862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6

General

Target

862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
Size

81KB
MD5

0ebe7ac38810d5c97d9906ce8932bf2c
SHA1

1a82bc74026e8e97103ead39fb4199b981140779
SHA256

862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6
SHA512

3020310d2ac0275c8f5545b861773948ead039335e4943bc221c462a8111aaa71c0ec468c4a199ed2252313a556e7a585ea173697b21c614d005dcfdd8ae44fd
SSDEEP

1536:q1DIsjedzv1GNJf9iYCOMYw1csRTytngW1NCCAN4z+t0CFfLz:q1DI8M4NpyYwmemn2Tp

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4964-136-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4964-142-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4964-143-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
4964	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
4980	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lskyqon.dll = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\lskyqon.dll,htbsxcf"	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6065FEDA-18F9-7EE8-F5AE-00041CDE0F0E}	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lskyqon.dll	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
File created	C:\Windows\SysWOW64\evqkzue.dll	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6065FEDA-18F9-7EE8-F5AE-00041CDE0F0E}	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6065FEDA-18F9-7EE8-F5AE-00041CDE0F0E}\InprocServer32\ = "C:\\Windows\\SysWow64\\evqkzue.dll"	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6065FEDA-18F9-7EE8-F5AE-00041CDE0F0E}\InprocServer32\ThreadingModel = "Apartment"	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6065FEDA-18F9-7EE8-F5AE-00041CDE0F0E}\InprocServer32	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4964	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
4964	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4980	4964	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe	81
PID 4964 wrote to memory of 4980	4964	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe	81
PID 4964 wrote to memory of 4980	4964	862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe	81

C:\Users\Admin\AppData\Local\Temp\862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
"C:\Users\Admin\AppData\Local\Temp\862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\lskyqon.dll,htbsxcf
  2⤵
  - Loads dropped DLL
  PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\evqkzue.dll

Filesize
56KB

MD5
d484ac0844a15c92cd58a39133732998

SHA1
e28f9d5c1e659d28d5c0c9d72df65790dcfb9573

SHA256
735299938b7a61f40b1b254b7f4ca39c9896c613f5da7639b49a089dc2f5f73b

SHA512
6d67bf50910155d55e414072843db4cd31b97a3cc6f0ab47298c673885dce0d8a54e836dcab4306c8b70f2b045b82021f9d0595678ece9002b2d3f27f0f9d441

Download Submit
C:\Windows\SysWOW64\lskyqon.dll

Filesize
48KB

MD5
d7c5f0ebb46d417f909d7f31885b0311

SHA1
29cca02c7033ae876f077146eaa673d784b13fe3

SHA256
755ca5979f28c1d7c8e6994211682e17f7da9c0f206a5141d839cb8fb3641052

SHA512
260970f6d6ccf9d0550bed7a31380a8891bca0dd96385d1a8597d40299a919c19deb70cad42c778c170435fd1e8b32ef7cbcd6d6580fdef0d73313cd4cffae76

Download Submit
C:\Windows\SysWOW64\lskyqon.dll

Filesize
48KB

MD5
d7c5f0ebb46d417f909d7f31885b0311

SHA1
29cca02c7033ae876f077146eaa673d784b13fe3

SHA256
755ca5979f28c1d7c8e6994211682e17f7da9c0f206a5141d839cb8fb3641052

SHA512
260970f6d6ccf9d0550bed7a31380a8891bca0dd96385d1a8597d40299a919c19deb70cad42c778c170435fd1e8b32ef7cbcd6d6580fdef0d73313cd4cffae76

Download Submit
memory/4964-136-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4964-137-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4964-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4964-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4964-144-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4980-141-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads