45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8

General

Target

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Size

4.2MB
MD5

92e77ecc8b3446cc5ceaa34570f8e22d
SHA1

744a9134fa9193e3f147cb5bc3443127264a610e
SHA256

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8
SHA512

f0246a1e9f0c83af91ac7daa67cbdb439c861d7a5c20dbe4f0627f3099d689f33a789090b96b16a325850f9c7a5368203ed25f683723746886b7ff22c1be61b4
SSDEEP

49152:Ef9Psd6+ukjWM9VkhUKjElJKvdvad4mF6rgTUKz4IGy7Z3IXALUBz2Zkh5qd6zjR:Ef86+vjWOVkhjEPpLoWwz

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\zjhgDmkDyYZoOL.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exeregsvr32.exeregsvr32.exe

pid process

1816 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
1640 regsvr32.exe
1224 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgmmnllooncmednomgogkkdbeodddojh\4.0\manifest.json	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgmmnllooncmednomgogkkdbeodddojh\4.0\manifest.json	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgmmnllooncmednomgogkkdbeodddojh\4.0\manifest.json	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}\ = "SmartOnes"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}\NoExplorer = "1"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}\ = "SmartOnes"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

Drops file in System32 directory 4 IoCs

Processes:

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification	C:\Windows\System32\GroupPolicy	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

Drops file in Program Files directory 8 IoCs

Processes:

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

description	ioc	process
File created	C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dll	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dll	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created	C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.tlb	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.tlb	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created	C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dat	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dat	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created	C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification	C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c3634df6-a19d-48ec-8d63-181179e0963b}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c3634df6-a19d-48ec-8d63-181179e0963b}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C3634DF6-A19D-48EC-8D63-181179E0963B}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C3634DF6-A19D-48EC-8D63-181179E0963B}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ProgID\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3634DF6-A19D-48EC-8D63-181179E0963B}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{c3634df6-a19d-48ec-8d63-181179e0963b}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "SmartOnes"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ProgID	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ProgID	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\VersionIndependentProgID\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\Programmable	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "SmartOnes"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C3634DF6-A19D-48EC-8D63-181179E0963B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\Programmable	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\VersionIndependentProgID	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ = "SmartOnes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\zjhgDmkDyYZoOL.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\VersionIndependentProgID	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SmartOnes\\zjhgDmkDyYZoOL.tlb"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SmartOnes"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\zjhgDmkDyYZoOL.dll"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

pid	process
1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

description	pid	process
Token: SeDebugPrivilege	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Token: SeDebugPrivilege	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Token: SeDebugPrivilege	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Token: SeDebugPrivilege	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Token: SeDebugPrivilege	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Token: SeDebugPrivilege	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exeregsvr32.exe

description	pid	process	target process
PID 1816 wrote to memory of 1640	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe	regsvr32.exe
PID 1816 wrote to memory of 1640	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe	regsvr32.exe
PID 1816 wrote to memory of 1640	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe	regsvr32.exe
PID 1816 wrote to memory of 1640	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe	regsvr32.exe
PID 1816 wrote to memory of 1640	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe	regsvr32.exe
PID 1816 wrote to memory of 1640	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe	regsvr32.exe
PID 1816 wrote to memory of 1640	1816	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe	regsvr32.exe
PID 1640 wrote to memory of 1224	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1224	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1224	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1224	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1224	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1224	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1224	1640	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b} = "1"	45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe

C:\Users\Admin\AppData\Local\Temp\45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
"C:\Users\Admin\AppData\Local\Temp\45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1816

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1224

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dat
Filesize
3KB

MD5
912a91e2819a75da7966c5e41d56b746

SHA1
afe3660cedeaef3d7199d551d908a4793729e30d

SHA256
8132d81446ba2c798c751929c7c1ac6e32f8a8012b68d78336d36e05e96250c9

SHA512
201bbf90ca51e881d5618d64beb4542ab434c712f7da2886f8718e0a76e78aa0fc78a3b260b91159c286f82fcf00d364a2d7a187edbaf191452d165a9824dd04

Download Submit
C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.tlb
Filesize
3KB

MD5
ae9748c3367ea620c3a8dbe47d83dce9

SHA1
7bb97dc9888b97d54e6175f15ac7b048d2313300

SHA256
973b96b4136addcd6af0b6df96f2eddfcf17d1cadfbdbf8b367117663c6b567a

SHA512
ad991f84204ebba792e9f178530c279c2d552ec946d64d69f783ccc430575ca1d1c3a215a50a9fcd93a1fa757b1cd16b4816b117046ceb879402b2dcf93cb948

Download Submit
C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll
Filesize
877KB

MD5
776ed176b19d4327bd967d470355dbc3

SHA1
0fa9fc06857aa34a92693be3326e82f1a9cec96d

SHA256
136060eef1040c355b1d5bc16821e8457d7b48e59a17097481a802027b1f3f27

SHA512
b1333a2b7d42f9df66da338b65b01260efc4371f7747919f606fb3c8707ed526b5ebbae60d8227e75614a33e7a86a2bbb9ba9bfe61713c3b8f1624330765ede0

Download Submit
\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dll
Filesize
743KB

MD5
9ca2a4f7b1ecc189fe8a26637a44b129

SHA1
d9756a5ec485b8adfa5386d2996c6d244b0fa0d0

SHA256
9f84983285b6c3de4f9168707469509532c9dbe59270cc67f012b855fe7f9793

SHA512
340f817d6909e855ae42a264efbb65142f9f8b2e8424421f651c8e8ded9ae56847c4e2b12c46e71bd871f389909ab83f9f03ceed29d3d67555bd33b2bee95d31

Download Submit
\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll
Filesize
877KB

MD5
776ed176b19d4327bd967d470355dbc3

SHA1
0fa9fc06857aa34a92693be3326e82f1a9cec96d

SHA256
136060eef1040c355b1d5bc16821e8457d7b48e59a17097481a802027b1f3f27

SHA512
b1333a2b7d42f9df66da338b65b01260efc4371f7747919f606fb3c8707ed526b5ebbae60d8227e75614a33e7a86a2bbb9ba9bfe61713c3b8f1624330765ede0

Download Submit
\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll
Filesize
877KB

MD5
776ed176b19d4327bd967d470355dbc3

SHA1
0fa9fc06857aa34a92693be3326e82f1a9cec96d

SHA256
136060eef1040c355b1d5bc16821e8457d7b48e59a17097481a802027b1f3f27

SHA512
b1333a2b7d42f9df66da338b65b01260efc4371f7747919f606fb3c8707ed526b5ebbae60d8227e75614a33e7a86a2bbb9ba9bfe61713c3b8f1624330765ede0

Download Submit
memory/1224-69-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/1224-68-0x0000000000000000-mapping.dmp

Download
memory/1640-64-0x0000000000000000-mapping.dmp

Download
memory/1816-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1816-55-0x0000000000E00000-0x0000000000ECA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads