053a92295bb64f66565794c6c977f6f0a61977a55985863c3a75a841a296a112

General

Target

5b30ec492e8e46df703e8320533e4059.dll
Size

212KB
MD5

5b30ec492e8e46df703e8320533e4059
SHA1

2957e8fd1993a84867912e271cc25271993af82b
SHA256

053a92295bb64f66565794c6c977f6f0a61977a55985863c3a75a841a296a112
SHA512

1ae8b8b840a0fe39aef875c36bf68ab51ce61754199bb7802cbe1e617f8b14e46955cdce7c7f7bff61bdf42ae12f7a2557de81f1fc31ebbe3f745af3be2fe8e0
SSDEEP

3072:BtTk/szI//RTqHLteeNIzblvtui1zPy03OBh3HqbK9xxzhP:HY/szCErdN69tuk1+Bh3HqbKZzt

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module"	regsvr32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{9233C3C0-1472-4091-A505-5580A23BB4AC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b30ec492e8e46df703e8320533e4059.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0\ = "XML Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b30ec492e8e46df703e8320533e4059.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2036	1688	regsvr32.exe	2
PID 1688 wrote to memory of 2036	1688	regsvr32.exe	2
PID 1688 wrote to memory of 2036	1688	regsvr32.exe	2
PID 1688 wrote to memory of 2036	1688	regsvr32.exe	2
PID 1688 wrote to memory of 2036	1688	regsvr32.exe	2
PID 1688 wrote to memory of 2036	1688	regsvr32.exe	2
PID 1688 wrote to memory of 2036	1688	regsvr32.exe	2

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\5b30ec492e8e46df703e8320533e4059.dll
1⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2036

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5b30ec492e8e46df703e8320533e4059.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-0-0x0000000010000000-0x0000000010036000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing