40db3319b8eeec04973e9f67ce1eb5f76160619c9c6a54e3a8208a18be7529d2

General

Target

03fbbba08443d719c48a16380a4c7bca.dll
Size

113KB
MD5

03fbbba08443d719c48a16380a4c7bca
SHA1

2ec24b53585b27f9a778845f4e530e6b0421a575
SHA256

40db3319b8eeec04973e9f67ce1eb5f76160619c9c6a54e3a8208a18be7529d2
SHA512

5e3042db83759db56f1d99cbdf52678f06297f678034a1806122f5012bf5ea38a186944dc1fed4e73ef9922dbe169849d49d70f0ef9fc000088e7592cd76cd86
SSDEEP

3072:sewc6DlnLPTOBZLJW7m3TfY1qCB2Y2FmH2:sewc6DBLbOJW7YfYstY2Fm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2012	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{20767cd7-b8ca-4527-8676-542bf37515e6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{20767cd7-b8ca-4527-8676-542bf37515e6}\ = "{6e51573f-b245-6768-7254-ac8b7dc76702}"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nulmqp.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\nulmqp.dll	rundll32.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20767cd7-b8ca-4527-8676-542bf37515e6}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20767cd7-b8ca-4527-8676-542bf37515e6}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20767cd7-b8ca-4527-8676-542bf37515e6}\InprocServer32\ = "C:\\Windows\\SysWow64\\nulmqp.dll"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\VersionIndependentProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Version	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\TypeLib	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Programmable	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20767cd7-b8ca-4527-8676-542bf37515e6}\InprocServer32\ThreadingModel = "free"	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 752	4588	rundll32.exe	89
PID 4588 wrote to memory of 752	4588	rundll32.exe	89
PID 4588 wrote to memory of 752	4588	rundll32.exe	89
PID 752 wrote to memory of 2012	752	rundll32.exe	93
PID 752 wrote to memory of 2012	752	rundll32.exe	93
PID 752 wrote to memory of 2012	752	rundll32.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fbbba08443d719c48a16380a4c7bca.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fbbba08443d719c48a16380a4c7bca.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\nulmqp.dll",i
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\nulmqp.dll

Filesize
113KB

MD5
03fbbba08443d719c48a16380a4c7bca

SHA1
2ec24b53585b27f9a778845f4e530e6b0421a575

SHA256
40db3319b8eeec04973e9f67ce1eb5f76160619c9c6a54e3a8208a18be7529d2

SHA512
5e3042db83759db56f1d99cbdf52678f06297f678034a1806122f5012bf5ea38a186944dc1fed4e73ef9922dbe169849d49d70f0ef9fc000088e7592cd76cd86

Download Submit
memory/752-0-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/752-1-0x0000000002DB0000-0x0000000002DB5000-memory.dmp

Filesize
20KB

Download
memory/752-7-0x0000000002DB0000-0x0000000002DB5000-memory.dmp

Filesize
20KB

Download
memory/2012-6-0x0000000000790000-0x0000000000795000-memory.dmp

Filesize
20KB

Download
memory/2012-5-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing