8b0cd3850820c22b65df2a9ee6da6bbabc3bfb61cc6e96e79e083cee84aaca09

General

Target

8b0cd3850820c22b65df2a9ee6da6bbabc3bfb61cc6e96e79e083cee84aaca09.dll
Size

135KB
MD5

76463e4e6d602019c76a60c6445929d0
SHA1

72a6270d5f736456f7f6bb2cc3940b7dd2872d5a
SHA256

8b0cd3850820c22b65df2a9ee6da6bbabc3bfb61cc6e96e79e083cee84aaca09
SHA512

8b0e9d8369431f4956fc923568044c9faddf0088f063e28ae6e2511b486545136c67e99963c2a621c64f7ed0fa5ee8b7c6d096405e488493a5deb6d224780ec4
SSDEEP

3072:7wJ8mMSo+O7Wt8X+Rln3d9dxU6wHOvMvIEWs8HSrY:7K8iZV2K3dLxFrvMvr8HZ

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3F0E0B46-8442-4cb6-93F6-245430498991}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3F0E0B46-8442-4cb6-93F6-245430498991}	regsvr32.exe

Modifies registry class 47 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID\ = "{3F0E0B46-8442-4cb6-93F6-245430498991}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\TypeLib\ = "{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\ = "ITttPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\ = "CTttPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\ = "ITttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\VersionIndependentProgID\ = "BHO.TttPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID\ = "{3F0E0B46-8442-4cb6-93F6-245430498991}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer\ = "BHO.TttPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8b0cd3850820c22b65df2a9ee6da6bbabc3bfb61cc6e96e79e083cee84aaca09.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8b0cd3850820c22b65df2a9ee6da6bbabc3bfb61cc6e96e79e083cee84aaca09.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\TypeLib\ = "{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F0E0B46-8442-4cb6-93F6-245430498991}\ProgID\ = "BHO.TttPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\TypeLib\ = "{9988B8C4-FF5B-44F2-8F43-AA5237F82F6F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A32799DB-6B3B-4AE8-A44B-C6EE79CB9C0A}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1672 wrote to memory of 576	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 576	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 576	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 576	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 576	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 576	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 576	1672	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8b0cd3850820c22b65df2a9ee6da6bbabc3bfb61cc6e96e79e083cee84aaca09.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\8b0cd3850820c22b65df2a9ee6da6bbabc3bfb61cc6e96e79e083cee84aaca09.dll
2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-55-0x0000000000000000-mapping.dmp

Download
memory/576-56-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1672-54-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads