b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50

General

Target

b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
Size

96KB
MD5

685d0110bbdc8e55dc8340001d5eab9e
SHA1

277b56e9391a4aec627eedd44cf63eb5ce057c3b
SHA256

b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50
SHA512

abf19efd4fecc6ca72ae87265583bdc81e54ad5ee753bf65a264424225b03964dee2969e9bf91e1a09044f3bcc35afa99b32434c83f2f23d5aca9b011e6356c2
SSDEEP

1536:Pg8JY+gwf+JeRjY6hii6L3SSQAUm3jDJNdBb2N3iDMmpjZfDHqfqqfnm:PhJY2+6dTSQeJVS3iDMmlxD4nm

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5096-132-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/5096-139-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
5096	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
5044	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\udtyfwi.dll = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\udtyfwi.dll,fvgpbdf"	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11246469-E4E9-E3B4-062C-028B6129A9DC}	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\udtyfwi.dll	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
File created	C:\Windows\SysWOW64\vgjkv.dll	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11246469-E4E9-E3B4-062C-028B6129A9DC}\InprocServer32\ThreadingModel = "Apartment"	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11246469-E4E9-E3B4-062C-028B6129A9DC}\InprocServer32	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11246469-E4E9-E3B4-062C-028B6129A9DC}	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11246469-E4E9-E3B4-062C-028B6129A9DC}\InprocServer32\ = "C:\\Windows\\SysWow64\\vgjkv.dll"	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5096	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
5096	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 5044	5096	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe	81
PID 5096 wrote to memory of 5044	5096	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe	81
PID 5096 wrote to memory of 5044	5096	b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe	81

C:\Users\Admin\AppData\Local\Temp\b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
"C:\Users\Admin\AppData\Local\Temp\b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\udtyfwi.dll,fvgpbdf
  2⤵
  - Loads dropped DLL
  PID:5044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\udtyfwi.dll

Filesize
84KB

MD5
4b8b331ada6af36d8dfe5f7d81ffb170

SHA1
e64075e3fbb4365b907e95e23bd60f8f88ceff7e

SHA256
cad22f042c3bf578e9fd61ca25e72fb7a754fb9ea387c2a44d77c9c6e9225fc9

SHA512
2ca5bcbd2684c504f8fdc1d7f9a3dd3f4bd8cddf9032e981836c2e7bfb0bbce207f7c19a22ff8d0bc2f04afa1b3c7afc028fd941a36e03a622d7d7975539a416

Download Submit
C:\Windows\SysWOW64\udtyfwi.dll

Filesize
84KB

MD5
4b8b331ada6af36d8dfe5f7d81ffb170

SHA1
e64075e3fbb4365b907e95e23bd60f8f88ceff7e

SHA256
cad22f042c3bf578e9fd61ca25e72fb7a754fb9ea387c2a44d77c9c6e9225fc9

SHA512
2ca5bcbd2684c504f8fdc1d7f9a3dd3f4bd8cddf9032e981836c2e7bfb0bbce207f7c19a22ff8d0bc2f04afa1b3c7afc028fd941a36e03a622d7d7975539a416

Download Submit
C:\Windows\SysWOW64\vgjkv.dll

Filesize
62KB

MD5
658305d90dd9719a1696d2adfad63847

SHA1
1acb16f3453c19e8d7a53f6a214c1871d23110a9

SHA256
079ee037dcbcf5dd206ba779755ab34411a420d9f430aa9ccc48840f90ab638c

SHA512
ccb913ecf1167751ebaa111599e0cba3c69e10576c50795b573591aa6fbc14b4e73bd70a38c98f7918f46d66e4ce99ce3e5db9fd85a28ebcc1bb7ea32305d093

Download Submit
memory/5044-138-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/5096-132-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5096-134-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/5096-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5096-140-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads