b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c

General

Target

b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Size

1.8MB
MD5

8c105437c2edf7b74f223b59a737b10d
SHA1

7a6bd38afa8250bd76805bc9bb46c9f8b179997c
SHA256

b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c
SHA512

86150d6ff2164189fd42d240ada970d6e0fe136878b81b240b2de01fa5257c539890a6a92555f646563bb27293f6d682fdd835c119ea12803862b3ffe5af3904
SSDEEP

49152:UM1jeOvZ94MypISORa1FvcaH1kTYZLflhOYhJXJ:UEeOnmIFa1FEaSYZTlhOYhJXJ

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\qrz8spg.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exeregsvr32.exeregsvr32.exe

pid process

748 b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
2004 regsvr32.exe
1716 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
748	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
2004	regsvr32.exe
1716	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\ = "Adblocker"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\NoExplorer = "1"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\ = "Adblocker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe

Drops file in Program Files directory 8 IoCs

Processes:

b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adblocker\qrz8spg.tlb	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
File created	C:\Program Files (x86)\Adblocker\qrz8spg.dat	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
File opened for modification	C:\Program Files (x86)\Adblocker\qrz8spg.dat	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
File created	C:\Program Files (x86)\Adblocker\qrz8spg.x64.dll	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
File opened for modification	C:\Program Files (x86)\Adblocker\qrz8spg.x64.dll	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
File created	C:\Program Files (x86)\Adblocker\qrz8spg.dll	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
File opened for modification	C:\Program Files (x86)\Adblocker\qrz8spg.dll	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
File created	C:\Program Files (x86)\Adblocker\qrz8spg.tlb	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exeb29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\ProgID	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\Implemented Categories	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\ = "Adblocker"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\ = "Adblocker"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\ = "Adblocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\InprocServer32\ThreadingModel = "Apartment"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\InprocServer32	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Adblocker"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{EA12F86A-314A-6675-EF64-6263AD6B92E9}"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\ = "Adblocker"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{EA12F86A-314A-6675-EF64-6263AD6B92E9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\VersionIndependentProgID\ = "Adblocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\qrz8spg.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\Adblocker\\qrz8spg.tlb"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\ProgID\ = "Adblocker.1.0"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\VersionIndependentProgID\ = "Adblocker"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\qrz8spg.dll"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9}\ProgID	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exeregsvr32.exe

description	pid	process	target process
PID 748 wrote to memory of 2004	748	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe	regsvr32.exe
PID 748 wrote to memory of 2004	748	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe	regsvr32.exe
PID 748 wrote to memory of 2004	748	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe	regsvr32.exe
PID 748 wrote to memory of 2004	748	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe	regsvr32.exe
PID 748 wrote to memory of 2004	748	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe	regsvr32.exe
PID 748 wrote to memory of 2004	748	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe	regsvr32.exe
PID 748 wrote to memory of 2004	748	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe	regsvr32.exe
PID 2004 wrote to memory of 1716	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1716	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1716	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1716	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1716	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1716	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 1716	2004	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{EA12F86A-314A-6675-EF64-6263AD6B92E9} = "1"	b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe

C:\Users\Admin\AppData\Local\Temp\b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe
"C:\Users\Admin\AppData\Local\Temp\b29975ce077747b8a5d8be72a259c788c46f90f638ed5b6c2dea89b14b75597c.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:748
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\Adblocker\qrz8spg.x64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Adblocker\qrz8spg.x64.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adblocker\qrz8spg.dat

Filesize
3KB

MD5
92bdc5b43ff1da8e7cded2c2459916f0

SHA1
6dfac6ec1db920f45b8614974ef6d2d4b2919fee

SHA256
f90b952c2c0ac13d19bebb2fb33405f64808ea7bf228acc5dfdc17448c1557d6

SHA512
96666437e6e9d1a69a4cad3237ca56b34e582529a7e39d80271a87755464d62014ac76e60a3d3a11057735decfb411b60ea6dfddb79e0ef2dcf3d2523ed3218d

Download Submit
C:\Program Files (x86)\Adblocker\qrz8spg.tlb

Filesize
3KB

MD5
b4d00d304c72ef9bc43c16b84823fb89

SHA1
86a5d31b4d542e33b2a819632234f0543464d0c7

SHA256
5bbb1a3795b6c31dac793761c3844aa2f5bb52458fb0014e4afe18b92be5598d

SHA512
9eb6b4ef6b37b82f83e224dfa273fd06991969731ab7dc8463172fd919970700d8538248024a4204c6be85f04f24bb9380376f14b784ca7096ceb215df26a813

Download Submit
C:\Program Files (x86)\Adblocker\qrz8spg.x64.dll

Filesize
500KB

MD5
54e21b7dae36a033b7e663765a15b095

SHA1
b56a5511bf5713584b83863e6a7fea9bb3f36fd9

SHA256
167b1316ac4c3cd69fc330761be15805939b7ade91349693e6ddacee6fc1ea65

SHA512
aecbb56b9293e1ea2e401fefdd794cea617f03c529304585c8dcff87b064c48551be9093b2a1484ea9698750536fb7d6adb162c0eab6852c346fcd83bc2c51a9

Download Submit
\Program Files (x86)\Adblocker\qrz8spg.dll

Filesize
441KB

MD5
374367ba293ed2c64cb7bfc4d1fe1417

SHA1
c0f4bcb661e0283f19dd86b5a8f6a3f9b7eb02b6

SHA256
320fdcf6ac910e1b67eb1379736348a887f43eb544dba49e8e909bc4f593eb51

SHA512
ab60c2fb82b1cc4de766a7b07c71e59e06d7c471e2e27c82088d9e9908a463835a80c2228fbb021d2740f6b583ccd43167902cf1557166b47592a8e9c131cfc1

Download Submit
\Program Files (x86)\Adblocker\qrz8spg.x64.dll

Filesize
500KB

MD5
54e21b7dae36a033b7e663765a15b095

SHA1
b56a5511bf5713584b83863e6a7fea9bb3f36fd9

SHA256
167b1316ac4c3cd69fc330761be15805939b7ade91349693e6ddacee6fc1ea65

SHA512
aecbb56b9293e1ea2e401fefdd794cea617f03c529304585c8dcff87b064c48551be9093b2a1484ea9698750536fb7d6adb162c0eab6852c346fcd83bc2c51a9

Download Submit
\Program Files (x86)\Adblocker\qrz8spg.x64.dll

Filesize
500KB

MD5
54e21b7dae36a033b7e663765a15b095

SHA1
b56a5511bf5713584b83863e6a7fea9bb3f36fd9

SHA256
167b1316ac4c3cd69fc330761be15805939b7ade91349693e6ddacee6fc1ea65

SHA512
aecbb56b9293e1ea2e401fefdd794cea617f03c529304585c8dcff87b064c48551be9093b2a1484ea9698750536fb7d6adb162c0eab6852c346fcd83bc2c51a9

Download Submit
memory/748-70-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-73-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-66-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-67-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-68-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-69-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/748-71-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-72-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-65-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-74-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-64-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-55-0x0000000000430000-0x00000000004D4000-memory.dmp

Filesize
656KB

Download
memory/748-63-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-62-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-60-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/748-61-0x0000000000531000-0x0000000000535000-memory.dmp

Filesize
16KB

Download
memory/1716-81-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp

Filesize
8KB

Download
memory/1716-80-0x0000000000000000-mapping.dmp

Download
memory/2004-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads