cf26d109210faef7d11e7f953e33f4b822624f5c8550fdad723bb63ac915a4e8

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a47d3ff527137f9f69e5d6ef82aecf.exe
Size

170KB
MD5

04a47d3ff527137f9f69e5d6ef82aecf
SHA1

b1f09d5fa2ac23d09560ee25be123bbc4766fc5e
SHA256

cf26d109210faef7d11e7f953e33f4b822624f5c8550fdad723bb63ac915a4e8
SHA512

eb76cfbbf9d5064cf57628226cd5f61a807c163ea2279bd78087863ff62813c7c6dae8799e0cff7a5e20cc5a770610747f8c819928f71a2bfef5a302a26177da
SSDEEP

3072:rFbZKoyQ4KBI1Jm1ozz7nFXpVcU1qboubhq8j1icx3nhtn1R9J2tGt50QiQ:rPKjQb1uFjcUuoikO/x3hvJ2ktEQ

Score

8^/10

adware discovery stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\00005312.SYS	MIS_842_0.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	04a47d3ff527137f9f69e5d6ef82aecf.exe

Executes dropped EXE 2 IoCs

pid	Process
4264	mms_842.exe
4620	MIS_842_0.EXE

Loads dropped DLL 2 IoCs

pid	Process
4620	MIS_842_0.EXE
1516	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\ = "ttih"	MIS_842_0.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\00005312.DAT	MIS_842_0.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\ssrq\ggvx.dll	MIS_842_0.EXE
File opened for modification	C:\PROGRA~1\COMMON~1\ssrq\wwon.ini	MIS_842_0.EXE
File opened for modification	C:\Program Files\Common Files\ssrq\yyqp.ini	MIS_842_0.EXE
File created	C:\Program Files\Common Files\ssrq\wwon.ini	MIS_842_0.EXE
File opened for modification	C:\Program Files\Common Files\ssrq\wwon.ini	MIS_842_0.EXE
File created	C:\Program Files\Common Files\ssrq\ddvu.dll	MIS_842_0.EXE
File opened for modification	C:\Program Files\Common Files\ssrq\bbts.ini	MIS_842_0.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe

Modifies registry class 43 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissist.1	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissist.1\ = "uujiho.uujissist BHO"	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissistMenu\CurVer\ = "uujiho.uujissist.1"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissistMenu.1	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissistMenu.1\CLSID\ = "{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}\VersionIndependentProgID	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissist.1\CLSID	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\ = "uujiho.uujissist BHO"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}\InprocServer32	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissist\ = "uujiho.uujissist BHO"	MIS_842_0.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\InprocServer32	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\VersionIndependentProgID	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}\ProgID\ = "uujiho.uujissistMenu.1"	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}\VersionIndependentProgID\ = "uujiho.uujissistMenu"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissist	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissist\CLSID\ = "{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissist\CurVer	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\ProgID	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\ProgID\ = "uujiho.uujissist.1"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\Programmable	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}\ProgID	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissist\CLSID	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissist\CurVer\ = "uujiho.uujissist.1"	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissist.1\CLSID\ = "{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}"	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}\ = "uujiho.uujissistMenu"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}\Programmable	MIS_842_0.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissistMenu	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissistMenu\CurVer	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissistMenu.1\ = "uujiho.uujissistMenu"	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}\InprocServer32\ = "C:\\PROGRA~1\\COMMON~1\\ssrq\\ddvu.dll"	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\ = "ttih"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\InprocServer32	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissistMenu\ = "uujiho.uujissistMenu"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissistMenu\CLSID	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissistMenu\CLSID\ = "{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\InprocServer32\ = "C:\\PROGRA~1\\COMMON~1\\ssrq\\ddvu.dll"	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\InprocServer32\ThreadingModel = "Apartment"	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FF268A8-5622-4DE0-9018-DDDA2D6B08C8}\VersionIndependentProgID\ = "uujiho.uujissist"	MIS_842_0.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uujiho.uujissistMenu.1\CLSID	MIS_842_0.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8DBD9D0-EB0D-4F8D-AD82-E1EFB8798909}\InprocServer32\ThreadingModel = "Apartment"	MIS_842_0.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4264	1076	04a47d3ff527137f9f69e5d6ef82aecf.exe	89
PID 1076 wrote to memory of 4264	1076	04a47d3ff527137f9f69e5d6ef82aecf.exe	89
PID 1076 wrote to memory of 4264	1076	04a47d3ff527137f9f69e5d6ef82aecf.exe	89
PID 4264 wrote to memory of 4620	4264	mms_842.exe	91
PID 4264 wrote to memory of 4620	4264	mms_842.exe	91
PID 4264 wrote to memory of 4620	4264	mms_842.exe	91

C:\Users\Admin\AppData\Local\Temp\04a47d3ff527137f9f69e5d6ef82aecf.exe
"C:\Users\Admin\AppData\Local\Temp\04a47d3ff527137f9f69e5d6ef82aecf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\mms_842.exe
  "C:\Users\Admin\AppData\Local\Temp\mms_842.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\MIS_842_0.EXE
    C:\Users\Admin\AppData\Local\Temp\MIS_842_0.EXE
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    PID:4620

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\PROGRA~1\COMMON~1\ssrq\ggvx.dll,Service
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\ssrq\ddvu.dll

Filesize
9KB

MD5
5821d0bde2ef2b92f8eae8101ca0e51e

SHA1
ee91a01b94d7daa3d5840be788a45ab6d38f54b7

SHA256
6443917a12cf9718ef4b3cc1648d65d09958862f10beace1fc435fd259d8b552

SHA512
f0974521931dca911af358c387dab1c7ff99b40dd6c8af9023659c0baf15ff9d8ec3a32c1734747f1ddaa7f609cc3bc091e49e190e5f23e594dac7b06fb34cca

Download Submit
C:\PROGRA~1\COMMON~1\ssrq\wwon.ini

Filesize
126B

MD5
48e6b3c7c381216ecc744766ebce733f

SHA1
a9e59cbea13588244c1a595b96004a156dfc1b15

SHA256
bd71efcf28ac1f5703149e3c513884f899169660c07d3b38de128df19fa9a7e5

SHA512
41b34582b5802ca142e28246c441a63af2dd064b45e205c8344155554bc179a5b8327950d578e2bacdfdfb65e9569243162099cd31da49ee681c50e83e0bde4c

Download Submit
C:\Program Files\Common Files\ssrq\ddvu.dll

Filesize
61KB

MD5
7462b70e73dfa1f9089f79d7c413f320

SHA1
7e26969d882aff3a92b125fc15d9f1a08f8134b7

SHA256
89268f8c4f2bf3240a627f24eb7a8fa1a13be8fe3d01b860e9e58795de90f0a3

SHA512
4f8f0d3b49e6dbfa048d146b75ef5d1b1745935767e5124a6fbb0f55abef8c802d82400679e9342dc78ee887130d613f510c7cc79e0a5701114cad6bee1e2faa

Download Submit
C:\Program Files\Common Files\ssrq\ggvx.dll

Filesize
136KB

MD5
b2c2450a67c90367e6bce1746991fb5d

SHA1
2343e85524b7842af1d3b2cc35f4774e4dbaea67

SHA256
ebe106cb3a6175da6c0e023a10da90ccf2f6347fa5df4c6734fd4675d986beea

SHA512
6a396dc7c9c1971a79fe7203b58d80787dc124157aa04c63834551798b16764552249d2e612b428dc07ae25143cacdceb6c5809e7bf473ae32085bf23a30560d

Download Submit
C:\Program Files\Common Files\ssrq\yyqp.ini

Filesize
170B

MD5
16c27b8fcd5d1ab5a3abb2737d6b9827

SHA1
d29d543f3dda4ded9a54203f347e402d58b63cf3

SHA256
c2ecbb1b2cf1887146b4347e67206872c683274f400a0a4c506adf3be994eda4

SHA512
4e6b0980b5a49dfd705379fd37d94458e986106dbbdbb057ee435c69438ece9040d59110c182a8f7c2e4f69b32d6a5e42de1a3ede513d4197e4b5500a75e2b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIS_842_0.EXE

Filesize
48KB

MD5
8c4a45995e337683f9c8e15bdef3b56a

SHA1
8bb7e0b4406e551b55eafde4d0d67f62d4b92c8e

SHA256
32a08965e7f44af871f186f18f919eb37a50e48d5f73910cee7f8f2a841cfce7

SHA512
25801ae302abce7d008c23228d63d66481ef0c53d7981f25cb09d1d339b0dfeb0b5bf4dd55bf3501b4a01a39e50be668185e645780e71ce53bd0e97391ff1d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIS_842_0.EXE

Filesize
71KB

MD5
efdf5d099767f06d6155893b4eadf07f

SHA1
053f8d64b6af312421d580c0014352994d1ba5ee

SHA256
792d0f34480a9714b97fa7ae4a2bd53d1444a4c1e04bf0be7254ba3eb2b5e1ed

SHA512
4ba014885894379962a52cbba9e5094efe7b220f9b93092c8a13e72cf47300695e29b60e96867d16c6c1aa36e4227945a763cb36e6660124eaf97c3c17bb2c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\mms_842.exe

Filesize
128KB

MD5
082516a1315529c41be2ea45efb992db

SHA1
475cbc1f34eb85e723b98a89c31714733cc0320a

SHA256
c69a1dceaf4fc08d2f27b928968b5665a75eb9733d7a0376d07aac6c67b88d54

SHA512
06f40cdafc48e8f89630b2dc70b8545c761333816d200bc57d70b1dd92108be259fdbd50f0a48ee4cc947b11799e6ca2b00c139f73f7c8c3f0a2d2554ed2ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\mms_842.exe

Filesize
105KB

MD5
c163c87bb584375a09863165732a94bc

SHA1
41d11846f3a4715e1adb770dfee799826656b3c4

SHA256
f4ee4363eb758cda73f78bbb8a45f931d0c8bfc3d2ae01be454fb67f879e94cf

SHA512
5232be1b91dcef677175f4957248f28ba54e17161390f41738068bd4e5dbbe57830cdc0af4efadff292e884974248d9a9fb1c52b3c95634d27fd1d1df4516b55

Download Submit
memory/1076-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1076-2-0x0000000002170000-0x0000000002172000-memory.dmp

Filesize
8KB

Download
memory/1076-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download