91bebfe6d870b6cc1cbe3be00b9e10bab87c849c36b4264bb79a14d8c64cafb6

Analysis

max time kernel
91s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91bebfe6d870b6cc1cbe3be00b9e10bab87c849c36b4264bb79a14d8c64cafb6.exe
Size

2.2MB
MD5

2d7e2bc74ede724226fac02b0bc3d451
SHA1

bd244c7d85370f6981c4d6f4ea2493d94093c9a1
SHA256

91bebfe6d870b6cc1cbe3be00b9e10bab87c849c36b4264bb79a14d8c64cafb6
SHA512

f78cefa295a8912c91701234274aee7d421d8f2194745af6c1201928de9703a2b71bc37691f050ae16ebe837a703339fec4da94c29bdd95a2e156d8fbb39de36
SSDEEP

49152:ahDwLQifdBoDfAxtURbQcwdQIloIdWeqRG+EefTa9AfXjCZeRase4BXgOswsFtej:aI/fdBOfAxtURbEQIloIdWeqRG+EefTc

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3172	sxDcemm691fsgGr.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdBlocke\\BiZtbkCXa3A9Pr.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

pid	Process
3172	sxDcemm691fsgGr.exe
3380	regsvr32.exe
1392	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1eba650-9073-4b8b-bcb8-d242261827d2}\NoExplorer = "1"	sxDcemm691fsgGr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1eba650-9073-4b8b-bcb8-d242261827d2}	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1eba650-9073-4b8b-bcb8-d242261827d2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1eba650-9073-4b8b-bcb8-d242261827d2}\ = "YoutubeAdBlocke"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1eba650-9073-4b8b-bcb8-d242261827d2}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1eba650-9073-4b8b-bcb8-d242261827d2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1eba650-9073-4b8b-bcb8-d242261827d2}	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1eba650-9073-4b8b-bcb8-d242261827d2}\ = "YoutubeAdBlocke"	sxDcemm691fsgGr.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.tlb	sxDcemm691fsgGr.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.dat	sxDcemm691fsgGr.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.dat	sxDcemm691fsgGr.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.x64.dll	sxDcemm691fsgGr.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.x64.dll	sxDcemm691fsgGr.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.dll	sxDcemm691fsgGr.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.dll	sxDcemm691fsgGr.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.tlb	sxDcemm691fsgGr.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{B1EBA650-9073-4B8B-BCB8-D242261827D2}	sxDcemm691fsgGr.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	sxDcemm691fsgGr.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{B1EBA650-9073-4B8B-BCB8-D242261827D2}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{b1eba650-9073-4b8b-bcb8-d242261827d2}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	sxDcemm691fsgGr.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{b1eba650-9073-4b8b-bcb8-d242261827d2}	sxDcemm691fsgGr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\ProgID	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\ = "YoutubeAdBlocke"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdBlocke\\BiZtbkCXa3A9Pr.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\ProgID	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\ProgID\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdBlocke"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	sxDcemm691fsgGr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1EBA650-9073-4B8B-BCB8-D242261827D2}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\InprocServer32	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "YoutubeAdBlocke"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{b1eba650-9073-4b8b-bcb8-d242261827d2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{b1eba650-9073-4b8b-bcb8-d242261827d2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\VersionIndependentProgID	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "YoutubeAdBlocke"	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1EBA650-9073-4B8B-BCB8-D242261827D2}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdBlocke\\BiZtbkCXa3A9Pr.tlb"	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	sxDcemm691fsgGr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\ProgID\ = ".9"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	sxDcemm691fsgGr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1EBA650-9073-4B8B-BCB8-D242261827D2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\ = "YoutubeAdBlocke"	sxDcemm691fsgGr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2}\Programmable	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	sxDcemm691fsgGr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{b1eba650-9073-4b8b-bcb8-d242261827d2}"	sxDcemm691fsgGr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 3172	1400	91bebfe6d870b6cc1cbe3be00b9e10bab87c849c36b4264bb79a14d8c64cafb6.exe	81
PID 1400 wrote to memory of 3172	1400	91bebfe6d870b6cc1cbe3be00b9e10bab87c849c36b4264bb79a14d8c64cafb6.exe	81
PID 1400 wrote to memory of 3172	1400	91bebfe6d870b6cc1cbe3be00b9e10bab87c849c36b4264bb79a14d8c64cafb6.exe	81
PID 3172 wrote to memory of 3380	3172	sxDcemm691fsgGr.exe	82
PID 3172 wrote to memory of 3380	3172	sxDcemm691fsgGr.exe	82
PID 3172 wrote to memory of 3380	3172	sxDcemm691fsgGr.exe	82
PID 3380 wrote to memory of 1392	3380	regsvr32.exe	83
PID 3380 wrote to memory of 1392	3380	regsvr32.exe	83

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{b1eba650-9073-4b8b-bcb8-d242261827d2} = "1"	sxDcemm691fsgGr.exe

C:\Users\Admin\AppData\Local\Temp\91bebfe6d870b6cc1cbe3be00b9e10bab87c849c36b4264bb79a14d8c64cafb6.exe
"C:\Users\Admin\AppData\Local\Temp\91bebfe6d870b6cc1cbe3be00b9e10bab87c849c36b4264bb79a14d8c64cafb6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\404269c2\sxDcemm691fsgGr.exe
  "C:\Users\Admin\AppData\Local\Temp/404269c2/sxDcemm691fsgGr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3172
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.x64.dll"
      4⤵
      Registers COM server for autorun
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.dat

Filesize
3KB

MD5
983bde2086dea676a7452b40823eebe1

SHA1
402841db62174b2b105c7ffe474f7fe307680290

SHA256
8415960ef53d5c20184e21929765f6542a013374bb37b4cc42b6c37d43c187ec

SHA512
c99b2c12b4093a5a33434edc9acb9ea837365184ad27c033710150702e2aa6b14cdc600ec35eefa3081ccf7e9d76bbeaa100c95959af33004d810d3845962f5d

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.dll

Filesize
615KB

MD5
1eaa91e0947d30dd98e8fef4de5511c0

SHA1
100957224870c455f723a3023485c1367e778428

SHA256
770877c5eeb92ae93fc752e2648bf63811f9d33b322c7b24a25d12f881ff343c

SHA512
a1263ed470cb4b07ccda33d7220315810dc21d6d79a629ced6e07e2f61c9b6706dc8a58765d18eac91d2184e3ab0a2f2e84148e16e7426b7fa68b6315f1d2a3d

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.tlb

Filesize
3KB

MD5
115d6d22fe2278653b9b429687bc4cdc

SHA1
0098ed796e103cd85780a48c00c65942010187fc

SHA256
55cdbc42ce94a3e3115a4c53fff47473525ed9af69ae774bbbd78a83ab60c9f3

SHA512
ba72fde0fba9c78d03da94d50e77fcd2469c9f6242ad2a475cc67f2f76742f1435af105d4c2c5353bb3f1083a423d702f461b0fe63e63edc774f4c6aada19bd6

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.x64.dll

Filesize
695KB

MD5
fb4a23e7f4ef5c4cdaa5a87ed0eff861

SHA1
f1fb97557ccc7c54dec798931f59bf0085e40fa2

SHA256
b64a38d8fa5b1be931e49e53f5c0ec1a5c1d47f17cd33484bde4cd05b3f8a1d4

SHA512
42bd11ca1dc2ad2da4500e6fbf1ecaac739f530e63362fdee01b5bb2f4e44ed4da78db9799ba5e2bb9ac79ef4b64b5be683aa6fdf20bca0660f9031c8dc0c127

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.x64.dll

Filesize
695KB

MD5
fb4a23e7f4ef5c4cdaa5a87ed0eff861

SHA1
f1fb97557ccc7c54dec798931f59bf0085e40fa2

SHA256
b64a38d8fa5b1be931e49e53f5c0ec1a5c1d47f17cd33484bde4cd05b3f8a1d4

SHA512
42bd11ca1dc2ad2da4500e6fbf1ecaac739f530e63362fdee01b5bb2f4e44ed4da78db9799ba5e2bb9ac79ef4b64b5be683aa6fdf20bca0660f9031c8dc0c127

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\BiZtbkCXa3A9Pr.x64.dll

Filesize
695KB

MD5
fb4a23e7f4ef5c4cdaa5a87ed0eff861

SHA1
f1fb97557ccc7c54dec798931f59bf0085e40fa2

SHA256
b64a38d8fa5b1be931e49e53f5c0ec1a5c1d47f17cd33484bde4cd05b3f8a1d4

SHA512
42bd11ca1dc2ad2da4500e6fbf1ecaac739f530e63362fdee01b5bb2f4e44ed4da78db9799ba5e2bb9ac79ef4b64b5be683aa6fdf20bca0660f9031c8dc0c127

Download Submit
C:\Users\Admin\AppData\Local\Temp\404269c2\BiZtbkCXa3A9Pr.dll

Filesize
615KB

MD5
1eaa91e0947d30dd98e8fef4de5511c0

SHA1
100957224870c455f723a3023485c1367e778428

SHA256
770877c5eeb92ae93fc752e2648bf63811f9d33b322c7b24a25d12f881ff343c

SHA512
a1263ed470cb4b07ccda33d7220315810dc21d6d79a629ced6e07e2f61c9b6706dc8a58765d18eac91d2184e3ab0a2f2e84148e16e7426b7fa68b6315f1d2a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\404269c2\BiZtbkCXa3A9Pr.tlb

Filesize
3KB

MD5
115d6d22fe2278653b9b429687bc4cdc

SHA1
0098ed796e103cd85780a48c00c65942010187fc

SHA256
55cdbc42ce94a3e3115a4c53fff47473525ed9af69ae774bbbd78a83ab60c9f3

SHA512
ba72fde0fba9c78d03da94d50e77fcd2469c9f6242ad2a475cc67f2f76742f1435af105d4c2c5353bb3f1083a423d702f461b0fe63e63edc774f4c6aada19bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\404269c2\BiZtbkCXa3A9Pr.x64.dll

Filesize
695KB

MD5
fb4a23e7f4ef5c4cdaa5a87ed0eff861

SHA1
f1fb97557ccc7c54dec798931f59bf0085e40fa2

SHA256
b64a38d8fa5b1be931e49e53f5c0ec1a5c1d47f17cd33484bde4cd05b3f8a1d4

SHA512
42bd11ca1dc2ad2da4500e6fbf1ecaac739f530e63362fdee01b5bb2f4e44ed4da78db9799ba5e2bb9ac79ef4b64b5be683aa6fdf20bca0660f9031c8dc0c127

Download Submit
C:\Users\Admin\AppData\Local\Temp\404269c2\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\404269c2\[email protected]\chrome.manifest

Filesize
35B

MD5
3b41d681cf4fe5c29d015b123c6fe2e4

SHA1
81ac50f55b3cb6725b6fdf32a9b1b62ac17a538b

SHA256
84439dacdcaec7b4f3747834fd9bf64dac332ba2bf6502fa9dd88822594c5adb

SHA512
c98bc1e2fb7c0ca0299a00ead30a4d1acce276e98f9f7f6cdbc2f109e6657b53fd8119c8c556a691b96d81028cfbed18f0169aae2589b7becf6a825a933c5446

Download Submit
C:\Users\Admin\AppData\Local\Temp\404269c2\[email protected]\content\bg.js

Filesize
9KB

MD5
22d119930114412cf72f9301a593935a

SHA1
d3fd6af6bd98688a202a61286bbe278068a46c26

SHA256
908f5b6b09e39e300181c6e25a014267caa611dc61851f45caf0c809d2cbec81

SHA512
34cde808eb789a288094aae171bedd9066c9ad6e6a140383c4a24dad3416dd457c9a39cd7f866bbf8d1167506658f468e5c9c07b1fa03e7ff42724dcc899783e

Download Submit
C:\Users\Admin\AppData\Local\Temp\404269c2\[email protected]\install.rdf

Filesize
601B

MD5
a300687850e4a14e844269d6c2828d57

SHA1
1b2529ac9154294ed399dda15ade4d8c5112d537

SHA256
6db8ddc82c7f78fdae0b0a80a455427be4da74fd8fdd8d6881417f7b7d8b8eb2

SHA512
defb2fe8a3acb82f0f7eb71b21ebbcde8c4c38162f54ea33c03a5fb97e3b16dd1d35fc5614ff1588f7da0457bbbccc12e6eef8eefadd63c1915aa947890f8db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\404269c2\sxDcemm691fsgGr.dat

Filesize
3KB

MD5
983bde2086dea676a7452b40823eebe1

SHA1
402841db62174b2b105c7ffe474f7fe307680290

SHA256
8415960ef53d5c20184e21929765f6542a013374bb37b4cc42b6c37d43c187ec

SHA512
c99b2c12b4093a5a33434edc9acb9ea837365184ad27c033710150702e2aa6b14cdc600ec35eefa3081ccf7e9d76bbeaa100c95959af33004d810d3845962f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\404269c2\sxDcemm691fsgGr.exe

Filesize
620KB

MD5
36753a4a14ce9d5740ca200b1b9af325

SHA1
a34ab5b60bb97e5ece27f5cf0f69a4201c1803af

SHA256
d4ceddec76f76487b43b139e830a2ed180b99cfee787c361b6fd995b21f3c898

SHA512
c1b51c57c6b4859ece60ca4e8227823f5f8ef7582f2f62f58d2417946ce364ad571aa9e4d27def69e7084d4ce4c7693a14d240310410e901572f88220e9b1a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\404269c2\sxDcemm691fsgGr.exe

Filesize
620KB

MD5
36753a4a14ce9d5740ca200b1b9af325

SHA1
a34ab5b60bb97e5ece27f5cf0f69a4201c1803af

SHA256
d4ceddec76f76487b43b139e830a2ed180b99cfee787c361b6fd995b21f3c898

SHA512
c1b51c57c6b4859ece60ca4e8227823f5f8ef7582f2f62f58d2417946ce364ad571aa9e4d27def69e7084d4ce4c7693a14d240310410e901572f88220e9b1a5c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads