0ea9bcdb91403808d4021a23cf4fc19ba59039a5bb07ecf7eb2754433ea0b6f9

General

Target

0ea9bcdb91403808d4021a23cf4fc19ba59039a5bb07ecf7eb2754433ea0b6f9.dll
Size

351KB
MD5

66ba1154bc762e559abec3381cad91e0
SHA1

59f7d1275db0cd833393371b4ee18ff355d397f1
SHA256

0ea9bcdb91403808d4021a23cf4fc19ba59039a5bb07ecf7eb2754433ea0b6f9
SHA512

494772769c554e56c9515b04faf26e68b872713cae38f8b4a9ea34ba4e0bd8c2af93d3a1efafe5a51e10968586e0005543868d8499c2e672edd319f678524c32
SSDEEP

6144:bxUKFcZft0ko5cPeIR/3ElxcCEjbucVry9xCTF6F1ifFC3I8t2tni5U:bk2ko5kapmmaSUFC7Yi5U

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1604	rundll32.exe
1604	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\botdft = "regsvr32.exe \"C:\\ProgramData\\botdft.dat\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\botdft = "regsvr32.exe \"C:\\ProgramData\\botdft.dat\""	Explorer.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3332	3284	WerFault.exe	45

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{76420A82-6EE4-4B8A-90A7-46D60FA41F52}	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{35F57EAD-761F-4226-916F-0A2E2A0F023C}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{76420A82-6EE4-4B8A-90A7-46D60FA41F52}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{35F57EAD-761F-4226-916F-0A2E2A0F023C}\#cert = 31	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{4819052B-70D1-48C0-A5FD-7E16098E024E}	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{35F57EAD-761F-4226-916F-0A2E2A0F023C}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{35F57EAD-761F-4226-916F-0A2E2A0F023C}	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{76420A82-6EE4-4B8A-90A7-46D60FA41F52}	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{00261E27-52F6-4985-A297-2E1520AD7E1D}	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{76420A82-6EE4-4B8A-90A7-46D60FA41F52}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{76420A82-6EE4-4B8A-90A7-46D60FA41F52}\{6D701950-69F7-4662-A46D-751634B35B40} = 5458b201	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{76420A82-6EE4-4B8A-90A7-46D60FA41F52}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{35F57EAD-761F-4226-916F-0A2E2A0F023C}	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{35F57EAD-761F-4226-916F-0A2E2A0F023C}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c306561396263646239313430333830386434303231613233636634666331396261353930333961356262303765636637656232373534343333656130623666392e646c6c00	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{35F57EAD-761F-4226-916F-0A2E2A0F023C}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{35F57EAD-761F-4226-916F-0A2E2A0F023C}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{35F57EAD-761F-4226-916F-0A2E2A0F023C}	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{35F57EAD-761F-4226-916F-0A2E2A0F023C}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{76420A82-6EE4-4B8A-90A7-46D60FA41F52}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{76420A82-6EE4-4B8A-90A7-46D60FA41F52}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{76420A82-6EE4-4B8A-90A7-46D60FA41F52}\{6D701950-69F7-4662-A46D-751634B35B40} = 5458b201	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{76420A82-6EE4-4B8A-90A7-46D60FA41F52}	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1604	rundll32.exe
1604	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3032	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2348	sihost.exe
Token: SeShutdownPrivilege	2348	sihost.exe
Token: SeDebugPrivilege	2348	sihost.exe
Token: SeCreateGlobalPrivilege	2480	taskhostw.exe
Token: SeShutdownPrivilege	2480	taskhostw.exe
Token: SeDebugPrivilege	2480	taskhostw.exe
Token: SeCreateGlobalPrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeDebugPrivilege	3032	Explorer.EXE
Token: SeCreateGlobalPrivilege	3372	StartMenuExperienceHost.exe
Token: SeShutdownPrivilege	3372	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3372	StartMenuExperienceHost.exe
Token: SeCreateGlobalPrivilege	3436	RuntimeBroker.exe
Token: SeShutdownPrivilege	3436	RuntimeBroker.exe
Token: SeDebugPrivilege	3436	RuntimeBroker.exe
Token: SeCreateGlobalPrivilege	3736	RuntimeBroker.exe
Token: SeShutdownPrivilege	3736	RuntimeBroker.exe
Token: SeDebugPrivilege	3736	RuntimeBroker.exe
Token: SeCreateGlobalPrivilege	4700	RuntimeBroker.exe
Token: SeShutdownPrivilege	4700	RuntimeBroker.exe
Token: SeDebugPrivilege	4700	RuntimeBroker.exe
Token: SeCreateGlobalPrivilege	1016	rundll32.exe
Token: SeShutdownPrivilege	1016	rundll32.exe
Token: SeDebugPrivilege	1016	rundll32.exe
Token: SeCreateGlobalPrivilege	1604	rundll32.exe
Token: SeShutdownPrivilege	1604	rundll32.exe
Token: SeDebugPrivilege	1604	rundll32.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3436	RuntimeBroker.exe
Token: SeShutdownPrivilege	3436	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1604	1016	rundll32.exe	81
PID 1016 wrote to memory of 1604	1016	rundll32.exe	81
PID 1016 wrote to memory of 1604	1016	rundll32.exe	81
PID 1604 wrote to memory of 2348	1604	rundll32.exe	19
PID 1604 wrote to memory of 2348	1604	rundll32.exe	19
PID 1604 wrote to memory of 2480	1604	rundll32.exe	55
PID 1604 wrote to memory of 2480	1604	rundll32.exe	55
PID 1604 wrote to memory of 3032	1604	rundll32.exe	47
PID 1604 wrote to memory of 3032	1604	rundll32.exe	47
PID 1604 wrote to memory of 3284	1604	rundll32.exe	45
PID 1604 wrote to memory of 3284	1604	rundll32.exe	45
PID 1604 wrote to memory of 3372	1604	rundll32.exe	44
PID 1604 wrote to memory of 3372	1604	rundll32.exe	44
PID 1604 wrote to memory of 3436	1604	rundll32.exe	22
PID 1604 wrote to memory of 3436	1604	rundll32.exe	22
PID 1604 wrote to memory of 3520	1604	rundll32.exe	23
PID 1604 wrote to memory of 3520	1604	rundll32.exe	23
PID 1604 wrote to memory of 3736	1604	rundll32.exe	24
PID 1604 wrote to memory of 3736	1604	rundll32.exe	24
PID 1604 wrote to memory of 4700	1604	rundll32.exe	26
PID 1604 wrote to memory of 4700	1604	rundll32.exe	26
PID 1604 wrote to memory of 1016	1604	rundll32.exe	80
PID 1604 wrote to memory of 1016	1604	rundll32.exe	80

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3284 -s 760
  2⤵
  - Program crash
  PID:3332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3032
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ea9bcdb91403808d4021a23cf4fc19ba59039a5bb07ecf7eb2754433ea0b6f9.dll,#1
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ea9bcdb91403808d4021a23cf4fc19ba59039a5bb07ecf7eb2754433ea0b6f9.dll,#1
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1604

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3284 -ip 3284
1⤵
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\botdft.dat

Filesize
302KB

MD5
ab5f30882f49714171af0762f76e05fb

SHA1
b3ed7bf8910958f88586d14bf9edc248c9f09299

SHA256
41b72e1121c465bb180d8d967a0c9bc7723770f0b2ffbe5ab5ecf8eadb1275af

SHA512
2df8cd2f4e04dee3e661e610a4534af06acd1411420d26a367006a10e13b6400f58fda08a65272335f50a9214b6bd2486b3c36b59c2ba4a951d2ac73053b22fc

Download Submit
C:\ProgramData\botdft.dat

Filesize
302KB

MD5
ab5f30882f49714171af0762f76e05fb

SHA1
b3ed7bf8910958f88586d14bf9edc248c9f09299

SHA256
41b72e1121c465bb180d8d967a0c9bc7723770f0b2ffbe5ab5ecf8eadb1275af

SHA512
2df8cd2f4e04dee3e661e610a4534af06acd1411420d26a367006a10e13b6400f58fda08a65272335f50a9214b6bd2486b3c36b59c2ba4a951d2ac73053b22fc

Download Submit
C:\ProgramData\botdft.dat

Filesize
302KB

MD5
ab5f30882f49714171af0762f76e05fb

SHA1
b3ed7bf8910958f88586d14bf9edc248c9f09299

SHA256
41b72e1121c465bb180d8d967a0c9bc7723770f0b2ffbe5ab5ecf8eadb1275af

SHA512
2df8cd2f4e04dee3e661e610a4534af06acd1411420d26a367006a10e13b6400f58fda08a65272335f50a9214b6bd2486b3c36b59c2ba4a951d2ac73053b22fc

Download Submit
memory/1016-166-0x00007FFF964D0000-0x00007FFF966C5000-memory.dmp

Filesize
2.0MB

Download
memory/1016-158-0x00007FFF964D0000-0x00007FFF966C5000-memory.dmp

Filesize
2.0MB

Download
memory/1016-159-0x000001D0A4760000-0x000001D0A47C9000-memory.dmp

Filesize
420KB

Download
memory/1604-140-0x0000000002DF0000-0x0000000002E4E000-memory.dmp

Filesize
376KB

Download
memory/1604-153-0x0000000010000000-0x0000000010056000-memory.dmp

Filesize
344KB

Download
memory/1604-165-0x0000000003AF0000-0x0000000003B68000-memory.dmp

Filesize
480KB

Download
memory/1604-164-0x0000000002DF0000-0x0000000002E1F000-memory.dmp

Filesize
188KB

Download
memory/1604-138-0x0000000002DF0000-0x0000000002E1F000-memory.dmp

Filesize
188KB

Download
memory/1604-163-0x0000000010000000-0x0000000010044000-memory.dmp

Filesize
272KB

Download
memory/1604-162-0x0000000003AF0000-0x0000000003B68000-memory.dmp

Filesize
480KB

Download
memory/1604-161-0x0000000003A60000-0x0000000003AAE000-memory.dmp

Filesize
312KB

Download
memory/1604-160-0x0000000002DF0000-0x0000000002E4E000-memory.dmp

Filesize
376KB

Download
memory/1604-134-0x0000000010000000-0x0000000010044000-memory.dmp

Filesize
272KB

Download
memory/1604-133-0x0000000010000000-0x0000000010056000-memory.dmp

Filesize
344KB

Download
memory/2348-142-0x00007FFF964D0000-0x00007FFF964D2000-memory.dmp

Filesize
8KB

Download
memory/2348-143-0x0000000000DE0000-0x0000000000E2E000-memory.dmp

Filesize
312KB

Download
memory/2348-144-0x00000152B49C0000-0x00000152B4A29000-memory.dmp

Filesize
420KB

Download
memory/2480-145-0x00007FFF964D0000-0x00007FFF964D2000-memory.dmp

Filesize
8KB

Download
memory/2480-146-0x00000159A7140000-0x00000159A71A9000-memory.dmp

Filesize
420KB

Download
memory/3032-148-0x0000000002F20000-0x0000000002F89000-memory.dmp

Filesize
420KB

Download
memory/3032-147-0x00007FFF964D0000-0x00007FFF964D2000-memory.dmp

Filesize
8KB

Download
memory/3372-150-0x0000016210B00000-0x0000016210B69000-memory.dmp

Filesize
420KB

Download
memory/3372-149-0x00007FFF964D0000-0x00007FFF964D2000-memory.dmp

Filesize
8KB

Download
memory/3436-152-0x000001BEC1790000-0x000001BEC17F9000-memory.dmp

Filesize
420KB

Download
memory/3436-151-0x00007FFF964D0000-0x00007FFF964D2000-memory.dmp

Filesize
8KB

Download
memory/3736-155-0x000001B4A3500000-0x000001B4A3569000-memory.dmp

Filesize
420KB

Download
memory/3736-154-0x00007FFF964D0000-0x00007FFF964D2000-memory.dmp

Filesize
8KB

Download
memory/4700-156-0x00007FFF964D0000-0x00007FFF964D2000-memory.dmp

Filesize
8KB

Download
memory/4700-157-0x000001200C240000-0x000001200C2A9000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads