5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90

General

Target

5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90.dll
Size

140KB
MD5

035dda146051417ca897caa0282435d0
SHA1

d4e365c7fa51ead1a3218eada4cfc295501cd165
SHA256

5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90
SHA512

783acad010ebff23acf69c8e5df3593d4bd80cc2544fa2692bffa9f38a7f212cf7657b6387fb910b9ec36e923dae407f163e8ff5a5345c8f74e2acfdc68e009a
SSDEEP

3072:qZMMrEQoS2ymTSUmdngNBTMPo7GACZTJIO2eRq8QpKlzIPOs2zLoRCyI:MMK6mdg7MPCGxJ43KSPSLoRm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{902b83aa-3629-470d-9844-8841923519b8}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{902b83aa-3629-470d-9844-8841923519b8}\ = "{8b915329-1488-4489-d074-9263aa38b209}"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\knohhg.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\knohhg.dll	rundll32.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{902b83aa-3629-470d-9844-8841923519b8}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{902b83aa-3629-470d-9844-8841923519b8}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{902b83aa-3629-470d-9844-8841923519b8}\InprocServer32\ = "C:\\Windows\\SysWow64\\knohhg.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{902b83aa-3629-470d-9844-8841923519b8}\InprocServer32\ThreadingModel = "free"	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1684	864	rundll32.exe	28
PID 864 wrote to memory of 1684	864	rundll32.exe	28
PID 864 wrote to memory of 1684	864	rundll32.exe	28
PID 864 wrote to memory of 1684	864	rundll32.exe	28
PID 864 wrote to memory of 1684	864	rundll32.exe	28
PID 864 wrote to memory of 1684	864	rundll32.exe	28
PID 864 wrote to memory of 1684	864	rundll32.exe	28
PID 1684 wrote to memory of 1608	1684	rundll32.exe	29
PID 1684 wrote to memory of 1608	1684	rundll32.exe	29
PID 1684 wrote to memory of 1608	1684	rundll32.exe	29
PID 1684 wrote to memory of 1608	1684	rundll32.exe	29
PID 1684 wrote to memory of 1608	1684	rundll32.exe	29
PID 1684 wrote to memory of 1608	1684	rundll32.exe	29
PID 1684 wrote to memory of 1608	1684	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\knohhg.dll",i
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\knohhg.dll

Filesize
140KB

MD5
035dda146051417ca897caa0282435d0

SHA1
d4e365c7fa51ead1a3218eada4cfc295501cd165

SHA256
5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90

SHA512
783acad010ebff23acf69c8e5df3593d4bd80cc2544fa2692bffa9f38a7f212cf7657b6387fb910b9ec36e923dae407f163e8ff5a5345c8f74e2acfdc68e009a

Download Submit
\Windows\SysWOW64\knohhg.dll

Filesize
140KB

MD5
035dda146051417ca897caa0282435d0

SHA1
d4e365c7fa51ead1a3218eada4cfc295501cd165

SHA256
5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90

SHA512
783acad010ebff23acf69c8e5df3593d4bd80cc2544fa2692bffa9f38a7f212cf7657b6387fb910b9ec36e923dae407f163e8ff5a5345c8f74e2acfdc68e009a

Download Submit
\Windows\SysWOW64\knohhg.dll

Filesize
140KB

MD5
035dda146051417ca897caa0282435d0

SHA1
d4e365c7fa51ead1a3218eada4cfc295501cd165

SHA256
5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90

SHA512
783acad010ebff23acf69c8e5df3593d4bd80cc2544fa2692bffa9f38a7f212cf7657b6387fb910b9ec36e923dae407f163e8ff5a5345c8f74e2acfdc68e009a

Download Submit
\Windows\SysWOW64\knohhg.dll

Filesize
140KB

MD5
035dda146051417ca897caa0282435d0

SHA1
d4e365c7fa51ead1a3218eada4cfc295501cd165

SHA256
5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90

SHA512
783acad010ebff23acf69c8e5df3593d4bd80cc2544fa2692bffa9f38a7f212cf7657b6387fb910b9ec36e923dae407f163e8ff5a5345c8f74e2acfdc68e009a

Download Submit
\Windows\SysWOW64\knohhg.dll

Filesize
140KB

MD5
035dda146051417ca897caa0282435d0

SHA1
d4e365c7fa51ead1a3218eada4cfc295501cd165

SHA256
5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90

SHA512
783acad010ebff23acf69c8e5df3593d4bd80cc2544fa2692bffa9f38a7f212cf7657b6387fb910b9ec36e923dae407f163e8ff5a5345c8f74e2acfdc68e009a

Download Submit
memory/1684-55-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1684-56-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/1684-57-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/1684-58-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/1684-59-0x0000000000AA0000-0x0000000000C46000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing