ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47

General

Target

ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe
Size

46KB
MD5

b3c341a600e3cfa5eba64c13b6db5e87
SHA1

0da1642952dc65664453c587277634af0fe0354d
SHA256

ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47
SHA512

6d932a3c36a05b094103d7bd33f3ec55be6780ad3ad99ac288e407ab690923283a46a0d40f388feaaf7880e68e4ce0ac9b413e5cc8a76f17878f6316501d1a64
SSDEEP

384:rxSIazxksfSGPCTFA0WO25HgsnghJQdVmQsZn9ZldG5F6BufsiN+FG:XyxjOFA0TwHWJQdV7sRbHG5Ff+FG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1756	winlognn.exe

Deletes itself 1 IoCs

pid	Process
1396	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1048	Regsvr32.exe
276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe
276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrijh8s73jhbfgfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlognn.exe"	winlognn.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	winlognn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lrijh8s73jhbfgfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlognn.exe"	winlognn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlognn.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	Regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5BF4552-94F1-42BD-F434-3604812C807D}	Regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\eawdh3hbg87dkjn.dll	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\ = "C:\\Windows\\SysWow64\\eawdh3hbg87dkjn.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\InProcServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\InProcServer32\ = "C:\\Windows\\SysWow64\\eawdh3hbg87dkjn.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\InProcServer32\ThreadingModel = "Apartment"	Regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1048	Regsvr32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 276 wrote to memory of 1048	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	28
PID 276 wrote to memory of 1048	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	28
PID 276 wrote to memory of 1048	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	28
PID 276 wrote to memory of 1048	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	28
PID 276 wrote to memory of 1048	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	28
PID 276 wrote to memory of 1048	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	28
PID 276 wrote to memory of 1048	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	28
PID 276 wrote to memory of 1756	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	29
PID 276 wrote to memory of 1756	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	29
PID 276 wrote to memory of 1756	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	29
PID 276 wrote to memory of 1756	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	29
PID 276 wrote to memory of 1540	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	33
PID 276 wrote to memory of 1540	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	33
PID 276 wrote to memory of 1540	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	33
PID 276 wrote to memory of 1540	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	33
PID 276 wrote to memory of 1396	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	34
PID 276 wrote to memory of 1396	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	34
PID 276 wrote to memory of 1396	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	34
PID 276 wrote to memory of 1396	276	ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe	34

C:\Users\Admin\AppData\Local\Temp\ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe
"C:\Users\Admin\AppData\Local\Temp\ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:276
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe /s C:\Windows\system32\eawdh3hbg87dkjn.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\winlognn.exe
  C:\Users\Admin\AppData\Local\Temp\winlognn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1756
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\p2hhr.bat" "C:\Users\Admin\AppData\Local\Temp\ede3942b5dd89e23d32c46f67ebe1c925d81402249ac7ef1d33f4d1e9f3d5b47.exe""
  2⤵
  - Deletes itself
  PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\p2hhr.bat

Filesize
46B

MD5
4eb5eeba568b8c5912ccd65442c964ce

SHA1
b4af6dd121ef6a57e5799e812bb795db0659a8a1

SHA256
a0620011f49bc3947e6d1d8c45c3135f640c331b679ed0eb6f97d7028ec113e6

SHA512
671b8be20b29af30450d4a36c8f71d6bc29718cfcac35b3788cd60c8141206ac3081a93c094234a6c7d1126e4690ce6536ab9a6535072d80a866b1ce83812b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlognn.exe

Filesize
14KB

MD5
2b8473ecc65c913d7352235707ca7968

SHA1
843d8455d2facba96a2accda0f9306987ae8c11a

SHA256
295562e1691358ff11f14a72c936a1db789627b7789476bcde38bf7899d63063

SHA512
4911a6252f0f4e716e5812076695e68524a19577e08fdb971a6987e72a24ca2d8bd204f9f1fd2b4572c11956d7af56519dcf99955ca31a02b40ff15c17bb2f27

Download Submit
C:\Windows\SysWOW64\eawdh3hbg87dkjn.dll

Filesize
14KB

MD5
ab1269a7a2c902423b35b0f116dc1608

SHA1
616761ccde5a7eb19cfe18f700b0d8d414a0b5c0

SHA256
773f6c603e464bfcfbd13c2999a54cc96d2a47411c5ad1576ec89006480d113a

SHA512
ec1c86a76e873f07b126f7ded278c9118dc00d19ce4b1c2912272d41c5a0c1b1295b864f4d36d5e1ada84bcc0313ee2130e91f832843f408a9d8812b74315a80

Download Submit
\Users\Admin\AppData\Local\Temp\winlognn.exe

Filesize
14KB

MD5
2b8473ecc65c913d7352235707ca7968

SHA1
843d8455d2facba96a2accda0f9306987ae8c11a

SHA256
295562e1691358ff11f14a72c936a1db789627b7789476bcde38bf7899d63063

SHA512
4911a6252f0f4e716e5812076695e68524a19577e08fdb971a6987e72a24ca2d8bd204f9f1fd2b4572c11956d7af56519dcf99955ca31a02b40ff15c17bb2f27

Download Submit
\Users\Admin\AppData\Local\Temp\winlognn.exe

Filesize
14KB

MD5
2b8473ecc65c913d7352235707ca7968

SHA1
843d8455d2facba96a2accda0f9306987ae8c11a

SHA256
295562e1691358ff11f14a72c936a1db789627b7789476bcde38bf7899d63063

SHA512
4911a6252f0f4e716e5812076695e68524a19577e08fdb971a6987e72a24ca2d8bd204f9f1fd2b4572c11956d7af56519dcf99955ca31a02b40ff15c17bb2f27

Download Submit
\Windows\SysWOW64\eawdh3hbg87dkjn.dll

Filesize
14KB

MD5
ab1269a7a2c902423b35b0f116dc1608

SHA1
616761ccde5a7eb19cfe18f700b0d8d414a0b5c0

SHA256
773f6c603e464bfcfbd13c2999a54cc96d2a47411c5ad1576ec89006480d113a

SHA512
ec1c86a76e873f07b126f7ded278c9118dc00d19ce4b1c2912272d41c5a0c1b1295b864f4d36d5e1ada84bcc0313ee2130e91f832843f408a9d8812b74315a80

Download Submit
memory/276-65-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/276-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/276-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/276-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/276-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1540-71-0x00000000746F1000-0x00000000746F3000-memory.dmp

Filesize
8KB

Download
memory/1756-66-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1756-68-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads