ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b

General

Target

ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe
Size

400KB
MD5

0b8bae993bb09b698f43178f6d7b52e2
SHA1

eea562a0342cb0c8fd3446e0621d695219dea6bb
SHA256

ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b
SHA512

770b341b8c967def22fade39f17c4e02a339826ba1f8844299d364e04ee6756b55bedc1bc9464e8b2646e1e9767c802786d380ca9d4d2941a5e0cc4309cf1e97
SSDEEP

6144:iTAqNViKc2sg1b+jSmE10GkcHUwRmuY6DghPRCyUXP2himNCaz7O:VKt71b2SX1/pk6Dk5C9f2hia7

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\OuyjAjuma = "regsvr32.exe \"C:\\ProgramData\\OuyjAjuma\\OuyjAjuma.dat\""	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\OuyjAjuma = "regsvr32.exe \"C:\\ProgramData\\OuyjAjuma\\OuyjAjuma.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{02E9206B-7E6A-4ACA-94BF-6319071802DA}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{15147FB4-7BA6-4C4E-A512-12051F1D7EEA}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{15147FB4-7BA6-4C4E-A512-12051F1D7EEA}\{41772E63-7A91-4B1F-B05E-59597BF64465} = e439838b	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{02E9206B-7E6A-4ACA-94BF-6319071802DA}\#cert = 31	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{02E9206B-7E6A-4ACA-94BF-6319071802DA}	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{02E9206B-7E6A-4ACA-94BF-6319071802DA}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c616430623561396533376335613461383837663832363565303765666666393436646262383166336139646133366134303635333931633365646666643730622e65786500	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe
Token: SeDebugPrivilege	2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe
Token: SeCreateGlobalPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	1260	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1012	2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe	10
PID 2036 wrote to memory of 1012	2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe	10
PID 2036 wrote to memory of 1260	2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe	7
PID 2036 wrote to memory of 1260	2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe	7
PID 2036 wrote to memory of 1940	2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe	12
PID 2036 wrote to memory of 1940	2036	ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1260
- C:\Users\Admin\AppData\Local\Temp\ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe
  "C:\Users\Admin\AppData\Local\Temp\ad0b5a9e37c5a4a887f8265e07efff946dbb81f3a9da36a4065391c3edffd70b.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1012

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OuyjAjuma\OuyjAjuma.dat

Filesize
288KB

MD5
0c3434b847f3471ede6025d71dc39130

SHA1
ed9e30424a1edcc48cbf9251414336bb9bc322bc

SHA256
58e01a7dcdad06a1756fce592b0158476a1fb70ae3f8677cc597905cd7b76355

SHA512
01ed1b5d03f988c89cc9710d93f66ea9b161cd6e0ce81efd9d9dff445b15ee5f5dfd0bd7e0a1e5fd894bbacd00f3be3c9f24115e4e5c7fea335f110c5ad583b8

Download Submit
\ProgramData\OuyjAjuma\OuyjAjuma.dat

Filesize
288KB

MD5
0c3434b847f3471ede6025d71dc39130

SHA1
ed9e30424a1edcc48cbf9251414336bb9bc322bc

SHA256
58e01a7dcdad06a1756fce592b0158476a1fb70ae3f8677cc597905cd7b76355

SHA512
01ed1b5d03f988c89cc9710d93f66ea9b161cd6e0ce81efd9d9dff445b15ee5f5dfd0bd7e0a1e5fd894bbacd00f3be3c9f24115e4e5c7fea335f110c5ad583b8

Download Submit
memory/1012-61-0x0000000001BF0000-0x0000000001C44000-memory.dmp

Filesize
336KB

Download
memory/1260-66-0x00000000029C0000-0x0000000002A14000-memory.dmp

Filesize
336KB

Download
memory/1260-72-0x0000000002A70000-0x0000000002ADB000-memory.dmp

Filesize
428KB

Download
memory/2036-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/2036-55-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2036-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-59-0x0000000074EB0000-0x0000000074EE3000-memory.dmp

Filesize
204KB

Download
memory/2036-65-0x0000000074EB0000-0x0000000074F1E000-memory.dmp

Filesize
440KB

Download
memory/2036-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-74-0x0000000074EB0000-0x0000000074EE3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads