c8b6cea9447d9b07cfcf9e7d34792aaf097f01c59f4778ff43c7ab3446685d8b

General

Target

c8b6cea9447d9b07cfcf9e7d34792aaf097f01c59f4778ff43c7ab3446685d8b.dll
Size

172KB
MD5

0bd12bb0b5b270f069b69300ab58ff19
SHA1

c8074b2d4ff234030d04aaaab0379fc27e4269f1
SHA256

c8b6cea9447d9b07cfcf9e7d34792aaf097f01c59f4778ff43c7ab3446685d8b
SHA512

b8f308d78b94d22bf9370ed5d9dabb77c1751fbc9f1a4fa4dc51565e06e26e3c4fa7d20dec140ab6c00ec3202dc1f917059186e5e195a87b31edd1a86576dab9
SSDEEP

3072:cVILMQHLsDa5ZOqX0wt7V+N2U6OYuYMy+X5Hp8O7djf5JcUyC:czQHLsm5ZOre7V+ABJuYMychdjf5h

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4E78303-A521-31AE-B881-8E834D2958E8}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4E78303-A521-31AE-B881-8E834D2958E8}\IExplore = "1"	regsvr32.exe

Modifies registry class 29 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\ = "IDOMPeek"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4E78303-A521-31AE-B881-8E834D2958E8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}\1.0\ = "LIB"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4E78303-A521-31AE-B881-8E834D2958E8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c8b6cea9447d9b07cfcf9e7d34792aaf097f01c59f4778ff43c7ab3446685d8b.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\TypeLib\ = "{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c8b6cea9447d9b07cfcf9e7d34792aaf097f01c59f4778ff43c7ab3446685d8b.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4E78303-A521-31AE-B881-8E834D2958E8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4E78303-A521-31AE-B881-8E834D2958E8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\ = "IDOMPeek"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\TypeLib\ = "{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2D2EE26-99ED-324C-BEDB-C2797D90332D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4E78303-A521-31AE-B881-8E834D2958E8}\ = "D"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43BF4DB8-9520-381B-BBC0-DDE8CCD7ECC1}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1316 wrote to memory of 4760	1316	regsvr32.exe	regsvr32.exe
PID 1316 wrote to memory of 4760	1316	regsvr32.exe	regsvr32.exe
PID 1316 wrote to memory of 4760	1316	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c8b6cea9447d9b07cfcf9e7d34792aaf097f01c59f4778ff43c7ab3446685d8b.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\c8b6cea9447d9b07cfcf9e7d34792aaf097f01c59f4778ff43c7ab3446685d8b.dll
2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4760-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads