160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f

General

Target

160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Size

1.8MB
MD5

102a0255fb8df57c440f07e6a5ce1b4d
SHA1

cdcde10b1a976cdfed7fce47927fb6bbb81dfbfa
SHA256

160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f
SHA512

48c1313aad96c581437c5cfd9af0dbbacb8c46bcfda3234d262f9ce1c79404ab2396a40741acc608ac87e3bb76066694ccfb5ebe73aca53e11af7e6dc16f7a38
SSDEEP

49152:mM1uBezCKfSZEYh0y/VtqJVxBiYn1aR2no1:m/BQCKqZEM0ykTSR2no1

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\EeI.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exeregsvr32.exeregsvr32.exe

pid process

908 160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
388 regsvr32.exe
764 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
908	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
388	regsvr32.exe
764	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{870195E7-9B31-9175-53A1-7B45563E331B}	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{870195E7-9B31-9175-53A1-7B45563E331B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{870195E7-9B31-9175-53A1-7B45563E331B}\ = "Adblocker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{870195E7-9B31-9175-53A1-7B45563E331B}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{870195E7-9B31-9175-53A1-7B45563E331B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{870195E7-9B31-9175-53A1-7B45563E331B}	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{870195E7-9B31-9175-53A1-7B45563E331B}\ = "Adblocker"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{870195E7-9B31-9175-53A1-7B45563E331B}\NoExplorer = "1"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe

Drops file in Program Files directory 8 IoCs

Processes:

160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adblocker\EeI.x64.dll	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
File created	C:\Program Files (x86)\Adblocker\EeI.dll	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
File opened for modification	C:\Program Files (x86)\Adblocker\EeI.dll	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
File created	C:\Program Files (x86)\Adblocker\EeI.tlb	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
File opened for modification	C:\Program Files (x86)\Adblocker\EeI.tlb	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
File created	C:\Program Files (x86)\Adblocker\EeI.dat	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
File opened for modification	C:\Program Files (x86)\Adblocker\EeI.dat	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
File created	C:\Program Files (x86)\Adblocker\EeI.x64.dll	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{870195E7-9B31-9175-53A1-7B45563E331B}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{870195E7-9B31-9175-53A1-7B45563E331B}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{870195E7-9B31-9175-53A1-7B45563E331B}	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{870195E7-9B31-9175-53A1-7B45563E331B}	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe

Modifies registry class 64 IoCs

Processes:

160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID\ = "{870195E7-9B31-9175-53A1-7B45563E331B}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{870195E7-9B31-9175-53A1-7B45563E331B}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\ProgID\ = "Adblocker.1.0"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\Programmable	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\VersionIndependentProgID	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\ = "Adblocker"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\Programmable	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\ = "Adblocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\VersionIndependentProgID\ = "Adblocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\InprocServer32	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID\ = "{870195E7-9B31-9175-53A1-7B45563E331B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\ProgID	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\Implemented Categories	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\VersionIndependentProgID	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\EeI.dll"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\InprocServer32\ThreadingModel = "Apartment"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B}\ProgID	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Adblocker"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{870195E7-9B31-9175-53A1-7B45563E331B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\ = "Adblocker"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exeregsvr32.exe

description	pid	process	target process
PID 908 wrote to memory of 388	908	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe	regsvr32.exe
PID 908 wrote to memory of 388	908	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe	regsvr32.exe
PID 908 wrote to memory of 388	908	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe	regsvr32.exe
PID 908 wrote to memory of 388	908	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe	regsvr32.exe
PID 908 wrote to memory of 388	908	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe	regsvr32.exe
PID 908 wrote to memory of 388	908	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe	regsvr32.exe
PID 908 wrote to memory of 388	908	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe	regsvr32.exe
PID 388 wrote to memory of 764	388	regsvr32.exe	regsvr32.exe
PID 388 wrote to memory of 764	388	regsvr32.exe	regsvr32.exe
PID 388 wrote to memory of 764	388	regsvr32.exe	regsvr32.exe
PID 388 wrote to memory of 764	388	regsvr32.exe	regsvr32.exe
PID 388 wrote to memory of 764	388	regsvr32.exe	regsvr32.exe
PID 388 wrote to memory of 764	388	regsvr32.exe	regsvr32.exe
PID 388 wrote to memory of 764	388	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{870195E7-9B31-9175-53A1-7B45563E331B} = "1"	160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe

C:\Users\Admin\AppData\Local\Temp\160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe
"C:\Users\Admin\AppData\Local\Temp\160103317557057f962ff1a70f3c963390e5e8f077470d86258ab753bf313c5f.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:908

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Adblocker\EeI.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Adblocker\EeI.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:764

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adblocker\EeI.dat
Filesize
3KB

MD5
ab47f7b8d74e7867a4ada15a6049025c

SHA1
35751cab33d39dfcd1645af3ac1797f7a1aad83c

SHA256
3ec54dd0a08efcac517308609276565c1b52e822c794980ffcd62d163ed0e9b1

SHA512
397ed3b40848ab2b1e74257189fb6e073baca8dafff2d68a181304edbcb3bfcfcb456975c5cc0ce621ca51bb0cb5e50e675e63698fded6cc2a4004ec830fc162

Download Submit
C:\Program Files (x86)\Adblocker\EeI.tlb
Filesize
3KB

MD5
b4d00d304c72ef9bc43c16b84823fb89

SHA1
86a5d31b4d542e33b2a819632234f0543464d0c7

SHA256
5bbb1a3795b6c31dac793761c3844aa2f5bb52458fb0014e4afe18b92be5598d

SHA512
9eb6b4ef6b37b82f83e224dfa273fd06991969731ab7dc8463172fd919970700d8538248024a4204c6be85f04f24bb9380376f14b784ca7096ceb215df26a813

Download Submit
C:\Program Files (x86)\Adblocker\EeI.x64.dll
Filesize
500KB

MD5
54e21b7dae36a033b7e663765a15b095

SHA1
b56a5511bf5713584b83863e6a7fea9bb3f36fd9

SHA256
167b1316ac4c3cd69fc330761be15805939b7ade91349693e6ddacee6fc1ea65

SHA512
aecbb56b9293e1ea2e401fefdd794cea617f03c529304585c8dcff87b064c48551be9093b2a1484ea9698750536fb7d6adb162c0eab6852c346fcd83bc2c51a9

Download Submit
\Program Files (x86)\Adblocker\EeI.dll
Filesize
441KB

MD5
374367ba293ed2c64cb7bfc4d1fe1417

SHA1
c0f4bcb661e0283f19dd86b5a8f6a3f9b7eb02b6

SHA256
320fdcf6ac910e1b67eb1379736348a887f43eb544dba49e8e909bc4f593eb51

SHA512
ab60c2fb82b1cc4de766a7b07c71e59e06d7c471e2e27c82088d9e9908a463835a80c2228fbb021d2740f6b583ccd43167902cf1557166b47592a8e9c131cfc1

Download Submit
\Program Files (x86)\Adblocker\EeI.x64.dll
Filesize
500KB

MD5
54e21b7dae36a033b7e663765a15b095

SHA1
b56a5511bf5713584b83863e6a7fea9bb3f36fd9

SHA256
167b1316ac4c3cd69fc330761be15805939b7ade91349693e6ddacee6fc1ea65

SHA512
aecbb56b9293e1ea2e401fefdd794cea617f03c529304585c8dcff87b064c48551be9093b2a1484ea9698750536fb7d6adb162c0eab6852c346fcd83bc2c51a9

Download Submit
\Program Files (x86)\Adblocker\EeI.x64.dll
Filesize
500KB

MD5
54e21b7dae36a033b7e663765a15b095

SHA1
b56a5511bf5713584b83863e6a7fea9bb3f36fd9

SHA256
167b1316ac4c3cd69fc330761be15805939b7ade91349693e6ddacee6fc1ea65

SHA512
aecbb56b9293e1ea2e401fefdd794cea617f03c529304585c8dcff87b064c48551be9093b2a1484ea9698750536fb7d6adb162c0eab6852c346fcd83bc2c51a9

Download Submit
memory/388-78-0x0000000000000000-mapping.dmp

Download
memory/764-83-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp

Filesize
8KB

Download
memory/764-82-0x0000000000000000-mapping.dmp

Download
memory/908-65-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-76-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-69-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-70-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-71-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-72-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-73-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-74-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-75-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-68-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-67-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-66-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/908-60-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-61-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-64-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-62-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-63-0x0000000000541000-0x0000000000545000-memory.dmp

Filesize
16KB

Download
memory/908-55-0x0000000000430000-0x00000000004D4000-memory.dmp

Filesize
656KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads