cd8efeeac9e3a9efe818dca544bb0b692f6003799c713d2e965a78b50e112760

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TTSIEPlugin_64.dll
Size

145KB
MD5

40063a55aa8438de2b5aba42218cd81d
SHA1

864961262feea4014b5b359cef099778b4cc3e98
SHA256

2de26cb75e41daabc16dcb917aa37507e0b334e2d5c5b44763fcf85f0cec48d9
SHA512

d406c77aa1377f82c1a4d1426158637fe8d4f1915939006fde4d5fb623b18c3969c45404b92287b9c4701bafb27b5a9a664cee8a5027882156c8b14a65a719d6
SSDEEP

3072:xQJxhQcoNwOf0yprdkIgTeeY8bOgNhuWnwefuOiyWQV:x8wPwOf00SNTeeY8fNIn2v

Score

7^/10

adware persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TTSIEPlugin_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "TTSIEBHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\NoExplorer = "1"	regsvr32.exe

Modifies registry class 50 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ = "ITTSIEBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}\ = "TTSIEPlugin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TTSIEPlugin_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID\ = "TTSIEPlugin.TTSIEBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID\ = "TTSIEPlugin.TTSIEBHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\ = "TTSIEPlugin 1.2 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ = "ITTSIEBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer\ = "TTSIEPlugin.TTSIEBHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL\AppID = "{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TTSIEPlugin_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\TTSIEPlugin_64.dll
1⤵
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads