068eb676a4a34e9caa7d52cf4367b41474efab4e5358baa92e4da5ca06e2825f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dee625955b257749e1e0560a69c02422.exe
Size

1.3MB
MD5

dee625955b257749e1e0560a69c02422
SHA1

ee131e446aaad0cc4a2eb7ee2edc42d15ad3e37b
SHA256

068eb676a4a34e9caa7d52cf4367b41474efab4e5358baa92e4da5ca06e2825f
SHA512

7dd12c4137df53bead8d72bad1674556d9c1776a20ce1e346ef1e21e6bbc03ed5b31190cf853cdcf3121b6ba9090ef9a38405f712ef2d48f0cc81e5d27bbeac3
SSDEEP

24576:z+pUFy+woYqrW9q8HTmCuhRQwIhxN2ynB/dr0xlEMolOBRPA8xPP65cm4+5KDSFn:z+5oYD3ubVIhjxBugMwOBO8x3hm4+YDw

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5044	6g.exe

Loads dropped DLL 3 IoCs

pid	Process
5044	6g.exe
404	regsvr32.exe
3296	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\O.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\InprocServer32	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\odklibgoigagmemcgblfimbnnjgegcac\1.0\manifest.json	6g.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\ = "YoutubeAdblocker"	6g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\NoExplorer = "1"	6g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\ = "YoutubeAdblocker"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutubeAdblocker\O.dll	6g.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\O.dll	6g.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\O.tlb	6g.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\O.tlb	6g.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\O.dat	6g.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\O.dat	6g.exe
File created	C:\Program Files (x86)\YoutubeAdblocker\O.x64.dll	6g.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdblocker\O.x64.dll	6g.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	6g.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	6g.exe
Key deleted	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	6g.exe
Key deleted	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	6g.exe
Key deleted	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\O.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\InprocServer32	6g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\VersionIndependentProgID	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\O.tlb"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\Implemented Categories	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\InprocServer32\ThreadingModel = "Apartment"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	6g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\VersionIndependentProgID	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	6g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdblocker"	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\Programmable	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\O.dll"	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\VersionIndependentProgID\ = "YoutubeAdblocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\ProgID\ = "YoutubeAdblocker.1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0"	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\O.dll"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\ProgID	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}"	6g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\InprocServer32	6g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\Programmable	6g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker"	6g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	6g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer	6g.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 5044	3944	dee625955b257749e1e0560a69c02422.exe	88
PID 3944 wrote to memory of 5044	3944	dee625955b257749e1e0560a69c02422.exe	88
PID 3944 wrote to memory of 5044	3944	dee625955b257749e1e0560a69c02422.exe	88
PID 5044 wrote to memory of 404	5044	6g.exe	89
PID 5044 wrote to memory of 404	5044	6g.exe	89
PID 5044 wrote to memory of 404	5044	6g.exe	89
PID 404 wrote to memory of 3296	404	regsvr32.exe	91
PID 404 wrote to memory of 3296	404	regsvr32.exe	91

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2C1671CF-A247-A9F2-D6B9-9D9394FA7AD6} = "1"	6g.exe

C:\Users\Admin\AppData\Local\Temp\dee625955b257749e1e0560a69c02422.exe
"C:\Users\Admin\AppData\Local\Temp\dee625955b257749e1e0560a69c02422.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\00294823\6g.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/6g.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5044
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\O.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutubeAdblocker\O.x64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\6g.dat

Filesize
3KB

MD5
796ec42ea962e008b838a4c2906ef7c3

SHA1
1701ac955bc18f7d8fbe4a1c0d9b8adc3955ef79

SHA256
a499a8ddbdd290737ab5a80214d70ecf72f3e910bbdb66aa1f8b37a8e84b3a9c

SHA512
a842c106cb17da95bc1262e737033c1908bd2d5e4b12231da89c7cbf4cd15c2590259919d72e83ff592bdacd4046bf16e94061c9d358baf1d4eb40b7b12216c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\6g.exe

Filesize
356KB

MD5
6223a19e77e3b9b4f633e8863ee1cf40

SHA1
ee5ec9cffb59790d553f5a3394ad5808e1e37446

SHA256
d4041f6772da83d968fcf13181a9004ba69f89effc3a69bee019ab44b5ad1f46

SHA512
66c99f26af2895142c61d75025f9343cc132883f79a513b47c18da1f9eb2582971eeee0610779e20d51d378fda854bf4c5a51434a0f0425054a7d059f764bcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\O.dll

Filesize
363KB

MD5
9afeb7fa65aa31c6b871237d14a8fb94

SHA1
58f99ae9ea22f56f28b6c5fa798bda3109f297f6

SHA256
4cb847c3d1b5b9ae746e3725ae26b756c4eb980c93faf2a5963a030e9db2874a

SHA512
311655752677bad1e397ef2f03608ee9819157d211b65cb3b4d81a11b70c32fdd07a6e38c7b276e66ad7953f7549d1c881a0fd97ec82621365a4c2ec23dca855

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\O.tlb

Filesize
3KB

MD5
9f260bfcd1ef83627ceb2792ee3324f5

SHA1
078164529ae639e5ff9cf0e4003a82259c2aace8

SHA256
8ce97c40c3fea5c0a6446b3e647cdb0d1d38eb0a07c40a91a8df4ad0517b2526

SHA512
3e3fa6af779fdda2ecd4e75cfb7b09eae69352eb39560fecbeae750130a111aa099a11d91dce90ab2a7dc11a9fe25d3898c65da8de7fb5729398cdb8260dcd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\O.x64.dll

Filesize
398KB

MD5
410bb7e2c88f92de31b83a173e173e2d

SHA1
ff40233a038f80b7b1513431d6a9632e8f0e39f0

SHA256
afd8e3c979685360c26ff618eb85e0b788f7d9b743fc4e52b9337c242e5bf8d3

SHA512
d5a2727ac2936f189e4247852f147efe93f4473c690abb046c0e38cd8371198c601ae3ec41b04f389da208090c110b7d7ccc903bd3ae9f6ec1b926d5461fdd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\odklibgoigagmemcgblfimbnnjgegcac\F4Y.js

Filesize
5KB

MD5
99a5eda4ee518c6fbe9907a51d348fe8

SHA1
0ff258a1f0eaa185bf0decf9c6a2a67e2dcb1772

SHA256
38dec30ce3bfeaf2e547414627a04fff77f205e6acc9e899692dc9301dc8fb14

SHA512
1004cd3b1e773ff31638d8c5fb33c1779dd109ba3b70ac661050de16782687fa6338b8879f8d90ec1f05d41085c7c81bfcbbc66b89085edd55930f3e8fa0640d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\odklibgoigagmemcgblfimbnnjgegcac\background.html

Filesize
140B

MD5
d4885c54351a86eb439b80ba8b4f0cab

SHA1
ed1ec2396e79470b7e9eaf6bb2f44df1c4010331

SHA256
0adc72edc9ee19b95229c0c8b0302f75fe3f612d51b03e07bc3f6644f477d54e

SHA512
0b04efc1274ebda70b509296447ceece580c6f337b3073f2f8d6175007c3b52c7cb4caf7c436b73318848762b37820a642a060b1f55825282423417c473bf760

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\odklibgoigagmemcgblfimbnnjgegcac\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\odklibgoigagmemcgblfimbnnjgegcac\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\odklibgoigagmemcgblfimbnnjgegcac\manifest.json

Filesize
508B

MD5
e2832fbedae560495781610b5c511afa

SHA1
95f9c6fe1ea5a6ee009bce1e9c215ef53fb5c108

SHA256
6e03e688a9f7cc23a788e004cea4c87ee73e36c1053d2fb34a214bcc597f3ea2

SHA512
2e206b58d02a88d21cb0cd74d5523b9f07f4558b4af9a19936befb256c2dc868107ab1716849e09b665721d1ac7b01ba6762bb54822596e39a4cdad763c68cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\odklibgoigagmemcgblfimbnnjgegcac\sqlite.js

Filesize
1KB

MD5
cc6dae11e73e66c47de31d5d09e6934f

SHA1
3257169bd51548096c732896bc1c60b89aa74a1d

SHA256
f1e9972528562645d9cf09dec0956ca47514e0cb1ced5ba0098362d8d4965f0c

SHA512
80b8d497b734f988de0953b75b6190522b5770f891df44dbf9f8618c6363055686abfcc491d2eb1f7414d4c659d6650610ff8d0d70fdb48deb20b8e15a3f38c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

Filesize
96B

MD5
52707030191ea08951479b67c3a579c8

SHA1
a72f79884cfc6cc30901992ce9901f50e7c44572

SHA256
b7f664a35dc32f5640753e133356c2eff6f0a7b9d3e36a891f5cbe2d356d4bbf

SHA512
623eddd22f601f6fb081e45cc80262180f5ff32c76bb4b55fd6c66311a5ee4e858839d3935fd909c5503234157acf758d8e4e6eedfc6ba3f008245589941abe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

Filesize
9KB

MD5
db427a00b5c95dfd3791c47e3eeae7fe

SHA1
293431be3993f43310c9d07268e27818f6c47623

SHA256
cd9b7d2e4ca8444ae0de8b003669fbae2b1dc624f2874f455351196a4b079a52

SHA512
7eea3a376f43890cce66741322b06a64a90726e1dcb05a87d1ae35f10b671c511be28ecb05735cc1bec6bfdfda54fe0a6c278e59b22051a0264fbb86a5c79b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

Filesize
607B

MD5
dceb784de416e41e465ba116c5575b80

SHA1
f7679a667ce1c9432e7c7b67948ab3b8c27a3ff1

SHA256
c04f1e051955d21e588a1f69eb2b1fa1dff87247fd4d9df4b4d6e1428d1cfedb

SHA512
79b3a6db513b4b9ebe6146aef116b157809672468e7b394c64e0546e06f1878ca3dfa6fde5be310c50328cb4a94691d89420db53851d85fa79bf3761b842d5bc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads