ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925

General

Target

ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
Size

689KB
MD5

ba87ab0cc90d6895f3952987c2eb8a85
SHA1

027751bb9e9a42960c86dd09cd1333a95ea5d538
SHA256

ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925
SHA512

9750565d67241388fbba63f6412ec7276e7233711fed03713fe1d67b0693b04aee0cd6211ff8b597ca710b3f7b48e292dafb2888b95694b7e955aa985a2491c8
SSDEEP

12288:oC3XHygb5fVdsbkG4G4Y7jeKuVnvon+N83LwwiAn6KkM33nxD3jeKuVGv/9+N8Oe:o63yW5fVdHG4G37tUnvone83Z76bMHxN

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha4601\\ie\\TrustMediaViewerV1alpha4601x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 5 IoCs

Processes:

ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
912	regsvr32.exe
536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
1736	regsvr32.exe
1356	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{183276ed-2d9c-493c-aa3f-764861396e48}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{183276ed-2d9c-493c-aa3f-764861396e48}\ = "TrustMediaViewerV1alpha4601"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{183276ed-2d9c-493c-aa3f-764861396e48}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{183276ed-2d9c-493c-aa3f-764861396e48}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{183276ed-2d9c-493c-aa3f-764861396e48}\ = "TrustMediaViewerV1alpha4601"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{183276ed-2d9c-493c-aa3f-764861396e48}\NoExplorer = "1"	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe

Drops file in Program Files directory 23 IoCs

Processes:

ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\icons\default	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ch\TrustMediaViewerV1alpha4601.crx	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ch\TrustMediaViewerV1alpha4601.crx	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\ffTrustMediaViewerV1alpha4601.js	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\ffTrustMediaViewerV1alpha4601.js	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\ffTrustMediaViewerV1alpha4601ffaction.js	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\icons\Thumbs.db	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\icons\Thumbs.db	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\uninstall.exe	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ie\TrustMediaViewerV1alpha4601.dll	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome.manifest	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\install.rdf	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\install.rdf	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\ffTrustMediaViewerV1alpha4601ffaction.js	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\overlay.xul	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\icons	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ie\TrustMediaViewerV1alpha4601x64.dll	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome.manifest	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\icons\default\TrustMediaViewerV1alpha4601_32.png	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File opened for modification	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\overlay.xul	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
File created	C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ff\chrome\content\icons\default\TrustMediaViewerV1alpha4601_32.png	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Approved Extensions	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{183276ed-2d9c-493c-aa3f-764861396e48} = 51667a6c4c1d3b1bfd6a2208a9775406bf363308637d2b51	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe

Modifies registry class 56 IoCs

Processes:

regsvr32.exeregsvr32.exece25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\ = "TrustMediaViewerV1alpha4601"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\TypeLib\ = "{b9386b92-893f-48ff-b0fe-24efaea0067b}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\ = "TrustMediaViewerV1alpha4601"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1\0\win32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha4601\\ie\\TrustMediaViewerV1alpha4601.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha4601\\ie\\TrustMediaViewerV1alpha4601x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1\0\win64\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha4601\\ie\\TrustMediaViewerV1alpha4601x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha4601\\ie"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Version\ = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1\ = "TrustMediaViewerV1alpha4601Lib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\ = "ITrustMediaViewerV1alpha4601BHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\ = "ITrustMediaViewerV1alpha4601BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\TypeLib\ = "{B9386B92-893F-48FF-B0FE-24EFAEA0067B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\TypeLib\ = "{b9386b92-893f-48ff-b0fe-24efaea0067b}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Version\ = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha4601\\ie\\TrustMediaViewerV1alpha4601.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}\1.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\TypeLib\ = "{B9386B92-893F-48FF-B0FE-24EFAEA0067B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\ = "Trust Media Viewer"	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9386B92-893F-48FF-B0FE-24EFAEA0067B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70C8A5C5-112C-476B-9A4C-2BDBCB8A571F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{183276ed-2d9c-493c-aa3f-764861396e48}\Programmable	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe

pid	process
536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exeregsvr32.exe

description	pid	process	target process
PID 536 wrote to memory of 912	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 912	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 912	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 912	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 912	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 912	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 912	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 1736	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 1736	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 1736	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 1736	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 1736	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 1736	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 536 wrote to memory of 1736	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	regsvr32.exe
PID 1736 wrote to memory of 1356	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 1356	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 1356	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 1356	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 1356	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 1356	1736	regsvr32.exe	regsvr32.exe
PID 1736 wrote to memory of 1356	1736	regsvr32.exe	regsvr32.exe
PID 536 wrote to memory of 2036	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	gpupdate.exe
PID 536 wrote to memory of 2036	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	gpupdate.exe
PID 536 wrote to memory of 2036	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	gpupdate.exe
PID 536 wrote to memory of 2036	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	gpupdate.exe
PID 536 wrote to memory of 2036	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	gpupdate.exe
PID 536 wrote to memory of 2036	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	gpupdate.exe
PID 536 wrote to memory of 2036	536	ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe
"C:\Users\Admin\AppData\Local\Temp\ce25d12e8a646343cb0067adf988cc55053c59c92b04515c500f5ebe5500d925.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ie\TrustMediaViewerV1alpha4601.dll" /s
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:912

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ie\TrustMediaViewerV1alpha4601x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ie\TrustMediaViewerV1alpha4601x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:1356

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe" /force
2⤵
PID:2036

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ie\TrustMediaViewerV1alpha4601.dll
Filesize
85KB

MD5
dbd8f0b49d5f216097c9b0d04a963eef

SHA1
4ff1cbf6b6a9709208daf9156bdb9eb364dbd594

SHA256
3c601edddf1113b296bf50c0e41226e0e31dea80f790375fa5e75cc5e526172a

SHA512
cbd9f4ee75d727019d178d734b3888234f56829d2320f15b4fe10565e66726fc0c1ea25af56f70fd97c185277ca2690f107dfee0499f8d486f4696ff9c93dda3

Download Submit
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ie\TrustMediaViewerV1alpha4601x64.dll
Filesize
100KB

MD5
e7ae85e323093a23d04403d93694dac4

SHA1
923cdc2e49a59c9ae1f2d2ce35b605bcd9bd59af

SHA256
447736dfe55270fb70530606107d70fcd88423e6a0ccbfd17e26e60d46bbb6f3

SHA512
178dc0fbcc5d38aa35576e0c179399335cc9b596f35d9661ddd0f7671e6951d8482137459b290b16d4b278ff11e313f1f6071347bde4ef30a733e634b4ae5695

Download Submit
\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ie\TrustMediaViewerV1alpha4601.dll
Filesize
85KB

MD5
dbd8f0b49d5f216097c9b0d04a963eef

SHA1
4ff1cbf6b6a9709208daf9156bdb9eb364dbd594

SHA256
3c601edddf1113b296bf50c0e41226e0e31dea80f790375fa5e75cc5e526172a

SHA512
cbd9f4ee75d727019d178d734b3888234f56829d2320f15b4fe10565e66726fc0c1ea25af56f70fd97c185277ca2690f107dfee0499f8d486f4696ff9c93dda3

Download Submit
\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ie\TrustMediaViewerV1alpha4601x64.dll
Filesize
100KB

MD5
e7ae85e323093a23d04403d93694dac4

SHA1
923cdc2e49a59c9ae1f2d2ce35b605bcd9bd59af

SHA256
447736dfe55270fb70530606107d70fcd88423e6a0ccbfd17e26e60d46bbb6f3

SHA512
178dc0fbcc5d38aa35576e0c179399335cc9b596f35d9661ddd0f7671e6951d8482137459b290b16d4b278ff11e313f1f6071347bde4ef30a733e634b4ae5695

Download Submit
\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha4601\ie\TrustMediaViewerV1alpha4601x64.dll
Filesize
100KB

MD5
e7ae85e323093a23d04403d93694dac4

SHA1
923cdc2e49a59c9ae1f2d2ce35b605bcd9bd59af

SHA256
447736dfe55270fb70530606107d70fcd88423e6a0ccbfd17e26e60d46bbb6f3

SHA512
178dc0fbcc5d38aa35576e0c179399335cc9b596f35d9661ddd0f7671e6951d8482137459b290b16d4b278ff11e313f1f6071347bde4ef30a733e634b4ae5695

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1AA.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nstE1AA.tmp\aminsis.dll
Filesize
567KB

MD5
f346047b13f37f79c462e59a6319faa1

SHA1
ce9e7cb9719000a69b463fe024c81229e322279f

SHA256
e78e0e61707cabec8383f1e74da9db8e0fa123a3a7b36f0080d70fbaed6f7453

SHA512
429209cc489ba9ac2d62055b128efb3cded3e31f966c7cdb1aee592ec7a54ab090526705fa2519498d92eb4bc2efa141cd83adc6c251b793388ad1208b172167

Download Submit
memory/536-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/912-56-0x0000000000000000-mapping.dmp

Download
memory/1356-65-0x0000000000000000-mapping.dmp

Download
memory/1356-66-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/1736-61-0x0000000000000000-mapping.dmp

Download
memory/2036-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads