da2c871c43c9170d90191f4b952d2dfb0d2def9aabe8d4792b10c0f1dad1327d

General

Target

0e6d9b5e4df3607811a555d4fafa2768.exe
Size

64KB
MD5

0e6d9b5e4df3607811a555d4fafa2768
SHA1

d09b3bac7d74843b746099a040ad7ebebd6444f4
SHA256

da2c871c43c9170d90191f4b952d2dfb0d2def9aabe8d4792b10c0f1dad1327d
SHA512

7a64ed610ca5d78fee218d72edc46d28e168fd2b635e972036ad821f3a10e9d402572ee133e2d752144d2791c5db8a5387e11d465acaa8b34edea75a3ebf98d6
SSDEEP

1536:5FpJ5FRZYNf2eUAkrilPFI+bgfaSJzc1wVAoqbJ8QqdM:5FpJVZ42fANlPFIagZJQ1wqXbJ8bM

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Loads dropped DLL 2 IoCs

pid	Process
4760	0e6d9b5e4df3607811a555d4fafa2768.exe
4760	0e6d9b5e4df3607811a555d4fafa2768.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	77.74.48.110

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zilajebumi = "Rundll32.exe \"C:\\Windows\\system32\\kuluzone.dll\",s"	0e6d9b5e4df3607811a555d4fafa2768.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a0476159-9951-4983-a3a2-504a72de23f8}	0e6d9b5e4df3607811a555d4fafa2768.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dilonoza.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\zobihapu.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\fudenuva.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\dikihewo.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\kuluzone.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\tubokita.dll	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\pokokuvi	0e6d9b5e4df3607811a555d4fafa2768.exe
File opened for modification	C:\Windows\SysWOW64\henijuyo.dll	0e6d9b5e4df3607811a555d4fafa2768.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a0476159-9951-4983-a3a2-504a72de23f8}	0e6d9b5e4df3607811a555d4fafa2768.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a0476159-9951-4983-a3a2-504a72de23f8}\InprocServer32	0e6d9b5e4df3607811a555d4fafa2768.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a0476159-9951-4983-a3a2-504a72de23f8}\InprocServer32\ = "C:\\Windows\\SysWow64\\dikihewo.dll"	0e6d9b5e4df3607811a555d4fafa2768.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a0476159-9951-4983-a3a2-504a72de23f8}\InprocServer32\ThreadingModel = "Both"	0e6d9b5e4df3607811a555d4fafa2768.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4760	0e6d9b5e4df3607811a555d4fafa2768.exe
4760	0e6d9b5e4df3607811a555d4fafa2768.exe
4760	0e6d9b5e4df3607811a555d4fafa2768.exe
4760	0e6d9b5e4df3607811a555d4fafa2768.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	0e6d9b5e4df3607811a555d4fafa2768.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4760	0e6d9b5e4df3607811a555d4fafa2768.exe
4760	0e6d9b5e4df3607811a555d4fafa2768.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3496	4760	0e6d9b5e4df3607811a555d4fafa2768.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\0e6d9b5e4df3607811a555d4fafa2768.exe
  "C:\Users\Admin\AppData\Local\Temp\0e6d9b5e4df3607811a555d4fafa2768.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\kuluzone.dll

Filesize
64KB

MD5
8705097bea2b661c6ae45035b4b82292

SHA1
81bbbfda3188c2193ed71be5955c173c6a78e81b

SHA256
74e08056f9309b0ddfd354f9071a528050d7e4b6ba1123d1ec31eb25f089516c

SHA512
944887e7cbde6f9f04c0f9ff3c8014a9e1ebaa459096fef67dfe432599602ccc0acd3887746f828e3e1f001ab75cc9eaf62fee3d68bbb6552844b9817b5fbcba

Download Submit
C:\Windows\SysWOW64\pokokuvi

Filesize
1KB

MD5
fda923135536ee97c655903a583486f0

SHA1
a6daf9129200292e7d979550cd6870afde8ce471

SHA256
ad47b95cb3be25319aa35fee23da3aef03eac9019b90c4cac0073fec04e3408f

SHA512
d2077d027715d171fa73aa3786714084dec27e57410984776da72079977ba15f974f430dcc8f51434ca5547bc1567ccff29210fe8c8ae2a54d4b0ea963bdea14

Download Submit
memory/4760-1-0x0000000002150000-0x00000000021DA000-memory.dmp

Filesize
552KB

Download
memory/4760-2-0x0000000010000000-0x000000001001D3A9-memory.dmp

Filesize
116KB

Download
memory/4760-0-0x0000000010000000-0x000000001001D3A9-memory.dmp

Filesize
116KB

Download
memory/4760-3-0x0000000010000000-0x000000001001D3A9-memory.dmp

Filesize
116KB

Download
memory/4760-11-0x0000000010000000-0x000000001001D3A9-memory.dmp

Filesize
116KB

Download
memory/4760-19-0x00000000021D0000-0x00000000021EE000-memory.dmp

Filesize
120KB

Download
memory/4760-22-0x00000000021D0000-0x00000000021EE000-memory.dmp

Filesize
120KB

Download
memory/4760-23-0x00000000021D0000-0x00000000021EE000-memory.dmp

Filesize
120KB

Download
memory/4760-29-0x00000000021D0000-0x00000000021EE000-memory.dmp

Filesize
120KB

Download
memory/4760-31-0x00000000021D0000-0x00000000021EE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads