d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f

General

Target

d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f.dll
Size

2.4MB
MD5

133bf51d031b101ac6f87f6e13c85d53
SHA1

6e09b96d9ab68d673a872d47efe0d2625c09e3da
SHA256

d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f
SHA512

39e8d610605620bb78d85253af21021860086132ce963b9a53a5d4f41b2e4aafa89f5261bff779e4a165e1545656b9686a66e6e27478c8792ff2b044bff9f7d2
SSDEEP

24576:y3mIEaiSE7PEDjG6VVWiqFQypkI8KJaZi3kPTa3g9yEj7OD2AH6CPsW:ylwSE7PEDjG6TaQ9yo1AN

Score

7^/10

adware evasion stealer themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	regsvr32.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1344-57-0x0000000001F50000-0x000000000234C000-memory.dmp	themida
behavioral1/memory/1344-58-0x0000000001F50000-0x000000000234C000-memory.dmp	themida
behavioral1/memory/1344-59-0x0000000001F50000-0x000000000234C000-memory.dmp	themida
behavioral1/memory/1344-60-0x0000000001F50000-0x000000000234C000-memory.dmp	themida

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}	regsvr32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

regsvr32.exe

pid process

1344 regsvr32.exe

pid	process
1344	regsvr32.exe

Modifies registry class 11 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f.MS_Plugin_116	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\ = "MS_Plugin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f.MS_Plugin_116\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f.MS_Plugin_116\Clsid\ = "{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\ProgID\ = "d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f.MS_Plugin_116"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f.MS_Plugin_116\ = "MS_Plugin"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1344 regsvr32.exe

pid	process
1344	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1172 wrote to memory of 1344	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1344	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1344	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1344	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1344	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1344	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1344	1172	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\d9211ff5636bce8a832e32d5c7a8b45ea5731e6581fc7b452e3b98eb0f3d3b3f.dll
2⤵
- Identifies Wine through registry keys
- Installs/modifies Browser Helper Object
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-54-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1344-55-0x0000000000000000-mapping.dmp

Download
memory/1344-56-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1344-57-0x0000000001F50000-0x000000000234C000-memory.dmp

Filesize
4.0MB

Download
memory/1344-58-0x0000000001F50000-0x000000000234C000-memory.dmp

Filesize
4.0MB

Download
memory/1344-59-0x0000000001F50000-0x000000000234C000-memory.dmp

Filesize
4.0MB

Download
memory/1344-60-0x0000000001F50000-0x000000000234C000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads