da2c871c43c9170d90191f4b952d2dfb0d2def9aabe8d4792b10c0f1dad1327d

General

Target

0e6d9b5e4df3607811a555d4fafa2768.exe
Size

64KB
MD5

0e6d9b5e4df3607811a555d4fafa2768
SHA1

d09b3bac7d74843b746099a040ad7ebebd6444f4
SHA256

da2c871c43c9170d90191f4b952d2dfb0d2def9aabe8d4792b10c0f1dad1327d
SHA512

7a64ed610ca5d78fee218d72edc46d28e168fd2b635e972036ad821f3a10e9d402572ee133e2d752144d2791c5db8a5387e11d465acaa8b34edea75a3ebf98d6
SSDEEP

1536:5FpJ5FRZYNf2eUAkrilPFI+bgfaSJzc1wVAoqbJ8QqdM:5FpJVZ42fANlPFIagZJQ1wqXbJ8bM

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
2500	0e6d9b5e4df3607811a555d4fafa2768.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	77.74.48.110

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tanusafope = "Rundll32.exe \"C:\\Windows\\system32\\lomerezu.dll\",s"	0e6d9b5e4df3607811a555d4fafa2768.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8815f4c-5b54-4a05-8a7a-016f80cf89ce}	0e6d9b5e4df3607811a555d4fafa2768.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\devebibo.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\mivizomi	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\mofehibe.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\sonumina.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\felukoza.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\lomerezu.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\wabuheni.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\webuzufa.dll	0e6d9b5e4df3607811a555d4fafa2768.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b8815f4c-5b54-4a05-8a7a-016f80cf89ce}	0e6d9b5e4df3607811a555d4fafa2768.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b8815f4c-5b54-4a05-8a7a-016f80cf89ce}\InprocServer32	0e6d9b5e4df3607811a555d4fafa2768.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b8815f4c-5b54-4a05-8a7a-016f80cf89ce}\InprocServer32\ = "C:\\Windows\\SysWow64\\webuzufa.dll"	0e6d9b5e4df3607811a555d4fafa2768.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b8815f4c-5b54-4a05-8a7a-016f80cf89ce}\InprocServer32\ThreadingModel = "Both"	0e6d9b5e4df3607811a555d4fafa2768.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	0e6d9b5e4df3607811a555d4fafa2768.exe
2500	0e6d9b5e4df3607811a555d4fafa2768.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	0e6d9b5e4df3607811a555d4fafa2768.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2500	0e6d9b5e4df3607811a555d4fafa2768.exe
2500	0e6d9b5e4df3607811a555d4fafa2768.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1276	2500	0e6d9b5e4df3607811a555d4fafa2768.exe	20

C:\Users\Admin\AppData\Local\Temp\0e6d9b5e4df3607811a555d4fafa2768.exe
"C:\Users\Admin\AppData\Local\Temp\0e6d9b5e4df3607811a555d4fafa2768.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mivizomi

Filesize
1KB

MD5
63455d1d1b1b9ff698ddfe6cf5b0ece4

SHA1
fc6e291916cdcbcbefb8959e5444cc3fe4a75560

SHA256
32eab7de5c3caa95de4e8ea2ca8ca1008edb0c11dc8c23f630e4b79a4b679f08

SHA512
dc79a21fecf54ed01c530bb8a83e5e300804f132849d18cf68c9bee59a8ec9e3fb86209301fc08e4a22e199d2da30bb44c226416edb32a815612f976d8885207

Download Submit
\Windows\SysWOW64\webuzufa.dll

Filesize
64KB

MD5
6b5dfe653cfe0590771564a89e8eac4c

SHA1
06999c2ce79f499997249017b3bb0d4c0905c5fa

SHA256
52ba4ff79cbcb941882de54ff6a143d0e13209e98c27b17b2b10b543c1b5e15f

SHA512
9de8cd609aa9ffa8cd5869e6817fd2ddd19d28ff9de784137fd32d4804552bec978a1760b0030473d1f4f47d1ca43d128e6c374ad2abafc5493bdcf8186855a9

Download Submit
memory/1276-26-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2500-20-0x0000000000330000-0x000000000034E000-memory.dmp

Filesize
120KB

Download
memory/2500-21-0x0000000000330000-0x000000000034E000-memory.dmp

Filesize
120KB

Download
memory/2500-17-0x0000000000330000-0x000000000034E000-memory.dmp

Filesize
120KB

Download
memory/2500-2-0x00000000002F0000-0x000000000037A000-memory.dmp

Filesize
552KB

Download
memory/2500-19-0x0000000001F30000-0x0000000001FBA000-memory.dmp

Filesize
552KB

Download
memory/2500-0-0x0000000010000000-0x000000001001D3A9-memory.dmp

Filesize
116KB

Download
memory/2500-24-0x0000000010000000-0x000000001001D3A9-memory.dmp

Filesize
116KB

Download
memory/2500-25-0x0000000000330000-0x000000000034E000-memory.dmp

Filesize
120KB

Download
memory/2500-1-0x0000000010000000-0x000000001001D3A9-memory.dmp

Filesize
116KB

Download
memory/2500-28-0x0000000000330000-0x000000000034E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads