f955fbf134ebcae26b2a0b350d1973789c70e535107dfdb89d77.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2112

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.dat
Filesize
4KB

MD5
debfb3ea792a7b3eb26877943a6a48bf

SHA1
1f3c013e5424b8e9217b8e4d97aafe6cce1fe19d

SHA256
c3d778e02bab349506efccf5ad266013d9675da1d842b7b40e641c10d3e31fd3

SHA512
bdae1d443bccef2c4f96e7e10c38e6d571fa3a5cd6dac2b2f921cd27359957bcbbaaacd1d75f3380c06c4cc809477292f7d0960d9c5f56104ca1f4d5f0089f3c

Download Submit
C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.dll
Filesize
617KB

MD5
7790fe08687a9e4ec6b8bb58dc2f2133

SHA1
650c6d2a4d4bf55450e5ad5742ad83a17fb78033

SHA256
000a94cae2e65f4ee977cae0e0e6a8383457195cdd642cd944278b4df5f7f95f

SHA512
fb5708039fdb6562898da7edf83fe73f8cb3ee49e82fb111f23017005bcb7e20d44fe1e7861f2b91d575b0ed91eae424d2f6960c8e438052adf15bc4a0ec0fd1

Download Submit
C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.tlb
Filesize
3KB

MD5
10e9654d9a32090bdf382b83302b8f66

SHA1
5836eec3f54ebf2c96af319eef2ed5001426cf89

SHA256
93cc552a787357a6089c8509202a4015f14a3df28d67437a3a88a29938c2dbbc

SHA512
76985a5a562b84955f44ffb315f6f42663a5ddf4fb079bba1009df7cd446d0c954e7bb496dc5895ec3a1d8cd4b0a1db2b487dbb4771419e9ce27eace6aff7fb4

Download Submit
C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.x64.dll
Filesize
693KB

MD5
c3c9a768de308c15dae5bac83c29ea7a

SHA1
1e08a3f4bf11f93a3af6f9f3810ca027a1c5203a

SHA256
111913c81411882e1e07ac0998bfff90ab9fe53b7bca5b33151a67d0d9fe7c5a

SHA512
e1f13cb27f6bf4c2f6eb1b4ca6b1f52d17f587fdbe3e0f6a2c323ac74cb1a11e9ad8c181a0c12cd3d910bacfba763f023304e45681c51598e3d498c36ab7a047

Download Submit
C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.x64.dll
Filesize
693KB

MD5
c3c9a768de308c15dae5bac83c29ea7a

SHA1
1e08a3f4bf11f93a3af6f9f3810ca027a1c5203a

SHA256
111913c81411882e1e07ac0998bfff90ab9fe53b7bca5b33151a67d0d9fe7c5a

SHA512
e1f13cb27f6bf4c2f6eb1b4ca6b1f52d17f587fdbe3e0f6a2c323ac74cb1a11e9ad8c181a0c12cd3d910bacfba763f023304e45681c51598e3d498c36ab7a047

Download Submit
C:\Program Files (x86)\YoutubeeAddBlOcake\6LCl2PWQabeRxR.x64.dll
Filesize
693KB

MD5
c3c9a768de308c15dae5bac83c29ea7a

SHA1
1e08a3f4bf11f93a3af6f9f3810ca027a1c5203a

SHA256
111913c81411882e1e07ac0998bfff90ab9fe53b7bca5b33151a67d0d9fe7c5a

SHA512
e1f13cb27f6bf4c2f6eb1b4ca6b1f52d17f587fdbe3e0f6a2c323ac74cb1a11e9ad8c181a0c12cd3d910bacfba763f023304e45681c51598e3d498c36ab7a047

Download Submit
memory/2112-132-0x0000000003480000-0x0000000003523000-memory.dmp

Filesize
652KB

Download
memory/2216-141-0x0000000000000000-mapping.dmp

Download
memory/4188-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads