05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5

General

Target

05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe
Size

341KB
MD5

45fe7afd40e5c90ef95cb67b0647bcf9
SHA1

2eaa024a92658b2ffb09e2e20a13c284e64c19d4
SHA256

05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5
SHA512

5571ec0ab9c41b1eede6d3d5e8331c53fdbd568de73987447e75cf0ffcb8e55e8bc88b22280a27ee4aa15544d10304f02208c182aafdc1c7f16fbb0e0c501072
SSDEEP

6144:bTfFDbRnOTrAZJzeC/c3ikR1W1rLrUNl8Y4PYsL9xiCZIWDq:d5ObC/cyJrLUlMAQ9xuz

Score

8^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

oshuse.exe

pid process

208 oshuse.exe

pid	process
208	oshuse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

2588 regsvr32.exe
2588 regsvr32.exe

pid	process
2588	regsvr32.exe
2588	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3197FA43-07DD-455E-B8A6-D0F7ECC3484E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3197FA43-07DD-455E-B8A6-D0F7ECC3484E}\	regsvr32.exe

Drops file in Program Files directory 10 IoCs

Processes:

oshuse.exe05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\cvdbsy.bat	oshuse.exe
File created	C:\Program Files (x86)\Common Files\__tmp_rar_sfx_access_check_240600156	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe
File opened for modification	C:\Program Files (x86)\Common Files\zopsue.vxd	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe
File created	C:\Program Files (x86)\Common Files\yusidjs.vxd	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe
File opened for modification	C:\Program Files (x86)\Common Files\yusidjs.vxd	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe
File opened for modification	C:\Program Files (x86)\Common Files\oshuse.dll	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe
File created	C:\Program Files (x86)\Common Files\zopsue.vxd	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe
File created	C:\Program Files (x86)\Common Files\oshuse.exe	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe
File opened for modification	C:\Program Files (x86)\Common Files\oshuse.exe	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe
File created	C:\Program Files (x86)\Common Files\oshuse.dll	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

oshuse.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\baidu\DisplayName = "°Ù¶ÈËÑË÷"	oshuse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\baidu\URL = "http://www.baidu.com/baidu?tn=flstudios_cb&word={searchTerms}&cl=3&ie=utf-8"	oshuse.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\SearchScopes	oshuse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "baidu"	oshuse.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet explorer\Main	oshuse.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\SearchScopes\baidu	oshuse.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

oshuse.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://hao.uenet.info"	oshuse.exe

Modifies registry class 23 IoCs

Processes:

oshuse.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	oshuse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	oshuse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	oshuse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	oshuse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	oshuse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3197FA43-07DD-455E-B8A6-D0F7ECC3484E}\	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	oshuse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oshuse.mnswelg\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oshuse.mnswelg\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oshuse.mnswelg\Clsid\ = "{3197FA43-07DD-455E-B8A6-D0F7ECC3484E}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	oshuse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3197FA43-07DD-455E-B8A6-D0F7ECC3484E}\InprocServer32\ = "C:\\PROGRA~2\\COMMON~1\\oshuse.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oshuse.mnswelg	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3197FA43-07DD-455E-B8A6-D0F7ECC3484E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	oshuse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3197FA43-07DD-455E-B8A6-D0F7ECC3484E}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3197FA43-07DD-455E-B8A6-D0F7ECC3484E}\ProgID\ = "oshuse.mnswelg"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node	oshuse.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID	oshuse.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	oshuse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://hao.uenet.info"	oshuse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3197FA43-07DD-455E-B8A6-D0F7ECC3484E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3197FA43-07DD-455E-B8A6-D0F7ECC3484E}\InprocServer32	regsvr32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exeoshuse.exe

description	pid	process	target process
PID 2984 wrote to memory of 2588	2984	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe	regsvr32.exe
PID 2984 wrote to memory of 2588	2984	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe	regsvr32.exe
PID 2984 wrote to memory of 2588	2984	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe	regsvr32.exe
PID 2984 wrote to memory of 208	2984	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe	oshuse.exe
PID 2984 wrote to memory of 208	2984	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe	oshuse.exe
PID 2984 wrote to memory of 208	2984	05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe	oshuse.exe
PID 208 wrote to memory of 3984	208	oshuse.exe	cmd.exe
PID 208 wrote to memory of 3984	208	oshuse.exe	cmd.exe
PID 208 wrote to memory of 3984	208	oshuse.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe
"C:\Users\Admin\AppData\Local\Temp\05c59dd122d4b8fef678f9d4e6bb61afd4daa9024882a2233a1cffc30c1d5eb5.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s oshuse.dll
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2588

C:\Program Files (x86)\Common Files\oshuse.exe
"C:\Program Files (x86)\Common Files\oshuse.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Common Files\cvdbsy.bat""
3⤵
PID:3984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\cvdbsy.bat

Filesize
136B

MD5
23e266ffdd7e575b89e33e1a1bc28aa0

SHA1
0bed12334e0640aa112df3be66da0cb76408db3d

SHA256
1c943e49ab5889e2741f488c8f0edb0908c918e7fff96b373016abfae7b4ef61

SHA512
11a77e6be23ddfaf36f4bd45847d6f523f62e40e09ecb4b17b59f64ae1172e27f12727961db0225e9dcfa238e4beed69c7246cd66b4fc3c58cbb5cc8efb2fa39

Download Submit
C:\Program Files (x86)\Common Files\oshuse.dll

Filesize
411KB

MD5
4c6e1cbfe9e45b2ac004c8564e05c00d

SHA1
3991ee0160120837dddae6912a4d92e71fc1ca81

SHA256
a693865553d2e7ef7e21fe44ddbeb1d82fe4e372a39f161f91aa9bb2a6760989

SHA512
bc878bcc39924ad5840a4705d81076d2bf5807d5a34682bd8498468dfee3427c9f6339cb4448f58b8daead4582771c28448c5f8a0bd26c15632a75c5a24bf1c9

Download Submit
C:\Program Files (x86)\Common Files\oshuse.dll

Filesize
411KB

MD5
4c6e1cbfe9e45b2ac004c8564e05c00d

SHA1
3991ee0160120837dddae6912a4d92e71fc1ca81

SHA256
a693865553d2e7ef7e21fe44ddbeb1d82fe4e372a39f161f91aa9bb2a6760989

SHA512
bc878bcc39924ad5840a4705d81076d2bf5807d5a34682bd8498468dfee3427c9f6339cb4448f58b8daead4582771c28448c5f8a0bd26c15632a75c5a24bf1c9

Download Submit
C:\Program Files (x86)\Common Files\oshuse.dll

Filesize
411KB

MD5
4c6e1cbfe9e45b2ac004c8564e05c00d

SHA1
3991ee0160120837dddae6912a4d92e71fc1ca81

SHA256
a693865553d2e7ef7e21fe44ddbeb1d82fe4e372a39f161f91aa9bb2a6760989

SHA512
bc878bcc39924ad5840a4705d81076d2bf5807d5a34682bd8498468dfee3427c9f6339cb4448f58b8daead4582771c28448c5f8a0bd26c15632a75c5a24bf1c9

Download Submit
C:\Program Files (x86)\Common Files\oshuse.exe

Filesize
141KB

MD5
be25f13c451db3b166e8e816e41f81f0

SHA1
24cf45aaad6a111992f6814012b3331707fb82d1

SHA256
5b52b1bf8e412d14cf57a197356563feea90e2bc02f36c9e98c5a8f9fed8c86a

SHA512
9f65c9cce93a1f16b937430a67c95584730b1cbf9913f5ce92d0bb1ae6074ba3196224c9b7e5f8068652802a409028e666fa2fa9602cf7e29c244a1bd4e6c281

Download Submit
C:\Program Files (x86)\Common Files\oshuse.exe

Filesize
141KB

MD5
be25f13c451db3b166e8e816e41f81f0

SHA1
24cf45aaad6a111992f6814012b3331707fb82d1

SHA256
5b52b1bf8e412d14cf57a197356563feea90e2bc02f36c9e98c5a8f9fed8c86a

SHA512
9f65c9cce93a1f16b937430a67c95584730b1cbf9913f5ce92d0bb1ae6074ba3196224c9b7e5f8068652802a409028e666fa2fa9602cf7e29c244a1bd4e6c281

Download Submit
memory/208-137-0x0000000000000000-mapping.dmp

Download
memory/2588-132-0x0000000000000000-mapping.dmp

Download
memory/2588-136-0x00000000021F0000-0x000000000225B000-memory.dmp

Filesize
428KB

Download
memory/3984-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads