Analysis
max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
04/02/2024, 20:28
Behavioral task
behavioral1
Sample
90146ee8c911d1ba806bb51c9a6e6d62.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
90146ee8c911d1ba806bb51c9a6e6d62.exe
Resource
win10v2004-20231215-en
General
Target
90146ee8c911d1ba806bb51c9a6e6d62.exe
Size
104KB
MD5
90146ee8c911d1ba806bb51c9a6e6d62
SHA1
85f7a2631c58da5c85139e59fb225526438acc62
SHA256
bdb613c87738d5f8915b3581857f0bd5a7f231e281a2f094f6679c8f7acb53f8
SHA512
9abd90244984dd013519e3e90abbba2750f8a8eec19d73b22a387b7ea397ec0c49769686788330a2bbc0530e39c79566b5b57a0c2cae36b6bc0186329fd3083f
SSDEEP
3072:EkLlVIkXqjO5QM4f3oegG8bY2NvdVaBWsjlZf3:Jb6BM4f3DfkABWqZ
Malware Config
Signatures
Loads dropped DLL (2 IoCs)
pid   Process
2784  90146ee8c911d1ba806bb51c9a6e6d62.exe
2240  rundll32.exe

resource                                                                     yara_rule
behavioral2/memory/2784-0-0x0000000000400000-0x0000000000433000-memory.dmp   upx
behavioral2/memory/2784-12-0x0000000000400000-0x0000000000433000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojfmqrd.dll = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\ojfmqrd.dll,fxotoj"
Process: 90146ee8c911d1ba806bb51c9a6e6d62.exe
Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318513FE-8B07-F98A-6407-08D912A74554}
Process: 90146ee8c911d1ba806bb51c9a6e6d62.exe
Drops file in System32 directory (2 IoCs)
description: File created
ioc: C:\Windows\SysWOW64\ojfmqrd.dll
Process: 90146ee8c911d1ba806bb51c9a6e6d62.exe

description: File created
ioc: C:\Windows\SysWOW64\omcnjxg.dll
Process: 90146ee8c911d1ba806bb51c9a6e6d62.exe
Modifies registry class (6 IoCs)
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node
Process: 90146ee8c911d1ba806bb51c9a6e6d62.exe

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
Process: 90146ee8c911d1ba806bb51c9a6e6d62.exe

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}
Process: 90146ee8c911d1ba806bb51c9a6e6d62.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32\ = "C:\\Windows\\SysWow64\\omcnjxg.dll"
Process: 90146ee8c911d1ba806bb51c9a6e6d62.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32\ThreadingModel = "Apartment"
Process: 90146ee8c911d1ba806bb51c9a6e6d62.exe

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32
Process: 90146ee8c911d1ba806bb51c9a6e6d62.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2784  90146ee8c911d1ba806bb51c9a6e6d62.exe
2784  90146ee8c911d1ba806bb51c9a6e6d62.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process                               procid_target
PID 2784 wrote to memory of 2240  2784  90146ee8c911d1ba806bb51c9a6e6d62.exe  85
PID 2784 wrote to memory of 2240  2784  90146ee8c911d1ba806bb51c9a6e6d62.exe  85
PID 2784 wrote to memory of 2240  2784  90146ee8c911d1ba806bb51c9a6e6d62.exe  85
Processes
C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2784
  C:\Windows\SysWOW64\rundll32.exe (child of PID 2784)
    command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\ojfmqrd.dll,fxotoj
    - Loads dropped DLL
    PID: 2240
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
92KB
MD5
56d4b45a20fc496519c6269291628d6b
SHA1
cb2632b55a817049265a61c64c006e2fdf78559c
SHA256
5f1d0884dbadc9ef0924258721dd661106356e4b96217e578457415db34ad39a
SHA512
daf38cf0725730940900944b49c7c7e202685698b9c6a9bfe46c8381986aa58d4b51497bdea00d91081b80d9618806ba5bf681b1d03c796fea9a07970806ee3e

Filesize
69KB
MD5
278dd526adb0537839e07c8c5df1518e
SHA1
a255c19e03a416610c7e0384a828527dc3e346e6
SHA256
d67c0b08fa4c51134835bf89efa84c2260260b202b76d5f57c2e02eb6265e4a0
SHA512
cc60253675ca6e6f9b1cb1201c3e96da94a3c6232b873b1f8f8a1824a5708424aede85b1d636c47dda90cc20dcb5db948538efb197f42ac750729d36f5c6e451