850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102

General

Target

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Size

3.2MB
MD5

c18db26f1033e0e2e2f91f5509cdb87c
SHA1

de048ea07d348b2444cf13254ae24a7122dcb583
SHA256

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102
SHA512

459a8042ec4ecc6fb5296edcaa3b18cf769d951af6c1e1cfc88c00554cc2d158998abf928fb4421edd07e5a06b31a59e61899ad7d83c0cd50e8d12fc27908169
SSDEEP

49152:K9nY1GLQBQDo56DWskgSGKjGRT8IIOuCltlgLOApVeNSij4cK9QT0apr7XstNfKI:KDQiEapKuT89Ou4frAuMse9Qrpr7u1V

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32\ = "C:\\Program Files (x86)\\TInnyWalleat\\A7rMZimR18fnPb.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exeregsvr32.exeregsvr32.exe

pid process

4624 850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
1860 regsvr32.exe
2576 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\akmhpgdbeighgmnaidpnadpmlfcgopnb\1.0\manifest.json	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\akmhpgdbeighgmnaidpnadpmlfcgopnb\1.0\manifest.json	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\akmhpgdbeighgmnaidpnadpmlfcgopnb\1.0\manifest.json	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\akmhpgdbeighgmnaidpnadpmlfcgopnb\1.0\manifest.json	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\akmhpgdbeighgmnaidpnadpmlfcgopnb\1.0\manifest.json	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ = "TInnyWalleat"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\NoExplorer = "1"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ = "TInnyWalleat"	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Windows\System32\GroupPolicy	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Drops file in Program Files directory 8 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dll	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.tlb	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.tlb	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dat	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dat	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File opened for modification	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
File created	C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dll	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{C4C159E2-9CE2-4666-ADFA-B3349D5557AA}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{C4C159E2-9CE2-4666-ADFA-B3349D5557AA}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Modifies registry class 64 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{c4c159e2-9ce2-4666-adfa-b3349d5557aa}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "TInnyWalleat"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{c4c159e2-9ce2-4666-adfa-b3349d5557aa}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\VersionIndependentProgID	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4C159E2-9CE2-4666-ADFA-B3349D5557AA}\Implemented Categories	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\TInnyWalleat\\A7rMZimR18fnPb.tlb"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\VersionIndependentProgID\	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32\ThreadingModel = "Apartment"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{c4c159e2-9ce2-4666-adfa-b3349d5557aa}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\Programmable	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "TInnyWalleat"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ProgID\ = ".9"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\VersionIndependentProgID	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ProgID\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32\ = "C:\\Program Files (x86)\\TInnyWalleat\\A7rMZimR18fnPb.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\InprocServer32	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "TInnyWalleat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa}\ = "TInnyWalleat"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

pid	process
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	pid	process
Token: SeDebugPrivilege	4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Token: SeDebugPrivilege	4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Token: SeDebugPrivilege	4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Token: SeDebugPrivilege	4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Token: SeDebugPrivilege	4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
Token: SeDebugPrivilege	4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exeregsvr32.exe

description	pid	process	target process
PID 4624 wrote to memory of 1860	4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe	regsvr32.exe
PID 4624 wrote to memory of 1860	4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe	regsvr32.exe
PID 4624 wrote to memory of 1860	4624	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe	regsvr32.exe
PID 1860 wrote to memory of 2576	1860	regsvr32.exe	regsvr32.exe
PID 1860 wrote to memory of 2576	1860	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{c4c159e2-9ce2-4666-adfa-b3349d5557aa} = "1"	850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe

C:\Users\Admin\AppData\Local\Temp\850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe
"C:\Users\Admin\AppData\Local\Temp\850af59d75ac773dcba81ae7d9493d3215dbed2d2b1b9d7a54a16c14a0b5b102.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4624

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dat
Filesize
4KB

MD5
9926d938e72e5498598b672887f84654

SHA1
5b852f331742676140d06e48875ada9cd329c48b

SHA256
b436dff5b839a88af06dad094a366332a5ec46583634e94f3c7d9348b7fc274a

SHA512
9c68f36a5ccaf071db59f45c55c4c2f025ed6dba5d9857c4fa6a0591030d2e9eb5cc8ff20371105d55a4d05898427dd0f25eed2b8465d6b5e33bad4d7a74bff9

Download Submit
C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.dll
Filesize
626KB

MD5
beba939961c578072accb50452711766

SHA1
8ee507a90e18619a7a1db38de6f0a829f8c56b56

SHA256
12b325079015a5abefa21513fe4005ffddb8b16f89cd2d1f47f18049dd18b0aa

SHA512
284c7ced668d71a87e22aa78f8e94eed401a53a7bf8c495afef48278edd6c9f6efceac9274aacf99a41d553cbd8d21956747e34ddc2b643c683a9e2a03451126

Download Submit
C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.tlb
Filesize
3KB

MD5
689aab2940dfe7d83e43bd88e5ae00a1

SHA1
85b1c4e552cab55a5b363b54322ebe42fc03ea6d

SHA256
ec02dfa1747e91b93c54b39a6aa491c69e056c5251cc52726d4fc637322d0a12

SHA512
1077632dc084cb4d33914a1aecccd638da037f0e0e45bf8a41e07be410bcd87fea8713ea2451f5eb8edbdb04baf508088dfafee95d3747d38a3ccabbb221c1c9

Download Submit
C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll
Filesize
702KB

MD5
50a859559413b0a88ea46c72c715e116

SHA1
e3ecc6e5c886bc2d3f68bbd700a94cdee9e5814b

SHA256
0da38857de4d56c7eb87b5a50e8ad3abf0b72fe31fcfd2cea4e398db12caf6a7

SHA512
a406d0e6814b6f33b2002e4afead1fae83f39e19b0e42560bbc15b31516e430b1bfb39ba53867b882249715b7b4e9f37215381663284032efbf175b2c7e4fd24

Download Submit
C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll
Filesize
702KB

MD5
50a859559413b0a88ea46c72c715e116

SHA1
e3ecc6e5c886bc2d3f68bbd700a94cdee9e5814b

SHA256
0da38857de4d56c7eb87b5a50e8ad3abf0b72fe31fcfd2cea4e398db12caf6a7

SHA512
a406d0e6814b6f33b2002e4afead1fae83f39e19b0e42560bbc15b31516e430b1bfb39ba53867b882249715b7b4e9f37215381663284032efbf175b2c7e4fd24

Download Submit
C:\Program Files (x86)\TInnyWalleat\A7rMZimR18fnPb.x64.dll
Filesize
702KB

MD5
50a859559413b0a88ea46c72c715e116

SHA1
e3ecc6e5c886bc2d3f68bbd700a94cdee9e5814b

SHA256
0da38857de4d56c7eb87b5a50e8ad3abf0b72fe31fcfd2cea4e398db12caf6a7

SHA512
a406d0e6814b6f33b2002e4afead1fae83f39e19b0e42560bbc15b31516e430b1bfb39ba53867b882249715b7b4e9f37215381663284032efbf175b2c7e4fd24

Download Submit
memory/1860-149-0x0000000000000000-mapping.dmp

Download
memory/2576-152-0x0000000000000000-mapping.dmp

Download
memory/4624-141-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download
memory/4624-146-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download
memory/4624-145-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download
memory/4624-144-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download
memory/4624-147-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download
memory/4624-143-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download
memory/4624-142-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download
memory/4624-132-0x0000000003610000-0x00000000036B7000-memory.dmp

Filesize
668KB

Download
memory/4624-140-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download
memory/4624-139-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download
memory/4624-138-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download
memory/4624-137-0x0000000001251000-0x0000000001254000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads