fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df

General

Target

fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
Size

143KB
MD5

48974fd1230af0ef4f380bf0c835aa86
SHA1

54424bd91e538f7c4978dda4c3a18f4587bbfc11
SHA256

fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df
SHA512

7ddc5f91d40a04cefb493763970179120015bac3765104842dfedc8b166cd9372fab9f1cbdc28f3b5f16c886384df41373b348bc127f58b5cee6d44aec060bc2
SSDEEP

3072:PXepGQJhYRPJB2U4jnFHM8fxunoqyNZHKJlh:vHQ7YRZwzZunoqMHab

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1736	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
1736	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
1736	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
1736	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
4764	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	regsvr32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\UoDo\sun.dll	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
File opened for modification	C:\Windows\system.ini	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
File opened for modification	C:\Windows\UoDo\sun.dll	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
File opened for modification	C:\Windows\system.ini	regsvr32.exe
File opened for modification	C:\Windows\UoDo\sun.dll	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{296AB1B8-FB22-4D17-8834"	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ = "C:\\Windows\\UoDo\\sun.dll"	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{296AB1B8-FB22-4D17-8834"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ = "C:\\Windows\\UoDo\\sun.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ThreadingModel = "Apartment"	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 4764	1736	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe	83
PID 1736 wrote to memory of 4764	1736	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe	83
PID 1736 wrote to memory of 4764	1736	fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe	83

C:\Users\Admin\AppData\Local\Temp\fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe
"C:\Users\Admin\AppData\Local\Temp\fe2b4c387c5c5d30baf95d5bb5587b092398b2f25acc909c2fc01c512716c2df.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\regsvr32.exe
  "regsvr32.exe" "C:\Windows\UoDo\sun.dll" /s
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Windows directory
  - Modifies registry class
  PID:4764

Network

DNS

97.97.242.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.97.242.52.in-addr.arpa

IN PTR

Response

209.197.3.8:80

260 B
5
209.197.3.8:80

260 B
5
93.184.220.29:80

322 B
7
93.184.220.29:80

322 B
7
209.197.3.8:80

322 B
7
51.116.253.168:443

322 B
7
104.80.225.205:443

322 B
7
93.184.220.29:80

322 B
7

8.8.8.8:53

97.97.242.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.97.242.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfC73F.tmp\System.dll

Filesize
10KB

MD5
4eff5fafd746f5decb93a44e3a3d570c

SHA1
a11aa7681b7e2df1c7f7492a127d332d1495ea8a

SHA256
cf61ddd15d63c25a12caee70f51ea736cfc02195c42e56ee01b33f689d3754c5

SHA512
cde82d2a1f28506e4c2264f6b82017a00af32f138ebcdbaf4cc58463870fa626f708aa57465294c5a6f096c886841e7b9112b85bf3ea2f1d8f2da816b51b2d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC73F.tmp\System.dll

Filesize
10KB

MD5
4eff5fafd746f5decb93a44e3a3d570c

SHA1
a11aa7681b7e2df1c7f7492a127d332d1495ea8a

SHA256
cf61ddd15d63c25a12caee70f51ea736cfc02195c42e56ee01b33f689d3754c5

SHA512
cde82d2a1f28506e4c2264f6b82017a00af32f138ebcdbaf4cc58463870fa626f708aa57465294c5a6f096c886841e7b9112b85bf3ea2f1d8f2da816b51b2d72

Download Submit
C:\Windows\UoDo\sun.dll

Filesize
160KB

MD5
3604cd3a88c803844700cb3353f947eb

SHA1
520ba9cd8cd0f2015bad6cbdd8274f8a0e23c62e

SHA256
c96714fd67c0ea654ab3d80e2012f1119b7c1e5883b070f0577b910c7ff8fb4f

SHA512
d0cde7095ccee853a21c07de5b2acf13c2b1b3a22eb313d065e6f9dfdb79bde99fe603699a5fb2e0b995805326995bcd2981ef4dd9cc630357416bdcb1a3ef39

Download Submit
C:\Windows\UoDo\sun.dll

Filesize
160KB

MD5
3604cd3a88c803844700cb3353f947eb

SHA1
520ba9cd8cd0f2015bad6cbdd8274f8a0e23c62e

SHA256
c96714fd67c0ea654ab3d80e2012f1119b7c1e5883b070f0577b910c7ff8fb4f

SHA512
d0cde7095ccee853a21c07de5b2acf13c2b1b3a22eb313d065e6f9dfdb79bde99fe603699a5fb2e0b995805326995bcd2981ef4dd9cc630357416bdcb1a3ef39

Download Submit
C:\Windows\UoDo\sun.dll

Filesize
160KB

MD5
3604cd3a88c803844700cb3353f947eb

SHA1
520ba9cd8cd0f2015bad6cbdd8274f8a0e23c62e

SHA256
c96714fd67c0ea654ab3d80e2012f1119b7c1e5883b070f0577b910c7ff8fb4f

SHA512
d0cde7095ccee853a21c07de5b2acf13c2b1b3a22eb313d065e6f9dfdb79bde99fe603699a5fb2e0b995805326995bcd2981ef4dd9cc630357416bdcb1a3ef39

Download Submit
C:\Windows\UoDo\sun.dll

Filesize
160KB

MD5
3604cd3a88c803844700cb3353f947eb

SHA1
520ba9cd8cd0f2015bad6cbdd8274f8a0e23c62e

SHA256
c96714fd67c0ea654ab3d80e2012f1119b7c1e5883b070f0577b910c7ff8fb4f

SHA512
d0cde7095ccee853a21c07de5b2acf13c2b1b3a22eb313d065e6f9dfdb79bde99fe603699a5fb2e0b995805326995bcd2981ef4dd9cc630357416bdcb1a3ef39

Download Submit
C:\Windows\system.ini

Filesize
247B

MD5
3b807ea3f2692607a02185183e4719bd

SHA1
c25885a14a24bd2757df40a3f51769de71adbae3

SHA256
70b6b7e843e53e0e87479f8faf3c9c2759509ad2f9a3546c578f6ad796359159

SHA512
11933927aef2f8068eb8c58616e015312d45bf44a7b65f0c70e0a26624e80a6b7b082d3143cce0cdbb26ac4ed02479c53a05bd91a062d6855b1d3c53acb35d14

Download Submit
memory/1736-136-0x0000000002BF0000-0x0000000002C1A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing