74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc

General

Target

74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll
Size

85KB
MD5

a648b96d93ab645e27c556e321bad0ec
SHA1

793556e21c76d9a54e336afd1a3b5608147a28f1
SHA256

74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc
SHA512

99865583bb2b43f00df145ceba52fcaf14449702c3454b0bf06a909a88374d6beeda05bf8273fb23952787a85befe592c265c1b983007b315bb3d639cc09ee5f
SSDEEP

1536:ffNl7netQxMkCNkKoogQhnF11vlefT7UF:tlcGMvNhuQhnF11vlOU

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1451E202-0E77-416C-B1FA-4213912BFC2C}	regsvr32.exe

Modifies registry class 42 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib\ = "{1451E208-0E77-416C-B1FA-4213912BFC2C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ = "IIEHlprObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ = "IIEHlprObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\ = "IEHlprObj Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\ = "IEHelper 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{1451E202-0E77-416C-B1FA-4213912BFC2C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\ProgID\ = "IEHlprObj.IEHlprObj.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib\ = "{1451E208-0E77-416C-B1FA-4213912BFC2C}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exe

pid process

5068 regsvr32.exe
5068 regsvr32.exe
5068 regsvr32.exe
5068 regsvr32.exe

pid	process
5068	regsvr32.exe
5068	regsvr32.exe
5068	regsvr32.exe
5068	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2136 wrote to memory of 5068	2136	regsvr32.exe	regsvr32.exe
PID 2136 wrote to memory of 5068	2136	regsvr32.exe	regsvr32.exe
PID 2136 wrote to memory of 5068	2136	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll
2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5068-132-0x0000000000000000-mapping.dmp

Download
memory/5068-133-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads