Analysis
-
max time kernel
133s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-11-2022 13:47
Static task
static1
Behavioral task
behavioral1
Sample
45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Resource
win10v2004-20220812-en
General
-
Target
45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
-
Size
4.2MB
-
MD5
92e77ecc8b3446cc5ceaa34570f8e22d
-
SHA1
744a9134fa9193e3f147cb5bc3443127264a610e
-
SHA256
45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8
-
SHA512
f0246a1e9f0c83af91ac7daa67cbdb439c861d7a5c20dbe4f0627f3099d689f33a789090b96b16a325850f9c7a5368203ed25f683723746886b7ff22c1be61b4
-
SSDEEP
49152:Ef9Psd6+ukjWM9VkhUKjElJKvdvad4mF6rgTUKz4IGy7Z3IXALUBz2Zkh5qd6zjR:Ef86+vjWOVkhjEPpLoWwz
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs 4 IoCs
Processes: regsvr32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\zjhgDmkDyYZoOL.x64.dll" | regsvr32.exe
-
Loads dropped DLL 3 IoCs
Processes: 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe, regsvr32.exe, regsvr32.exe
pid | process
3996 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
3352 | regsvr32.exe
4140 | regsvr32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 5 IoCs
Processes: 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
description | ioc | process
File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgmmnllooncmednomgogkkdbeodddojh\4.0\manifest.json | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created | C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgmmnllooncmednomgogkkdbeodddojh\4.0\manifest.json | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgmmnllooncmednomgogkkdbeodddojh\4.0\manifest.json | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created | C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgmmnllooncmednomgogkkdbeodddojh\4.0\manifest.json | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgmmnllooncmednomgogkkdbeodddojh\4.0\manifest.json | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: regsvr32.exe, 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}\ = "SmartOnes" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}\NoExplorer = "1" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}\ = "SmartOnes" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}\NoExplorer = "1" | regsvr32.exe
-
Drops file in System32 directory 4 IoCs
Processes: 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
-
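The sample writes a machine-scope local Group Policy registry file (C:\Windows\System32\GroupPolicy\Machine\Registry.pol) and opens gpt.ini for modification, which is consistent with bumping the policy version so the new file gets applied. The report does not show which policy values the file carries. The parser below is an added example, not part of the report or of the sample, for reading such a file offline: Registry.pol is a "PReg" signature and DWORD version followed by one [key;value;type;size;data] record per value in UTF-16LE. The entries it builds and parses (Software\Policies\Example\Browser, ForceInstall, UpdateUrl) are constructed placeholders for the demonstration and are not the dropped file's contents.

```python
"""Parse a Group Policy Registry.pol file offline.

Added example, not part of the sandbox report or the sample. Format: a "PReg"
signature and little-endian DWORD version, then records of the form
[key;value;type;size;data] where '[', ';' and ']' are UTF-16LE characters, key and
value are null-terminated UTF-16LE strings, type and size are little-endian DWORDs
and data is `size` raw bytes.
"""
import struct

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
HEADER = b"PReg" + struct.pack("<I", 1)


def _wstr(s):
    """Null-terminated UTF-16LE, as strings are stored in the file."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_registry_pol(entries):
    """Serialise (key, value name, type, raw data) tuples; used here only to construct test input."""
    out = bytearray(HEADER)
    for key, name, vtype, data in entries:
        out += "[".encode("utf-16-le")
        out += _wstr(key) + ";".encode("utf-16-le")
        out += _wstr(name) + ";".encode("utf-16-le")
        out += struct.pack("<I", vtype) + ";".encode("utf-16-le")
        out += struct.pack("<I", len(data)) + ";".encode("utf-16-le")
        out += data + "]".encode("utf-16-le")
    return bytes(out)


def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _read_wstr(buf, pos):
    end = pos
    while buf[end:end + 2] != b"\x00\x00":        # step by code unit, never split a UTF-16 pair
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def decode_value(vtype, data):
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if vtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if vtype == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data                                   # REG_BINARY and unknown types stay raw


def parse_registry_pol(buf):
    """Return [(key, value name, type, decoded data), ...] for every record in the file."""
    if buf[:4] != b"PReg":
        raise ValueError("not a Registry.pol file (missing PReg signature)")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        vtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        # Value names beginning with "**" (e.g. **DeleteValues, **DelVals.) are
        # policy-engine directives rather than real values; they are returned as-is.
        entries.append((key, name, vtype, decode_value(vtype, data)))
    return entries


# Constructed sample: placeholder key and values, NOT the contents of the dropped file.
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Example\\Browser", "ForceInstall", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Example\\Browser", "UpdateUrl", REG_SZ, _wstr("https://example.invalid/update")),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)


def parse_file(path):
    """Wrapper for a real file, e.g. C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol."""
    with open(path, "rb") as fh:
        return parse_registry_pol(fh.read())


if __name__ == "__main__":
    for key, name, vtype, value in parse_registry_pol(SAMPLE_POL):
        print(f"{key}\\{name} (type {vtype}) = {value!r}")
```

On a live host, parse_file() can be pointed at the Machine\Registry.pol path the report lists; on a disk image the same path under the mounted system volume works, since the file has no dependency on the registry itself.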
Drops file in Program Files directory 8 IoCs
Processes: 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created | C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dll | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification | C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dll | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created | C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.tlb | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification | C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.tlb | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created | C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dat | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File opened for modification | C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dat | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
File created | C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
-
Modifies Internet Explorer settings 8 IoCs
Processes: regsvr32.exe, 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c3634df6-a19d-48ec-8d63-181179e0963b} | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c3634df6-a19d-48ec-8d63-181179e0963b} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{C3634DF6-A19D-48EC-8D63-181179E0963B} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{C3634DF6-A19D-48EC-8D63-181179E0963B} | regsvr32.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
-
Modifies registry class 64 IoCs
Processes: 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe, regsvr32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3634DF6-A19D-48EC-8D63-181179E0963B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ProgID\ = ".9" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C3634DF6-A19D-48EC-8D63-181179E0963B} | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ProgID | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\VersionIndependentProgID | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "SmartOnes" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{c3634df6-a19d-48ec-8d63-181179e0963b}" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ProgID | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3634DF6-A19D-48EC-8D63-181179E0963B} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\zjhgDmkDyYZoOL.x64.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{c3634df6-a19d-48ec-8d63-181179e0963b}" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\ = "SmartOnes" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "SmartOnes" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "SmartOnes" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{c3634df6-a19d-48ec-8d63-181179e0963b}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SmartOnes\\zjhgDmkDyYZoOL.tlb" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{c3634df6-a19d-48ec-8d63-181179e0963b}" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32\ThreadingModel = "Apartment" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\..9 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\VersionIndependentProgID\ | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\Programmable | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32\ = "C:\\Program Files (x86)\\SmartOnes\\zjhgDmkDyYZoOL.dll" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\Programmable | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
pid | process
3996 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe (20 occurrences)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
description | pid | process
Token: SeDebugPrivilege | 3996 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe (6 occurrences)
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes: 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe, regsvr32.exe
description | pid | process | target process
PID 3996 wrote to memory of 3352 | 3996 | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe | regsvr32.exe (3 occurrences)
PID 3352 wrote to memory of 4140 | 3352 | regsvr32.exe | regsvr32.exe (2 occurrences)
-
System policy modification 1 TTPs 1 IoCs
Processes: 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b} = "1" | 45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe
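Read together, the "Registers COM server for autorun", "Installs/modifies Browser Helper Object" and "System policy modification" signatures above describe one persistence chain for CLSID {c3634df6-a19d-48ec-8d63-181179e0963b}: InprocServer32 pointing at the dropped DLL under Program Files (x86), a Browser Helper Objects entry with NoExplorer = 1 so the module loads only in Internet Explorer and not in explorer.exe, and Policies\Ext\CLSID\{...} = "1", which is the Internet Explorer "Add-on List" policy state marking the add-on as allowed. The script below is an added example, not part of the report or of the sample, that correlates registry events of that shape into one finding per CLSID. The event rows are transcribed from the signatures above except the last one, a constructed control (a COM server registered from System32) that must not fire; the tag names, severity levels and the Windows-directory allowlist are the example's own choices.

```python
"""Correlate registry events from a sandbox report into one finding per CLSID.

Added example, not part of the report or the sample: shows how the COM
InprocServer32 registration, the Browser Helper Objects entry and the
Policies\\Ext\\CLSID add-on policy value combine into a BHO persistence finding.
"""
import re

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)
# Allowlist for InprocServer32 targets; anything else is worth a look (example's own choice).
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SAMPLE = "45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe"
BHO_CLSID = "{c3634df6-a19d-48ec-8d63-181179e0963b}"

# (operation, key, value name, data, writing process). The first five rows are transcribed
# from the report's signatures; a trailing "\" in the report denotes the key's (Default) value.
# The last row is a constructed control (COM server registered from System32) that must not fire.
EVENTS = [
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32",
     "", r"C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll", "regsvr32.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c3634df6-a19d-48ec-8d63-181179e0963b}\InprocServer32",
     "", r"C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dll", SAMPLE),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}",
     None, None, "regsvr32.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3634df6-a19d-48ec-8d63-181179e0963b}",
     "NoExplorer", "1", "regsvr32.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID",
     "{c3634df6-a19d-48ec-8d63-181179e0963b}", "1", SAMPLE),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "", r"C:\Windows\System32\example.dll", "regsvr32.exe"),  # constructed control
]


def correlate(events):
    """Group events by the CLSID in their key or value name and tag what each one establishes."""
    findings = {}
    for op, key, name, data, proc in events:
        m = GUID_RE.search(key + "\\" + (name or ""))
        if not m:
            continue                       # not CLSID-keyed: outside this rule set
        f = findings.setdefault(m.group(0).lower(), {"tags": set(), "servers": set(), "writers": set()})
        f["writers"].add(proc)
        k = key.lower()
        if "\\explorer\\browser helper objects" in k:
            f["tags"].add("bho_registered")
            if (name or "").lower() == "noexplorer" and data == "1":
                f["tags"].add("bho_hidden_from_explorer")   # loads in iexplore.exe only, not explorer.exe
        elif k.endswith("\\inprocserver32") and op.startswith("Set value") and name == "" and data:
            f["servers"].add(data)
            if not data.lower().startswith(WINDOWS_DIRS):
                f["tags"].add("inproc_server_outside_windows_dirs")
        elif k.endswith("\\policies\\ext\\clsid") and data == "1":
            f["tags"].add("addon_allowed_by_policy")        # IE "Add-on List" policy: 1 = allowed
    return findings


def severity(finding):
    """A BHO whose server lives outside Windows, or that is pinned on by policy, is the interesting case."""
    t = finding["tags"]
    if "bho_registered" in t and t & {"inproc_server_outside_windows_dirs", "addon_allowed_by_policy"}:
        return "high"
    return "medium" if t else "info"


def report(events):
    """Return {clsid: (severity, sorted tags, sorted server paths, sorted writing processes)}."""
    return {clsid: (severity(f), sorted(f["tags"]), sorted(f["servers"]), sorted(f["writers"]))
            for clsid, f in correlate(events).items()}


if __name__ == "__main__":
    for clsid, (sev, tags, servers, writers) in report(EVENTS).items():
        print(f"{clsid} [{sev}] tags={tags} servers={servers} writers={writers}")
```

The same rules apply unchanged to Sysmon event ID 12/13 registry records or to a live dump of HKLM\SOFTWARE\Classes\CLSID plus the Browser Helper Objects and Policies\Ext\CLSID keys (both the native and the WOW6432Node views, since the report shows the sample writing to both); only the tuple construction differs.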
Processes
-
C:\Users\Admin\AppData\Local\Temp\45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\45f33b8774b796142853a333a7b0dd4ba11164088b6083aa29503dcfce8784d8.exe"
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\regsvr32.exe (level 2)
Command line: regsvr32.exe /s "C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe (level 3)
Command line: /s "C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll"
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dat
Filesize 3KB
MD5 912a91e2819a75da7966c5e41d56b746
SHA1 afe3660cedeaef3d7199d551d908a4793729e30d
SHA256 8132d81446ba2c798c751929c7c1ac6e32f8a8012b68d78336d36e05e96250c9
SHA512 201bbf90ca51e881d5618d64beb4542ab434c712f7da2886f8718e0a76e78aa0fc78a3b260b91159c286f82fcf00d364a2d7a187edbaf191452d165a9824dd04
-
C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.dll
Filesize 743KB
MD5 9ca2a4f7b1ecc189fe8a26637a44b129
SHA1 d9756a5ec485b8adfa5386d2996c6d244b0fa0d0
SHA256 9f84983285b6c3de4f9168707469509532c9dbe59270cc67f012b855fe7f9793
SHA512 340f817d6909e855ae42a264efbb65142f9f8b2e8424421f651c8e8ded9ae56847c4e2b12c46e71bd871f389909ab83f9f03ceed29d3d67555bd33b2bee95d31
-
C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.tlb
Filesize 3KB
MD5 ae9748c3367ea620c3a8dbe47d83dce9
SHA1 7bb97dc9888b97d54e6175f15ac7b048d2313300
SHA256 973b96b4136addcd6af0b6df96f2eddfcf17d1cadfbdbf8b367117663c6b567a
SHA512 ad991f84204ebba792e9f178530c279c2d552ec946d64d69f783ccc430575ca1d1c3a215a50a9fcd93a1fa757b1cd16b4816b117046ceb879402b2dcf93cb948
-
C:\Program Files (x86)\SmartOnes\zjhgDmkDyYZoOL.x64.dll
Filesize 877KB
MD5 776ed176b19d4327bd967d470355dbc3
SHA1 0fa9fc06857aa34a92693be3326e82f1a9cec96d
SHA256 136060eef1040c355b1d5bc16821e8457d7b48e59a17097481a802027b1f3f27
SHA512 b1333a2b7d42f9df66da338b65b01260efc4371f7747919f606fb3c8707ed526b5ebbae60d8227e75614a33e7a86a2bbb9ba9bfe61713c3b8f1624330765ede0
-
memory/3352-138-0x0000000000000000-mapping.dmp
-
memory/3996-132-0x00000000037E0000-0x00000000038AA000-memory.dmp
Filesize 808KB
-
memory/4140-141-0x0000000000000000-mapping.dmp