f5508c57f116baf22d0e1a8114d85797565f09571103a3af1cc12b3ce790364e

General

Target

f5508c57f116baf22d0e1a8114d85797565f09571103a3af1cc12b3ce790364e.dll
Size

371KB
MD5

61b6d64f7ca14f2bba31c68f10c3cd20
SHA1

2b792503db2cbca825c9a782fff9728a3d080e13
SHA256

f5508c57f116baf22d0e1a8114d85797565f09571103a3af1cc12b3ce790364e
SHA512

4b96c66705b9867f7872b1720fa09c35eebf744148663e1a3540bf6d371c6c5219f7d8554527330df7d24a8571c1b7c98a9ee55bf7cc42224668c3439e85d96a
SSDEEP

6144:4cTsPrjFXNlkArqecU3KmeBKahiom7EIrIczmyHfsip+rGf8xxrKDRwv2o7:4cTs99jKUheBKah2EOX/FktKE2G

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1196	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
1500	regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\EusxaVqutv = "regsvr32.exe \"C:\\ProgramData\\EusxaVqutv\\GaveTdut.arx\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\EusxaVqutv = "regsvr32.exe \"C:\\ProgramData\\EusxaVqutv\\GaveTdut.arx\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1500	regsvr32.exe
2036	wmiprvse.exe
2036	wmiprvse.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1436	rundll32.exe
Token: SeLoadDriverPrivilege	1436	rundll32.exe
Token: SeCreateGlobalPrivilege	1500	regsvr32.exe
Token: SeDebugPrivilege	1500	regsvr32.exe
Token: SeCreateGlobalPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeDebugPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1436	844	rundll32.exe	28
PID 844 wrote to memory of 1436	844	rundll32.exe	28
PID 844 wrote to memory of 1436	844	rundll32.exe	28
PID 844 wrote to memory of 1436	844	rundll32.exe	28
PID 844 wrote to memory of 1436	844	rundll32.exe	28
PID 844 wrote to memory of 1436	844	rundll32.exe	28
PID 844 wrote to memory of 1436	844	rundll32.exe	28
PID 1436 wrote to memory of 1500	1436	rundll32.exe	29
PID 1436 wrote to memory of 1500	1436	rundll32.exe	29
PID 1436 wrote to memory of 1500	1436	rundll32.exe	29
PID 1436 wrote to memory of 1500	1436	rundll32.exe	29
PID 1436 wrote to memory of 1500	1436	rundll32.exe	29
PID 1436 wrote to memory of 1500	1436	rundll32.exe	29
PID 1436 wrote to memory of 1500	1436	rundll32.exe	29
PID 1500 wrote to memory of 744	1500	regsvr32.exe	19
PID 1500 wrote to memory of 744	1500	regsvr32.exe	19
PID 1500 wrote to memory of 1196	1500	regsvr32.exe	16
PID 1500 wrote to memory of 1196	1500	regsvr32.exe	16
PID 1500 wrote to memory of 1032	1500	regsvr32.exe	14
PID 1500 wrote to memory of 1032	1500	regsvr32.exe	14
PID 1500 wrote to memory of 1992	1500	regsvr32.exe	13
PID 1500 wrote to memory of 1992	1500	regsvr32.exe	13
PID 1500 wrote to memory of 2036	1500	regsvr32.exe	12
PID 1500 wrote to memory of 2036	1500	regsvr32.exe	12

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1992

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1032

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5508c57f116baf22d0e1a8114d85797565f09571103a3af1cc12b3ce790364e.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5508c57f116baf22d0e1a8114d85797565f09571103a3af1cc12b3ce790364e.dll,#1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\\~006CD5D6.tmp"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1500

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EusxaVqutv\GaveTdut.arx

Filesize
316KB

MD5
06ada37de20838002300892a94eca0de

SHA1
8e8f5bf1db0afec749f517293ee4408d5efb134a

SHA256
c544881e6cf47d28c56a5133a3a0e88f14a72e0bfe644ed65ac9824517dbdb85

SHA512
f994a4e14cb77f4027d54e1823f4d94d0283618ad6b2bbef53956530117c18afaf0babe762d72b976b4b7e20efcabd70eb353feda95072b009e557686ed4b974

Download Submit
C:\Users\Admin\AppData\Local\Temp\~006CD5D6.tmp

Filesize
316KB

MD5
06ada37de20838002300892a94eca0de

SHA1
8e8f5bf1db0afec749f517293ee4408d5efb134a

SHA256
c544881e6cf47d28c56a5133a3a0e88f14a72e0bfe644ed65ac9824517dbdb85

SHA512
f994a4e14cb77f4027d54e1823f4d94d0283618ad6b2bbef53956530117c18afaf0babe762d72b976b4b7e20efcabd70eb353feda95072b009e557686ed4b974

Download Submit
\Users\Admin\AppData\Local\Temp\~006CD5D6.tmp

Filesize
316KB

MD5
06ada37de20838002300892a94eca0de

SHA1
8e8f5bf1db0afec749f517293ee4408d5efb134a

SHA256
c544881e6cf47d28c56a5133a3a0e88f14a72e0bfe644ed65ac9824517dbdb85

SHA512
f994a4e14cb77f4027d54e1823f4d94d0283618ad6b2bbef53956530117c18afaf0babe762d72b976b4b7e20efcabd70eb353feda95072b009e557686ed4b974

Download Submit
memory/744-72-0x0000000001B70000-0x0000000001BC5000-memory.dmp

Filesize
340KB

Download
memory/1196-84-0x0000000002200000-0x0000000002255000-memory.dmp

Filesize
340KB

Download
memory/1196-85-0x000007FFFFF00000-0x000007FFFFF6D000-memory.dmp

Filesize
436KB

Download
memory/1436-63-0x0000000075330000-0x000000007537F000-memory.dmp

Filesize
316KB

Download
memory/1436-61-0x0000000075330000-0x000000007538D000-memory.dmp

Filesize
372KB

Download
memory/1436-57-0x0000000075330000-0x000000007537F000-memory.dmp

Filesize
316KB

Download
memory/1436-55-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1500-68-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/1500-83-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads