850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102

General

Target

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Size

3.2MB
MD5

c18db26f1033e0e2e2f91f5509cdb87c
SHA1

de048ea07d348b2444cf13254ae24a7122dcb583
SHA256

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102
SHA512

459a8042ec4ecc6fb5296edcaa3b18cf769d951af6c1e1cfc88c00554cc2d158998abf928fb4421edd07e5a06b31a59e61899ad7d83c0cd50e8d12fc27908169
SSDEEP

49152:K9nY1GLQBQDo56DWskgSGKjGRT8IIOuCltlgLOApVeNSij4cK9QT0apr7XstNfKI:KDQiEapKuT89Ou4frAuMse9Qrpr7u1V

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32\ = "C:\\Program Files (x86)\\TInnyWalleat\\A7rMZimR18fnPb.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exeregsvr32.exeregsvr32.exe

pid process

956 850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
1628 regsvr32.exe
2016 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\akmhpgdbeighgmnaidpnadpmlfcgopnb\1.0\manifest.json	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\akmhpgdbeighgmnaidpnadpmlfcgopnb\1.0\manifest.json	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\akmhpgdbeighgmnaidpnadpmlfcgopnb\1.0\manifest.json	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ = "TInnyWalleat"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\NoExplorer = "1"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ = "TInnyWalleat"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\NoExplorer = "1"	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Drops file in Program Files directory 8 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	ioc	process
File created	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.tlb	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.tlb	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dat	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dat	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dll	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dll	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C4C159E2-9CE2-4666-ADFA-B3349D5557AA}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C4C159E2-9CE2-4666-ADFA-B3349D5557AA}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Modifies registry class 64 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "TInnyWalleat"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{c4c159e2-9ce2-4666-adfa-b3349d5557aa}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\Programmable	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ = "TInnyWalleat"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "TInnyWalleat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{c4c159e2-9ce2-4666-adfa-b3349d5557aa}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4C159E2-9CE2-4666-ADFA-B3349D5557AA}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\TInnyWalleat"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\VersionIndependentProgID\	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32\ = "C:\\Program Files (x86)\\TInnyWalleat\\A7rMZimR18fnPb.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "TInnyWalleat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ProgID\ = ".9"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4C159E2-9CE2-4666-ADFA-B3349D5557AA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ProgID	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\VersionIndependentProgID	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{c4c159e2-9ce2-4666-adfa-b3349d5557aa}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{c4c159e2-9ce2-4666-adfa-b3349d5557aa}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\VersionIndependentProgID\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\Programmable	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

pid	process
956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	pid	process
Token: SeDebugPrivilege	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Token: SeDebugPrivilege	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Token: SeDebugPrivilege	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Token: SeDebugPrivilege	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Token: SeDebugPrivilege	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Token: SeDebugPrivilege	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exeregsvr32.exe

description	pid	process	target process
PID 956 wrote to memory of 1628	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe	regsvr32.exe
PID 956 wrote to memory of 1628	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe	regsvr32.exe
PID 956 wrote to memory of 1628	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe	regsvr32.exe
PID 956 wrote to memory of 1628	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe	regsvr32.exe
PID 956 wrote to memory of 1628	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe	regsvr32.exe
PID 956 wrote to memory of 1628	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe	regsvr32.exe
PID 956 wrote to memory of 1628	956	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe	regsvr32.exe
PID 1628 wrote to memory of 2016	1628	regsvr32.exe	regsvr32.exe
PID 1628 wrote to memory of 2016	1628	regsvr32.exe	regsvr32.exe
PID 1628 wrote to memory of 2016	1628	regsvr32.exe	regsvr32.exe
PID 1628 wrote to memory of 2016	1628	regsvr32.exe	regsvr32.exe
PID 1628 wrote to memory of 2016	1628	regsvr32.exe	regsvr32.exe
PID 1628 wrote to memory of 2016	1628	regsvr32.exe	regsvr32.exe
PID 1628 wrote to memory of 2016	1628	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa} = "1"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

C:\Users\Admin\AppData\Local\Temp\850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
"C:\Users\Admin\AppData\Local\Temp\850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:956

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2016

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dat
Filesize
4KB

MD5
9926d938e72e5498598b672887f84654

SHA1
5b852f331742676140d06e48875ada9cd329c48b

SHA256
b436dff5b839a88af06dad094a366332a5ec46583634e94f3c7d9348b7fc274a

SHA512
9c68f36a5ccaf071db59f45c55c4c2f025ed6dba5d9857c4fa6a0591030d2e9eb5cc8ff20371105d55a4d05898427dd0f25eed2b8465d6b5e33bad4d7a74bff9

Download Submit
C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.tlb
Filesize
3KB

MD5
689aab2940dfe7d83e43bd88e5ae00a1

SHA1
85b1c4e552cab55a5b363b54322ebe42fc03ea6d

SHA256
ec02dfa1747e91b93c54b39a6aa491c69e056c5251cc52726d4fc637322d0a12

SHA512
1077632dc084cb4d33914a1aecccd638da037f0e0e45bf8a41e07be410bcd87fea8713ea2451f5eb8edbdb04baf508088dfafee95d3747d38a3ccabbb221c1c9

Download Submit
C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll
Filesize
702KB

MD5
50a859559413b0a88ea46c72c715e116

SHA1
e3ecc6e5c886bc2d3f68bbd700a94cdee9e5814b

SHA256
0da38857de4d56c7eb87b5a50e8ad3abf0b72fe31fcfd2cea4e398db12caf6a7

SHA512
a406d0e6814b6f33b2002e4afead1fae83f39e19b0e42560bbc15b31516e430b1bfb39ba53867b882249715b7b4e9f37215381663284032efbf175b2c7e4fd24

Download Submit
\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dll
Filesize
626KB

MD5
beba939961c578072accb50452711766

SHA1
8ee507a90e18619a7a1db38de6f0a829f8c56b56

SHA256
12b325079015a5abefa21513fe4005ffddb8b16f89cd2d1f47f18049dd18b0aa

SHA512
284c7ced668d71a87e22aa78f8e94eed401a53a7bf8c495afef48278edd6c9f6efceac9274aacf99a41d553cbd8d21956747e34ddc2b643c683a9e2a03451126

Download Submit
\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll
Filesize
702KB

MD5
50a859559413b0a88ea46c72c715e116

SHA1
e3ecc6e5c886bc2d3f68bbd700a94cdee9e5814b

SHA256
0da38857de4d56c7eb87b5a50e8ad3abf0b72fe31fcfd2cea4e398db12caf6a7

SHA512
a406d0e6814b6f33b2002e4afead1fae83f39e19b0e42560bbc15b31516e430b1bfb39ba53867b882249715b7b4e9f37215381663284032efbf175b2c7e4fd24

Download Submit
\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll
Filesize
702KB

MD5
50a859559413b0a88ea46c72c715e116

SHA1
e3ecc6e5c886bc2d3f68bbd700a94cdee9e5814b

SHA256
0da38857de4d56c7eb87b5a50e8ad3abf0b72fe31fcfd2cea4e398db12caf6a7

SHA512
a406d0e6814b6f33b2002e4afead1fae83f39e19b0e42560bbc15b31516e430b1bfb39ba53867b882249715b7b4e9f37215381663284032efbf175b2c7e4fd24

Download Submit
memory/956-72-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-75-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-66-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-67-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-68-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-69-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-70-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-71-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/956-73-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-74-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-65-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-76-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-77-0x0000000000946000-0x0000000000949000-memory.dmp

Filesize
12KB

Download
memory/956-64-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-55-0x0000000000820000-0x00000000008C7000-memory.dmp

Filesize
668KB

Download
memory/956-63-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-62-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-60-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/956-61-0x0000000000942000-0x0000000000946000-memory.dmp

Filesize
16KB

Download
memory/1628-79-0x0000000000000000-mapping.dmp

Download
memory/2016-84-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

Filesize
8KB

Download
memory/2016-83-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads