64234b590422a1d522fcfed13cd7c1aa17d33511a0f9497b876be68ce8873b1e

Analysis

max time kernel
54s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64234b590422a1d522fcfed13cd7c1aa17d33511a0f9497b876be68ce8873b1e.dll
Size

235KB
MD5

58c415820f32552249b6939ede3c1957
SHA1

7973c42613a60768e7cb813105b3e1c263652aed
SHA256

64234b590422a1d522fcfed13cd7c1aa17d33511a0f9497b876be68ce8873b1e
SHA512

38c14872e5f750d920f01f0792a2484853fca17975a436b6dd66bba25576b021490ea16049d09031cd9e369b7cb71f8fc47682116b7a0dc08ed1d5c6ebc5df83
SSDEEP

6144:qONxvbbl1+A0nqLqT/BX9dv5MpfKKRn5tr43VIGY:qOTvj+AEqLqTtLv5MpfKKR5BC

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA} = 51667a6c4c1d3b1be9e126445fb7220184eb42f1a7f790f7	regsvr32.exe

Modifies registry class 50 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F968ABD-B17F-4426-B37E-191D879E4529}\1.0\ = "Toolbar 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64234b590422a1d522fcfed13cd7c1aa17d33511a0f9497b876be68ce8873b1e.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\ = "IToolbarHelperObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\ = "IToolbarButton"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\ = "IToolbarButton"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F968ABD-B17F-4426-B37E-191D879E4529}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F968ABD-B17F-4426-B37E-191D879E4529}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64234b590422a1d522fcfed13cd7c1aa17d33511a0f9497b876be68ce8873b1e.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F968ABD-B17F-4426-B37E-191D879E4529}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F968ABD-B17F-4426-B37E-191D879E4529}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\TypeLib\ = "{9F968ABD-B17F-4426-B37E-191D879E4529}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\TypeLib\ = "{9F968ABD-B17F-4426-B37E-191D879E4529}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\Programmable\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F968ABD-B17F-4426-B37E-191D879E4529}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}\TypeLib\ = "{9F968ABD-B17F-4426-B37E-191D879E4529}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F968ABD-B17F-4426-B37E-191D879E4529}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\ = "IToolbarHelperObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F968ABD-B17F-4426-B37E-191D879E4529}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C13D165F-FCC9-464E-A028-5D8FAF2BC88F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E37FEF9-EC6F-484F-98E3-04B1A5B3D6EA}\ProgID = "Toolbar.ExtensionHelperObject.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F968ABD-B17F-4426-B37E-191D879E4529}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F968ABD-B17F-4426-B37E-191D879E4529}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30AA70B7-F81C-4B91-9242-7FEC390F2846}\TypeLib\ = "{9F968ABD-B17F-4426-B37E-191D879E4529}"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4756 wrote to memory of 3256	4756	regsvr32.exe	regsvr32.exe
PID 4756 wrote to memory of 3256	4756	regsvr32.exe	regsvr32.exe
PID 4756 wrote to memory of 3256	4756	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\64234b590422a1d522fcfed13cd7c1aa17d33511a0f9497b876be68ce8873b1e.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\64234b590422a1d522fcfed13cd7c1aa17d33511a0f9497b876be68ce8873b1e.dll
2⤵
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads