03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255

General

Target

03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll
Size

400KB
MD5

4c4560da5b64cecdbbc7c1b7734e3000
SHA1

66c5ac4a5e9a6907b934bbf30d6e99c2a36d3e42
SHA256

03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255
SHA512

1abb2fd04c52ea925bccdcf38bfe439bf10e62c31fa7415d27288f88752e3c69433558891770bb2589f434fa7764e3c8c2f79845555f298d584fb4822dbbee04
SSDEEP

12288:2uiW+x87s5lXl2yU36PUVFp7Ws8WGYUAsw:biW3gNLU2Uss8

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1368	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
892	regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HumeWbuy = "regsvr32.exe \"C:\\ProgramData\\HumeWbuy\\QozgAqsap.jfy\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HumeWbuy = "regsvr32.exe \"C:\\ProgramData\\HumeWbuy\\QozgAqsap.jfy\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
892	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
892	regsvr32.exe
1368	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	892	regsvr32.exe
Token: SeDebugPrivilege	892	regsvr32.exe
Token: SeCreateGlobalPrivilege	1368	Explorer.EXE
Token: SeShutdownPrivilege	1368	Explorer.EXE
Token: SeDebugPrivilege	1368	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2016	2032	rundll32.exe	27
PID 2032 wrote to memory of 2016	2032	rundll32.exe	27
PID 2032 wrote to memory of 2016	2032	rundll32.exe	27
PID 2032 wrote to memory of 2016	2032	rundll32.exe	27
PID 2032 wrote to memory of 2016	2032	rundll32.exe	27
PID 2032 wrote to memory of 2016	2032	rundll32.exe	27
PID 2032 wrote to memory of 2016	2032	rundll32.exe	27
PID 2016 wrote to memory of 892	2016	rundll32.exe	28
PID 2016 wrote to memory of 892	2016	rundll32.exe	28
PID 2016 wrote to memory of 892	2016	rundll32.exe	28
PID 2016 wrote to memory of 892	2016	rundll32.exe	28
PID 2016 wrote to memory of 892	2016	rundll32.exe	28
PID 2016 wrote to memory of 892	2016	rundll32.exe	28
PID 2016 wrote to memory of 892	2016	rundll32.exe	28
PID 892 wrote to memory of 284	892	regsvr32.exe	18
PID 892 wrote to memory of 284	892	regsvr32.exe	18
PID 892 wrote to memory of 1368	892	regsvr32.exe	15
PID 892 wrote to memory of 1368	892	regsvr32.exe	15
PID 892 wrote to memory of 796	892	regsvr32.exe	12
PID 892 wrote to memory of 796	892	regsvr32.exe	12
PID 892 wrote to memory of 1840	892	regsvr32.exe	11
PID 892 wrote to memory of 1840	892	regsvr32.exe	11

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1840

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:796

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1368
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll,#1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\\~006C0906.tmp"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:892

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HumeWbuy\QozgAqsap.jfy

Filesize
281KB

MD5
5fc0a35bb3de5e0a86ca37f6770cd002

SHA1
0b2e889a1df3c5264c129c8a062321dcfa34fcce

SHA256
6125bb16e35306ea1ed2160c8bfcb3edb2d90e50946b3993052b5aa1694ad467

SHA512
21c8bd24fc43e8fe95de75dca3529b51e053bd53149a67a294bf74c767a6b07c66fd6d1e31dbffe3a66e05a6d8c92970002445c82c3cef24cc5926170732f78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~006C0906.tmp

Filesize
281KB

MD5
5fc0a35bb3de5e0a86ca37f6770cd002

SHA1
0b2e889a1df3c5264c129c8a062321dcfa34fcce

SHA256
6125bb16e35306ea1ed2160c8bfcb3edb2d90e50946b3993052b5aa1694ad467

SHA512
21c8bd24fc43e8fe95de75dca3529b51e053bd53149a67a294bf74c767a6b07c66fd6d1e31dbffe3a66e05a6d8c92970002445c82c3cef24cc5926170732f78f

Download Submit
\Users\Admin\AppData\Local\Temp\~006C0906.tmp

Filesize
281KB

MD5
5fc0a35bb3de5e0a86ca37f6770cd002

SHA1
0b2e889a1df3c5264c129c8a062321dcfa34fcce

SHA256
6125bb16e35306ea1ed2160c8bfcb3edb2d90e50946b3993052b5aa1694ad467

SHA512
21c8bd24fc43e8fe95de75dca3529b51e053bd53149a67a294bf74c767a6b07c66fd6d1e31dbffe3a66e05a6d8c92970002445c82c3cef24cc5926170732f78f

Download Submit
memory/284-69-0x0000000001C30000-0x0000000001C85000-memory.dmp

Filesize
340KB

Download
memory/892-63-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/892-65-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/892-78-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/1368-79-0x0000000002570000-0x00000000025C5000-memory.dmp

Filesize
340KB

Download
memory/1368-80-0x000007FFFFF00000-0x000007FFFFF6D000-memory.dmp

Filesize
436KB

Download
memory/1368-81-0x000007FEF6DD0000-0x000007FEF6F13000-memory.dmp

Filesize
1.3MB

Download
memory/1368-82-0x000007FEBAFC0000-0x000007FEBAFCA000-memory.dmp

Filesize
40KB

Download
memory/2016-59-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/2016-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads