Analysis
- max time kernel: 140s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 04/02/2024, 20:28
Behavioral task: behavioral1
- Sample: 90146ee8c911d1ba806bb51c9a6e6d62.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 90146ee8c911d1ba806bb51c9a6e6d62.exe
- Resource: win10v2004-20231215-en
General
- Target: 90146ee8c911d1ba806bb51c9a6e6d62.exe
- Size: 104KB
- MD5: 90146ee8c911d1ba806bb51c9a6e6d62
- SHA1: 85f7a2631c58da5c85139e59fb225526438acc62
- SHA256: bdb613c87738d5f8915b3581857f0bd5a7f231e281a2f094f6679c8f7acb53f8
- SHA512: 9abd90244984dd013519e3e90abbba2750f8a8eec19d73b22a387b7ea397ec0c49769686788330a2bbc0530e39c79566b5b57a0c2cae36b6bc0186329fd3083f
- SSDEEP: 3072:EkLlVIkXqjO5QM4f3oegG8bY2NvdVaBWsjlZf3:Jb6BM4f3DfkABWqZ
Malware Config
Signatures
- Loads dropped DLL (5 IoCs)
  pid | Process
  1872 | 90146ee8c911d1ba806bb51c9a6e6d62.exe
  2748 | rundll32.exe
  2748 | rundll32.exe
  2748 | rundll32.exe
  2748 | rundll32.exe
- YARA rule match: upx (2 IoCs; the sample's image region is flagged as UPX-packed in memory)
  resource | yara_rule
  behavioral1/memory/1872-4-0x0000000000400000-0x0000000000433000-memory.dmp | upx
  behavioral1/memory/1872-14-0x0000000000400000-0x0000000000433000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ojfmqrd.dll = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\ojfmqrd.dll,fxotoj" | 90146ee8c911d1ba806bb51c9a6e6d62.exe
- Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318513FE-8B07-F98A-6407-08D912A74554} | 90146ee8c911d1ba806bb51c9a6e6d62.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\ojfmqrd.dll | 90146ee8c911d1ba806bb51c9a6e6d62.exe
  File created | C:\Windows\SysWOW64\omcnjxg.dll | 90146ee8c911d1ba806bb51c9a6e6d62.exe
- Modifies registry class (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32 | 90146ee8c911d1ba806bb51c9a6e6d62.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 90146ee8c911d1ba806bb51c9a6e6d62.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 90146ee8c911d1ba806bb51c9a6e6d62.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554} | 90146ee8c911d1ba806bb51c9a6e6d62.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32\ = "C:\\Windows\\SysWow64\\omcnjxg.dll" | 90146ee8c911d1ba806bb51c9a6e6d62.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32\ThreadingModel = "Apartment" | 90146ee8c911d1ba806bb51c9a6e6d62.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1872 | 90146ee8c911d1ba806bb51c9a6e6d62.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1872 wrote to memory of 2748 | 1872 | 90146ee8c911d1ba806bb51c9a6e6d62.exe | 28
  PID 1872 wrote to memory of 2748 | 1872 | 90146ee8c911d1ba806bb51c9a6e6d62.exe | 28
  PID 1872 wrote to memory of 2748 | 1872 | 90146ee8c911d1ba806bb51c9a6e6d62.exe | 28
  PID 1872 wrote to memory of 2748 | 1872 | 90146ee8c911d1ba806bb51c9a6e6d62.exe | 28
  PID 1872 wrote to memory of 2748 | 1872 | 90146ee8c911d1ba806bb51c9a6e6d62.exe | 28
  PID 1872 wrote to memory of 2748 | 1872 | 90146ee8c911d1ba806bb51c9a6e6d62.exe | 28
  PID 1872 wrote to memory of 2748 | 1872 | 90146ee8c911d1ba806bb51c9a6e6d62.exe | 28
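The two persistence mechanisms above fit together: the sample drops ojfmqrd.dll and omcnjxg.dll into SysWOW64, points a Run value at rundll32 with the export fxotoj in the first, and registers the second as the in-process server for a CLSID that it also lists as a Browser Helper Object. Note the path mismatch: the Run value and the rundll32 command line say C:\Windows\system32\, but the files were created in C:\Windows\SysWOW64\ and the child process image is C:\Windows\SysWOW64\rundll32.exe. That is WoW64 redirection (the registry writes landed under Wow6432Node for the same reason), so a hunt that matches the literal system32 path would miss the file. The script below is an added example, not part of this report or the sandbox's tooling: it correlates file-create and registry events into persistence findings, resolving the redirection before comparing paths. The EVENTS list is constructed from the IoCs in this report; its dict layout is an assumption, not the sandbox's export format.

```python
"""Correlate sandbox file/registry events into persistence findings.

Added example for this report, not the sandbox's own code. EVENTS is
constructed from the IoCs above (dropped DLL paths, the Run value, the BHO
CLSID and its InprocServer32 registration); the record layout is assumed.
"""
import re
from typing import Dict, List

SAMPLE = "90146ee8c911d1ba806bb51c9a6e6d62.exe"

# Constructed from the report's signature entries (record format is assumed).
EVENTS: List[Dict[str, str]] = [
    {"op": "file_create", "path": r"C:\Windows\SysWOW64\ojfmqrd.dll", "process": SAMPLE},
    {"op": "file_create", "path": r"C:\Windows\SysWOW64\omcnjxg.dll", "process": SAMPLE},
    {"op": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "ojfmqrd.dll",
     "data": r"C:\Windows\system32\rundll32.exe C:\Windows\system32\ojfmqrd.dll,fxotoj",
     "process": SAMPLE},
    {"op": "reg_create",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer"
            r"\Browser Helper Objects\{318513FE-8B07-F98A-6407-08D912A74554}",
     "process": SAMPLE},
    {"op": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
            r"\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32",
     "name": "", "data": r"C:\Windows\SysWow64\omcnjxg.dll", "process": SAMPLE},
    {"op": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
            r"\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32",
     "name": "ThreadingModel", "data": "Apartment", "process": SAMPLE},
]

# Matches "[path\]rundll32[.exe] <dll>,<export>"; quotes around the DLL are optional.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)


def is_wow64_key(key: str) -> bool:
    """A write that landed under Wow6432Node came from a 32-bit process on
    x64 (registry redirection), so that process's file paths are redirected too."""
    return "\\wow6432node\\" in key.lower()


def norm_path(path: str, wow64: bool) -> str:
    """Lower-case a path and, for a WoW64 writer, apply file-system redirection:
    what the process calls system32 is really SysWOW64."""
    p = path.strip('"').lower()
    if wow64:
        p = p.replace("\\windows\\system32\\", "\\windows\\syswow64\\")
    return p


def analyze(events: List[Dict[str, str]]) -> List[dict]:
    """Flag Run-key rundll32 entries and COM InprocServer32 registrations, and
    record whether the referenced DLL was dropped by the same process."""
    dropped = {norm_path(e["path"], False): e["process"]
               for e in events if e["op"] == "file_create"}

    bho_clsids = set()
    for e in events:
        if e["op"] == "reg_create" and "\\browser helper objects\\" in e["key"].lower():
            m = CLSID_RE.search(e["key"])
            if m:
                bho_clsids.add(m.group(0).upper())

    findings = []
    for e in events:
        if e["op"] != "reg_set":
            continue
        key = e["key"].lower()
        wow64 = is_wow64_key(key)
        if key.endswith("\\currentversion\\run"):
            m = RUNDLL32_RE.search(e["data"])
            if not m:
                continue  # only rundll32-style Run values are handled here
            dll = norm_path(m.group("dll"), wow64)
            findings.append({
                "technique": "run_key_rundll32",
                "value_name": e["name"],
                "dll": dll,
                "export": m.group("export"),
                "dropped_by_same_process": dropped.get(dll) == e["process"],
            })
        elif key.endswith("\\inprocserver32") and e["name"] == "":
            m = CLSID_RE.search(e["key"])
            clsid = m.group(0).upper() if m else None
            dll = norm_path(e["data"], wow64)
            findings.append({
                "technique": "com_inproc_server",
                "clsid": clsid,
                "dll": dll,
                "registered_as_bho": clsid in bho_clsids,
                "dropped_by_same_process": dropped.get(dll) == e["process"],
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Both findings come back with dropped_by_same_process set, which is the signal worth alerting on: a Run value or COM server that points at a DLL the same process just wrote into a system directory, rather than at a DLL that shipped with Windows. The redirection step is what makes the Run-key match succeed; without it the system32 path in the value never equals the SysWOW64 path in the file-create event.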
Processes
1. C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe"
   PID: 1872
   - Loads dropped DLL
   - Adds Run key to start application
   - Installs/modifies Browser Helper Object
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1872)
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\ojfmqrd.dll,fxotoj
      PID: 2748
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
  MD5: 56d4b45a20fc496519c6269291628d6b
  SHA1: cb2632b55a817049265a61c64c006e2fdf78559c
  SHA256: 5f1d0884dbadc9ef0924258721dd661106356e4b96217e578457415db34ad39a
  SHA512: daf38cf0725730940900944b49c7c7e202685698b9c6a9bfe46c8381986aa58d4b51497bdea00d91081b80d9618806ba5bf681b1d03c796fea9a07970806ee3e
- Filesize: 64KB
  MD5: be8c7a21cd849265572918d8b9f0102d
  SHA1: bfca95a96e68deb3072d4b19c2fbb63cdc527dac
  SHA256: 1e20adb2bf88af727b6fd397013aeaae0034abf2bed2f91371f0f1d8f0a9d0ee
  SHA512: b36998675a26eecf8a28ac76ad0956462f358a63c9e703d4d00b8699b9e6884c4ae1fb14c19616db71ca7d9a91d77be7168edeaabe987e60a20c7bf36dfee4f5
- Filesize: 69KB
  MD5: 278dd526adb0537839e07c8c5df1518e
  SHA1: a255c19e03a416610c7e0384a828527dc3e346e6
  SHA256: d67c0b08fa4c51134835bf89efa84c2260260b202b76d5f57c2e02eb6265e4a0
  SHA512: cc60253675ca6e6f9b1cb1201c3e96da94a3c6232b873b1f8f8a1824a5708424aede85b1d636c47dda90cc20dcb5db948538efb197f42ac750729d36f5c6e451