22f23ef52229aa74af56612bc19ade61c60482ea48437225a0f375b695a6a3a0

General

Target

09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Size

136KB
MD5

09ded9d67c67f75bfe9d3c6df6e2e4cd
SHA1

9d6ffdb1ed0fe781a516bf704c6e882bc6c494e5
SHA256

22f23ef52229aa74af56612bc19ade61c60482ea48437225a0f375b695a6a3a0
SHA512

141fd7d7433daf3526cc8f04c771792cf8f50cca7b47674e061ff44c33664a9df4718493251593771b767ca07cf73ab2366f7f7b7079e563bbc6ef3da24ffa45
SSDEEP

3072:yBUIYrsgIDmJP45GBUuXjHD/xbSBkUb8c7DVsqViv0vRnXP5LVL:yGsA3ieHD5JY8IDVUSRnXP5pL

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1188	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
1188	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
1188	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
2720	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\UoDo\game.dll	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
File created	C:\Windows\UoDo\game.dll	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
File opened for modification	C:\Windows\system.ini	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
File opened for modification	C:\Windows\system.ini	regsvr32.exe
File opened for modification	C:\Windows\UoDo\game.dll	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ThreadingModel = "Apartment"	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{296AB1B8-FB22-4D17-8834"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{296AB1B8-FB22-4D17-8834"	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ = "C:\\Windows\\UoDo\\game.dll"	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ = "C:\\Windows\\UoDo\\game.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2720	1188	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe	23
PID 1188 wrote to memory of 2720	1188	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe	23
PID 1188 wrote to memory of 2720	1188	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe	23
PID 1188 wrote to memory of 2720	1188	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe	23
PID 1188 wrote to memory of 2720	1188	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe	23
PID 1188 wrote to memory of 2720	1188	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe	23
PID 1188 wrote to memory of 2720	1188	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe	23

C:\Users\Admin\AppData\Local\Temp\09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
"C:\Users\Admin\AppData\Local\Temp\09ded9d67c67f75bfe9d3c6df6e2e4cd.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\regsvr32.exe
  "regsvr32.exe" "C:\Windows\UoDo\game.dll" /s
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Windows directory
  - Modifies registry class
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst8AF3.tmp\System.dll

Filesize
10KB

MD5
bf01b2d04e8fad306ba2f364cfc4edfa

SHA1
58f42b45ca9fc1818c4498ecd8bac088d20f2b18

SHA256
d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903

SHA512
30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

Download Submit
\Users\Admin\AppData\Local\Temp\nst8AF3.tmp\System.dll

Filesize
3KB

MD5
00d9e9a73f23e4cdbf618a9b7e86d42b

SHA1
87e0d26c14ead6fdcaa0f74834d54707f094f211

SHA256
72baeacba68cb5e3918c4de28b13311cb662d21d38b88053b9d810e02725f2cc

SHA512
4c9c9aaf0235c64996b06d913647ef0f6fffb40ae5b463b6b03ce4018fc119a225db83b2d821b85b1a5f2417f276b5346ca191bd992530da841812f48e7be316

Download Submit
memory/1188-11-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing