Analysis
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/01/2025, 22:43

Static task: static1

Behavioral task: behavioral1
  Sample: d1ff9e16abf3f1ed36f9860bb843cb64222c3230dbbbc8e7882133225723835fN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: d1ff9e16abf3f1ed36f9860bb843cb64222c3230dbbbc8e7882133225723835fN.exe
  Resource: win10v2004-20241007-en
General
Target: d1ff9e16abf3f1ed36f9860bb843cb64222c3230dbbbc8e7882133225723835fN.exe
Size: 1.5MB
MD5: 20be196e562a42c26883250666c0b860
SHA1: 3df340b8cba4a6ee948094dc3280d6f70beadb6a
SHA256: d1ff9e16abf3f1ed36f9860bb843cb64222c3230dbbbc8e7882133225723835f
SHA512: deab3d3ca7dbc15d93d29d3e5cefd83dfd13b6ccc61bfa8d0b2769be4352fcbc0d2cc2512c882b722aeaaa115ae81f1efd437bb7817ce71e2e08744aa315b429
SSDEEP: 49152:iF76ZMINgnSqCbmb3z9c5yrbd5PQOrmSU:ilFISnpCbQ5yy7QWmSU
Malware Config
Signatures

Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE (1 IoCs)
pid | Process
3312 | N438XI.exe

Loads dropped DLL (3 IoCs)
pid | Process
3312 | N438XI.exe
1172 | regsvr32.exe
3604 | regsvr32.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (5 IoCs)
description | ioc | Process
File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\decjnkimcnbijcgdofgopnmnaahffflg\1.0\manifest.json | N438XI.exe
File created | C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\decjnkimcnbijcgdofgopnmnaahffflg\1.0\manifest.json | N438XI.exe
File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\decjnkimcnbijcgdofgopnmnaahffflg\1.0\manifest.json | N438XI.exe
File created | C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\decjnkimcnbijcgdofgopnmnaahffflg\1.0\manifest.json | N438XI.exe
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\decjnkimcnbijcgdofgopnmnaahffflg\1.0\manifest.json | N438XI.exe
Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EED68B27-BE9E-1212-47AC-D6C052244161}\ = "YoutubeAdblocker" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EED68B27-BE9E-1212-47AC-D6C052244161}\NoExplorer = "1" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EED68B27-BE9E-1212-47AC-D6C052244161} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EED68B27-BE9E-1212-47AC-D6C052244161} | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EED68B27-BE9E-1212-47AC-D6C052244161}\ = "YoutubeAdblocker" | N438XI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EED68B27-BE9E-1212-47AC-D6C052244161}\NoExplorer = "1" | N438XI.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EED68B27-BE9E-1212-47AC-D6C052244161} | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EED68B27-BE9E-1212-47AC-D6C052244161} | regsvr32.exe

Drops file in Program Files directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\YoutubeAdblocker\8n2kB.dat | N438XI.exe
File created | C:\Program Files (x86)\YoutubeAdblocker\8n2kB.x64.dll | N438XI.exe
File opened for modification | C:\Program Files (x86)\YoutubeAdblocker\8n2kB.x64.dll | N438XI.exe
File created | C:\Program Files (x86)\YoutubeAdblocker\8n2kB.dll | N438XI.exe
File opened for modification | C:\Program Files (x86)\YoutubeAdblocker\8n2kB.dll | N438XI.exe
File created | C:\Program Files (x86)\YoutubeAdblocker\8n2kB.tlb | N438XI.exe
File opened for modification | C:\Program Files (x86)\YoutubeAdblocker\8n2kB.tlb | N438XI.exe
File created | C:\Program Files (x86)\YoutubeAdblocker\8n2kB.dat | N438XI.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N438XI.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d1ff9e16abf3f1ed36f9860bb843cb64222c3230dbbbc8e7882133225723835fN.exe

Modifies Internet Explorer settings (8 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{EED68B27-BE9E-1212-47AC-D6C052244161} | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | N438XI.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{EED68B27-BE9E-1212-47AC-D6C052244161} | N438XI.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{EED68B27-BE9E-1212-47AC-D6C052244161} | N438XI.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | N438XI.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{EED68B27-BE9E-1212-47AC-D6C052244161} | regsvr32.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\VersionIndependentProgID | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\VersionIndependentProgID\ = "YoutubeAdblocker" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\VersionIndependentProgID\ = "YoutubeAdblocker" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\InprocServer32 | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\InprocServer32 | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\ProgID | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\VersionIndependentProgID | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\Programmable | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\8n2kB.x64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\ProgID\ = "YoutubeAdblocker.1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0 | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{EED68B27-BE9E-1212-47AC-D6C052244161}" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\ = "YoutubeAdblocker" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\Implemented Categories | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\8n2kB.x64.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\InprocServer32\ThreadingModel = "Apartment" | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161} | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\ProgID | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\8n2kB.dll" | N438XI.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161} | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\8n2kB.tlb" | N438XI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\VersionIndependentProgID | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161}\ProgID\ = "YoutubeAdblocker.1.0" | N438XI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | N438XI.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4560 wrote to memory of 3312 | 4560 | d1ff9e16abf3f1ed36f9860bb843cb64222c3230dbbbc8e7882133225723835fN.exe | 82
PID 4560 wrote to memory of 3312 | 4560 | d1ff9e16abf3f1ed36f9860bb843cb64222c3230dbbbc8e7882133225723835fN.exe | 82
PID 4560 wrote to memory of 3312 | 4560 | d1ff9e16abf3f1ed36f9860bb843cb64222c3230dbbbc8e7882133225723835fN.exe | 82
PID 3312 wrote to memory of 1172 | 3312 | N438XI.exe | 83
PID 3312 wrote to memory of 1172 | 3312 | N438XI.exe | 83
PID 3312 wrote to memory of 1172 | 3312 | N438XI.exe | 83
PID 1172 wrote to memory of 3604 | 1172 | regsvr32.exe | 84
PID 1172 wrote to memory of 3604 | 1172 | regsvr32.exe | 84

System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{EED68B27-BE9E-1212-47AC-D6C052244161} = "1" | N438XI.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\d1ff9e16abf3f1ed36f9860bb843cb64222c3230dbbbc8e7882133225723835fN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d1ff9e16abf3f1ed36f9860bb843cb64222c3230dbbbc8e7882133225723835fN.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4560

   2. C:\Users\Admin\AppData\Local\Temp\3d780473\N438XI.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp/3d780473/N438XI.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 3312

      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\8n2kB.x64.dll"
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 1172

         4. C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\YoutubeAdblocker\8n2kB.x64.dll"
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
            - Modifies Internet Explorer settings
            - Modifies registry class
            PID: 3604
Network
MITRE ATT&CK Enterprise v15

Persistence
  Browser Extensions (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads