22f23ef52229aa74af56612bc19ade61c60482ea48437225a0f375b695a6a3a0

General

Target

09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Size

136KB
MD5

09ded9d67c67f75bfe9d3c6df6e2e4cd
SHA1

9d6ffdb1ed0fe781a516bf704c6e882bc6c494e5
SHA256

22f23ef52229aa74af56612bc19ade61c60482ea48437225a0f375b695a6a3a0
SHA512

141fd7d7433daf3526cc8f04c771792cf8f50cca7b47674e061ff44c33664a9df4718493251593771b767ca07cf73ab2366f7f7b7079e563bbc6ef3da24ffa45
SSDEEP

3072:yBUIYrsgIDmJP45GBUuXjHD/xbSBkUb8c7DVsqViv0vRnXP5LVL:yGsA3ieHD5JY8IDVUSRnXP5pL

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
3240	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
3240	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
3240	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
3240	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
5060	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system.ini	regsvr32.exe
File opened for modification	C:\Windows\UoDo\game.dll	regsvr32.exe
File opened for modification	C:\Windows\UoDo\game.dll	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
File created	C:\Windows\UoDo\game.dll	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
File opened for modification	C:\Windows\system.ini	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ = "C:\\Windows\\UoDo\\game.dll"	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ThreadingModel = "Apartment"	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{296AB1B8-FB22-4D17-8834"	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ = "C:\\Windows\\UoDo\\game.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{296AB1B8-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{296AB1B8-FB22-4D17-8834"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 5060	3240	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe	91
PID 3240 wrote to memory of 5060	3240	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe	91
PID 3240 wrote to memory of 5060	3240	09ded9d67c67f75bfe9d3c6df6e2e4cd.exe	91

C:\Users\Admin\AppData\Local\Temp\09ded9d67c67f75bfe9d3c6df6e2e4cd.exe
"C:\Users\Admin\AppData\Local\Temp\09ded9d67c67f75bfe9d3c6df6e2e4cd.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\regsvr32.exe
  "regsvr32.exe" "C:\Windows\UoDo\game.dll" /s
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Windows directory
  - Modifies registry class
  PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshA579.tmp\System.dll

Filesize
10KB

MD5
bf01b2d04e8fad306ba2f364cfc4edfa

SHA1
58f42b45ca9fc1818c4498ecd8bac088d20f2b18

SHA256
d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903

SHA512
30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

Download Submit
C:\Windows\UoDo\game.dll

Filesize
160KB

MD5
11fdf29070e6e3462b6980a395ffdcb8

SHA1
0a824c7915fb0dd1df50566063811925f24beca8

SHA256
3410b64909af6c8e346503eda55d4362807f7b06771aec16ab2b9f53f25a513d

SHA512
5ef78405f63acda25fe9e0325129fcea13d531a4be4dfccdfe71ecf6185690350ca9725f313499f8581afa013c6589facaa6bea80b46f8e686d0b410252a6833

Download Submit
C:\Windows\system.ini

Filesize
247B

MD5
f6c42a4474a0b87a78c6254236c27ed7

SHA1
03e13ed0be5888996f6f4565f88785800e06b04e

SHA256
238613eee3d240877947df340b97808a05314dd3ebf5cd346c47d0fd084ab018

SHA512
f79c78506254dcbf1bc2470d7c0b5ff33e9a64783e48223229e4e8b90953f7ca1953d5191cdd9bdbeaa105389878c8145cd8b645dd9f3af5c59cd78d21be13ec

Download Submit
memory/3240-13-0x0000000002BC0000-0x0000000002BEA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing