8e538b14db8de2230c908e7e7d56112675762fa9edacfbc79e165e436df9a02e

General

Target

eb4943009e1976c9bf5bc6bf4ea44e4e.dll
Size

326KB
MD5

eb4943009e1976c9bf5bc6bf4ea44e4e
SHA1

85f969317976d0b9848e3719168624eca778467c
SHA256

8e538b14db8de2230c908e7e7d56112675762fa9edacfbc79e165e436df9a02e
SHA512

fe20d1be1680f22c30753e23a710e53c3bdf246141146a29dcecddccdfea482deeac878777532a794193b3645654f51ebf6e22303281424352e624644c37a6ad
SSDEEP

6144:qDzspNih30sJJSGTZN8xLOrbPzg0pIIAH1Gv8LTqcau1VA+6FlMx:qDzspNx4zN8xLO/PHAVOCVAlPA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1212	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
2320	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\OvzoZafqe = "regsvr32.exe \"C:\\ProgramData\\OvzoZafqe\\OvzoZafqe.dat\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\OvzoZafqe = "regsvr32.exe \"C:\\ProgramData\\OvzoZafqe\\OvzoZafqe.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{6C8D6F31-567C-4EE7-A6F0-766B6EE527AC}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{6C8D6F31-567C-4EE7-A6F0-766B6EE527AC}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{4DE67E11-5DA1-48AA-9C90-6B50436C72F2}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{4DE67E11-5DA1-48AA-9C90-6B50436C72F2}\{6E010C63-3D3F-4691-971B-3F771A2459BD} = 8092bc95	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{6C8D6F31-567C-4EE7-A6F0-766B6EE527AC}\#cert = 31	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{6C8D6F31-567C-4EE7-A6F0-766B6EE527AC}	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{4DE67E11-5DA1-48AA-9C90-6B50436C72F2}	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{6C8D6F31-567C-4EE7-A6F0-766B6EE527AC}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{6C8D6F31-567C-4EE7-A6F0-766B6EE527AC}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c65623439343330303965313937366339626635626336626634656134346534652e646c6c00	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{4DE67E11-5DA1-48AA-9C90-6B50436C72F2}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{4DE67E11-5DA1-48AA-9C90-6B50436C72F2}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2320	rundll32.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeCreateGlobalPrivilege	1668	DllHost.exe
Token: SeShutdownPrivilege	1668	DllHost.exe
Token: SeDebugPrivilege	1668	DllHost.exe
Token: SeCreateGlobalPrivilege	2868	rundll32.exe
Token: SeShutdownPrivilege	2868	rundll32.exe
Token: SeDebugPrivilege	2868	rundll32.exe
Token: SeCreateGlobalPrivilege	2320	rundll32.exe
Token: SeShutdownPrivilege	2320	rundll32.exe
Token: SeDebugPrivilege	2320	rundll32.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2320	2868	rundll32.exe	16
PID 2868 wrote to memory of 2320	2868	rundll32.exe	16
PID 2868 wrote to memory of 2320	2868	rundll32.exe	16
PID 2868 wrote to memory of 2320	2868	rundll32.exe	16
PID 2868 wrote to memory of 2320	2868	rundll32.exe	16
PID 2868 wrote to memory of 2320	2868	rundll32.exe	16
PID 2868 wrote to memory of 2320	2868	rundll32.exe	16
PID 2320 wrote to memory of 1212	2320	rundll32.exe	7
PID 2320 wrote to memory of 1212	2320	rundll32.exe	7
PID 2320 wrote to memory of 1668	2320	rundll32.exe	5
PID 2320 wrote to memory of 1668	2320	rundll32.exe	5
PID 2320 wrote to memory of 2868	2320	rundll32.exe	1
PID 2320 wrote to memory of 2868	2320	rundll32.exe	1

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb4943009e1976c9bf5bc6bf4ea44e4e.dll,#1
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb4943009e1976c9bf5bc6bf4ea44e4e.dll,#1
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OvzoZafqe\OvzoZafqe.dat

Filesize
88KB

MD5
3d6c5fe7d9893ac02aedf3d07bd4d72a

SHA1
9529ceed35ed69ca14b36f8cc1f508e95a9d3c88

SHA256
1dbeae9add746d44f8acf5a10a1f6ebd5e33a3c33c9d8c18ece4ab6f76aa52d8

SHA512
481b9f292abf2733bf4d6bce0f9b3758c92ad3696c8cb74bfc033e97fd3027da4ae5cad4ea7c1436a141d94387f321f4f4446987e554ca5b1dfba61e2e561732

Download Submit
\ProgramData\OvzoZafqe\OvzoZafqe.dat

Filesize
220KB

MD5
06a5574979bee48807c561b064535b58

SHA1
156e62d3172933aba72e34e60d4b1a3fc47d75a9

SHA256
2137bdd0482d1fd80ae3a82dc893e4e9171212cec6d5444074ea179bb4e24c8f

SHA512
3219a640c4dcd02d46c077ba0b0b796e6377b9960ff63705921e25ee7d96a5decc9beb26a53f570127107ccbfcee7781f93155e48be95979e480f3657b896d7e

Download Submit
memory/1212-26-0x0000000002DF0000-0x0000000002E43000-memory.dmp

Filesize
332KB

Download
memory/1212-41-0x0000000002E60000-0x0000000002ECC000-memory.dmp

Filesize
432KB

Download
memory/1212-24-0x0000000002E60000-0x0000000002ECC000-memory.dmp

Filesize
432KB

Download
memory/1212-28-0x0000000002E60000-0x0000000002ECC000-memory.dmp

Filesize
432KB

Download
memory/1212-19-0x0000000002DF0000-0x0000000002E43000-memory.dmp

Filesize
332KB

Download
memory/1212-21-0x0000000002E60000-0x0000000002ECC000-memory.dmp

Filesize
432KB

Download
memory/1212-22-0x0000000076D30000-0x0000000076D31000-memory.dmp

Filesize
4KB

Download
memory/1668-33-0x0000000076D30000-0x0000000076D31000-memory.dmp

Filesize
4KB

Download
memory/1668-30-0x00000000022B0000-0x000000000231C000-memory.dmp

Filesize
432KB

Download
memory/2320-18-0x00000000001A0000-0x00000000001D3000-memory.dmp

Filesize
204KB

Download
memory/2320-35-0x0000000076F10000-0x0000000076F11000-memory.dmp

Filesize
4KB

Download
memory/2320-13-0x00000000001A0000-0x00000000001D1000-memory.dmp

Filesize
196KB

Download
memory/2320-1-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/2320-11-0x00000000001A0000-0x00000000001D3000-memory.dmp

Filesize
204KB

Download
memory/2320-39-0x00000000001A0000-0x00000000001D1000-memory.dmp

Filesize
196KB

Download
memory/2320-7-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2320-0-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2320-36-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2320-37-0x0000000002D30000-0x0000000002DAB000-memory.dmp

Filesize
492KB

Download
memory/2320-38-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/2868-34-0x0000000076D30000-0x0000000076ED9000-memory.dmp

Filesize
1.7MB

Download
memory/2868-40-0x0000000076D30000-0x0000000076ED9000-memory.dmp

Filesize
1.7MB

Download
memory/2868-32-0x0000000001EB0000-0x0000000001F1C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads