9b06785cc3849340b17522965eeb9d19239be9bd006cb07988279bc4588ea982

Analysis

max time kernel
67s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-03-2023 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
Size

2.2MB
MD5

20136843871cbf97f966bd27c9522108
SHA1

96f6129e9103be1317236380079bbb3bbdb58d2d
SHA256

731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117
SHA512

2ab6a87949c11b33c8060794bee6b93c8cf668396398fa8817e59b4c8a706bfe01e3a7100cee9e575b32233624fb159cb038342ca2abfc11e46a0474b293c04b
SSDEEP

49152:Wf4JYjtvbdDUDYTSN4x1PjcvJ5dfSObPXAbVoE56ij:JI5wDYy4f7wdLbQVoEc

Score

7^/10

aspackv2 persistence spyware stealer upx

Malware Config

Signatures

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\OqmBIi.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\OqmBIi.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\OqmBIi.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\OqmBIi.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\OqmBIi.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

OqmBIi.exeLodopDllInstall64.exe

pid process

836 OqmBIi.exe
1112 LodopDllInstall64.exe

pid	process
836	OqmBIi.exe
1112	LodopDllInstall64.exe

Loads dropped DLL 10 IoCs

Processes:

731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exeOqmBIi.exeLodopDllInstall64.exe

pid	process
1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
836	OqmBIi.exe
836	OqmBIi.exe
836	OqmBIi.exe
1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
1112	LodopDllInstall64.exe
1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

LodopDllInstall64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ = "C:\\PROGRA~2\\MOUNTT~1\\Lodop\\CAOSOF~1.OCX"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ThreadingModel = "Apartment"	LodopDllInstall64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1716-78-0x0000000000400000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/1716-106-0x0000000000400000-0x0000000000B8C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

OqmBIi.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	OqmBIi.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	OqmBIi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	OqmBIi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	OqmBIi.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	OqmBIi.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	OqmBIi.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	OqmBIi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe

Modifies registry class 64 IoCs

Processes:

LodopDllInstall64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop64.ocx"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ThreadingModel = "Apartment"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop64.ocx,0"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0\ = "Properties,0,2"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID\ = "Lodop.LodopX"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ = "C:\\PROGRA~2\\MOUNTT~1\\Lodop\\CAOSOF~1.OCX"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid\ = "{2105C259-1E0C-4534-8141-A753534CB4CA}"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\ = "Lodop"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1\ = "205201"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version\ = "6.0"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS\ = "2"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ = "LodopX Control"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control\	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0"	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\ = "0"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0"	LodopDllInstall64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}	LodopDllInstall64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\ = "LodopX Control"	LodopDllInstall64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe

pid	process
1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exeOqmBIi.exe

description	pid	process	target process
PID 1716 wrote to memory of 836	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	OqmBIi.exe
PID 1716 wrote to memory of 836	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	OqmBIi.exe
PID 1716 wrote to memory of 836	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	OqmBIi.exe
PID 1716 wrote to memory of 836	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	OqmBIi.exe
PID 1716 wrote to memory of 836	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	OqmBIi.exe
PID 1716 wrote to memory of 836	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	OqmBIi.exe
PID 1716 wrote to memory of 836	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	OqmBIi.exe
PID 1716 wrote to memory of 1112	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	LodopDllInstall64.exe
PID 1716 wrote to memory of 1112	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	LodopDllInstall64.exe
PID 1716 wrote to memory of 1112	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	LodopDllInstall64.exe
PID 1716 wrote to memory of 1112	1716	731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe	LodopDllInstall64.exe
PID 836 wrote to memory of 932	836	OqmBIi.exe	cmd.exe
PID 836 wrote to memory of 932	836	OqmBIi.exe	cmd.exe
PID 836 wrote to memory of 932	836	OqmBIi.exe	cmd.exe
PID 836 wrote to memory of 932	836	OqmBIi.exe	cmd.exe
PID 836 wrote to memory of 932	836	OqmBIi.exe	cmd.exe
PID 836 wrote to memory of 932	836	OqmBIi.exe	cmd.exe
PID 836 wrote to memory of 932	836	OqmBIi.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
"C:\Users\Admin\AppData\Local\Temp\731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe
C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\74a13315.bat" "
3⤵
PID:932

C:\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe
"C:\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe" CAOSOFT_WEB_PRINT_lodop64.ocx
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop64.ocx
Filesize
6.0MB

MD5
167734e8f770e73bd8baf046caff17d6

SHA1
e84dac6c9cc7d4a42635cae46941e55c637b3e3d

SHA256
311eef48ed6ed5e930f193b3f62e45d91a075ac4c80b315b18add79e57a867a0

SHA512
aab9ef67c3a476974f7003f9c90806c76a220e9c9f1b62c65a1bc8f8b86e188d88dbb4f0476a2bcd658e06898576197c34c0cff3f66633a7f26316bae6635bc1

Download Submit
C:\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe
Filesize
475KB

MD5
129c19761074529f21e9b58760018538

SHA1
dc44d7184927adcb7ae2d509a56624f320c0ce94

SHA256
27b84c2b92bbea719f96769cfa287b94a48ab13c7c3ba6c4907a1886f3a6940a

SHA512
3dabfdda728aa6db59f5499b2500cecc7e332bef899f2c728213d48d96eee9fefa8720c91597c8223be4b1631ec0211c17c6d546f2ea330b7c458bdb56fc224e

Download Submit
C:\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe
Filesize
475KB

MD5
129c19761074529f21e9b58760018538

SHA1
dc44d7184927adcb7ae2d509a56624f320c0ce94

SHA256
27b84c2b92bbea719f96769cfa287b94a48ab13c7c3ba6c4907a1886f3a6940a

SHA512
3dabfdda728aa6db59f5499b2500cecc7e332bef899f2c728213d48d96eee9fefa8720c91597c8223be4b1631ec0211c17c6d546f2ea330b7c458bdb56fc224e

Download Submit
C:\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe
Filesize
475KB

MD5
129c19761074529f21e9b58760018538

SHA1
dc44d7184927adcb7ae2d509a56624f320c0ce94

SHA256
27b84c2b92bbea719f96769cfa287b94a48ab13c7c3ba6c4907a1886f3a6940a

SHA512
3dabfdda728aa6db59f5499b2500cecc7e332bef899f2c728213d48d96eee9fefa8720c91597c8223be4b1631ec0211c17c6d546f2ea330b7c458bdb56fc224e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4D33E1QE\k2[1].rar
Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\555F06EC.exe
Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\74a13315.bat
Filesize
187B

MD5
ad734f3e4e989809173c4e418ce78649

SHA1
f0746f315269365a98c4978f61df6d274dc8eb52

SHA256
f0603d88d2cdeb81092003cdece1dc367e6be9a0eda3dbf47979daa382772320

SHA512
c89dd3d42ff76fa73afc70e0ea92319babb6be7311cdf18b427f0f9783d87368368499c395ed89ad68d79ddbadb9fac9b2191354ac1890c45fb4de02e9f3e142

Download Submit
C:\Users\Admin\AppData\Local\Temp\74a13315.bat
Filesize
187B

MD5
ad734f3e4e989809173c4e418ce78649

SHA1
f0746f315269365a98c4978f61df6d274dc8eb52

SHA256
f0603d88d2cdeb81092003cdece1dc367e6be9a0eda3dbf47979daa382772320

SHA512
c89dd3d42ff76fa73afc70e0ea92319babb6be7311cdf18b427f0f9783d87368368499c395ed89ad68d79ddbadb9fac9b2191354ac1890c45fb4de02e9f3e142

Download Submit
C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop64.ocx
Filesize
6.0MB

MD5
167734e8f770e73bd8baf046caff17d6

SHA1
e84dac6c9cc7d4a42635cae46941e55c637b3e3d

SHA256
311eef48ed6ed5e930f193b3f62e45d91a075ac4c80b315b18add79e57a867a0

SHA512
aab9ef67c3a476974f7003f9c90806c76a220e9c9f1b62c65a1bc8f8b86e188d88dbb4f0476a2bcd658e06898576197c34c0cff3f66633a7f26316bae6635bc1

Download Submit
\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop64.ocx
Filesize
6.0MB

MD5
167734e8f770e73bd8baf046caff17d6

SHA1
e84dac6c9cc7d4a42635cae46941e55c637b3e3d

SHA256
311eef48ed6ed5e930f193b3f62e45d91a075ac4c80b315b18add79e57a867a0

SHA512
aab9ef67c3a476974f7003f9c90806c76a220e9c9f1b62c65a1bc8f8b86e188d88dbb4f0476a2bcd658e06898576197c34c0cff3f66633a7f26316bae6635bc1

Download Submit
\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop64.ocx
Filesize
6.0MB

MD5
167734e8f770e73bd8baf046caff17d6

SHA1
e84dac6c9cc7d4a42635cae46941e55c637b3e3d

SHA256
311eef48ed6ed5e930f193b3f62e45d91a075ac4c80b315b18add79e57a867a0

SHA512
aab9ef67c3a476974f7003f9c90806c76a220e9c9f1b62c65a1bc8f8b86e188d88dbb4f0476a2bcd658e06898576197c34c0cff3f66633a7f26316bae6635bc1

Download Submit
\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe
Filesize
475KB

MD5
129c19761074529f21e9b58760018538

SHA1
dc44d7184927adcb7ae2d509a56624f320c0ce94

SHA256
27b84c2b92bbea719f96769cfa287b94a48ab13c7c3ba6c4907a1886f3a6940a

SHA512
3dabfdda728aa6db59f5499b2500cecc7e332bef899f2c728213d48d96eee9fefa8720c91597c8223be4b1631ec0211c17c6d546f2ea330b7c458bdb56fc224e

Download Submit
\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe
Filesize
475KB

MD5
129c19761074529f21e9b58760018538

SHA1
dc44d7184927adcb7ae2d509a56624f320c0ce94

SHA256
27b84c2b92bbea719f96769cfa287b94a48ab13c7c3ba6c4907a1886f3a6940a

SHA512
3dabfdda728aa6db59f5499b2500cecc7e332bef899f2c728213d48d96eee9fefa8720c91597c8223be4b1631ec0211c17c6d546f2ea330b7c458bdb56fc224e

Download Submit
\Users\Admin\AppData\Local\Temp\OqmBIi.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\OqmBIi.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\OqmBIi.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\OqmBIi.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\OqmBIi.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/836-83-0x0000000000160000-0x0000000000169000-memory.dmp

Filesize
36KB

Download
memory/836-107-0x0000000000160000-0x0000000000169000-memory.dmp

Filesize
36KB

Download
memory/1112-77-0x0000000001CF0000-0x0000000002305000-memory.dmp

Filesize
6.1MB

Download
memory/1112-85-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1716-79-0x0000000001100000-0x000000000188C000-memory.dmp

Filesize
7.5MB

Download
memory/1716-78-0x0000000000400000-0x0000000000B8C000-memory.dmp

Filesize
7.5MB

Download
memory/1716-106-0x0000000000400000-0x0000000000B8C000-memory.dmp

Filesize
7.5MB

Download
memory/1716-84-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1716-82-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1716-81-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1716-80-0x0000000001100000-0x000000000188C000-memory.dmp

Filesize
7.5MB

Download
memory/1716-136-0x0000000001100000-0x000000000188C000-memory.dmp

Filesize
7.5MB

Download