Malware Analysis Report

2025-08-05 16:44

Sample ID 240204-y9bjdsaag4
Target 90146ee8c911d1ba806bb51c9a6e6d62
SHA256 bdb613c87738d5f8915b3581857f0bd5a7f231e281a2f094f6679c8f7acb53f8
Tags
upx adware persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bdb613c87738d5f8915b3581857f0bd5a7f231e281a2f094f6679c8f7acb53f8

Threat Level: Shows suspicious behavior

The file 90146ee8c911d1ba806bb51c9a6e6d62 was found to show suspicious behavior.

Malicious Activity Summary

upx adware persistence stealer

UPX packed file

Loads dropped DLL

Installs/modifies Browser Helper Object

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 20:28

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 20:28

Reported

2024-02-04 20:31

Platform

win7-20231215-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ojfmqrd.dll = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\ojfmqrd.dll,fxotoj" | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318513FE-8B07-F98A-6407-08D912A74554} | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ojfmqrd.dll | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
File created | C:\Windows\SysWOW64\omcnjxg.dll | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554} | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32\ = "C:\\Windows\\SysWow64\\omcnjxg.dll" | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe

"C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\ojfmqrd.dll,fxotoj

Network

Country | Destination | Domain | Proto
NL | 88.208.8.8:80 | | tcp
NL | 88.208.8.8:80 | | tcp

Files

\Windows\SysWOW64\omcnjxg.dll

MD5 278dd526adb0537839e07c8c5df1518e
SHA1 a255c19e03a416610c7e0384a828527dc3e346e6
SHA256 d67c0b08fa4c51134835bf89efa84c2260260b202b76d5f57c2e02eb6265e4a0
SHA512 cc60253675ca6e6f9b1cb1201c3e96da94a3c6232b873b1f8f8a1824a5708424aede85b1d636c47dda90cc20dcb5db948538efb197f42ac750729d36f5c6e451

memory/1872-4-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1872-5-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Windows\SysWOW64\ojfmqrd.dll

MD5 56d4b45a20fc496519c6269291628d6b
SHA1 cb2632b55a817049265a61c64c006e2fdf78559c
SHA256 5f1d0884dbadc9ef0924258721dd661106356e4b96217e578457415db34ad39a
SHA512 daf38cf0725730940900944b49c7c7e202685698b9c6a9bfe46c8381986aa58d4b51497bdea00d91081b80d9618806ba5bf681b1d03c796fea9a07970806ee3e

\Windows\SysWOW64\ojfmqrd.dll

MD5 be8c7a21cd849265572918d8b9f0102d
SHA1 bfca95a96e68deb3072d4b19c2fbb63cdc527dac
SHA256 1e20adb2bf88af727b6fd397013aeaae0034abf2bed2f91371f0f1d8f0a9d0ee
SHA512 b36998675a26eecf8a28ac76ad0956462f358a63c9e703d4d00b8699b9e6884c4ae1fb14c19616db71ca7d9a91d77be7168edeaabe987e60a20c7bf36dfee4f5

memory/2748-11-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2748-12-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2748-13-0x0000000010000000-0x000000001001E000-memory.dmp

memory/1872-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1872-20-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2748-21-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2748-22-0x0000000010000000-0x000000001001E000-memory.dmp

memory/1872-31-0x0000000010000000-0x0000000010019000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 20:28

Reported

2024-02-04 20:31

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojfmqrd.dll = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\ojfmqrd.dll,fxotoj" | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318513FE-8B07-F98A-6407-08D912A74554} | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ojfmqrd.dll | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
File created | C:\Windows\SysWOW64\omcnjxg.dll | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554} | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32\ = "C:\\Windows\\SysWow64\\omcnjxg.dll" | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{318513FE-8B07-F98A-6407-08D912A74554}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe

"C:\Users\Admin\AppData\Local\Temp\90146ee8c911d1ba806bb51c9a6e6d62.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\ojfmqrd.dll,fxotoj

Network

Country | Destination | Domain | Proto
NL | 88.208.8.8:80 | | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp

Files

memory/2784-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\omcnjxg.dll

MD5 278dd526adb0537839e07c8c5df1518e
SHA1 a255c19e03a416610c7e0384a828527dc3e346e6
SHA256 d67c0b08fa4c51134835bf89efa84c2260260b202b76d5f57c2e02eb6265e4a0
SHA512 cc60253675ca6e6f9b1cb1201c3e96da94a3c6232b873b1f8f8a1824a5708424aede85b1d636c47dda90cc20dcb5db948538efb197f42ac750729d36f5c6e451

memory/2784-6-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Windows\SysWOW64\ojfmqrd.dll

MD5 56d4b45a20fc496519c6269291628d6b
SHA1 cb2632b55a817049265a61c64c006e2fdf78559c
SHA256 5f1d0884dbadc9ef0924258721dd661106356e4b96217e578457415db34ad39a
SHA512 daf38cf0725730940900944b49c7c7e202685698b9c6a9bfe46c8381986aa58d4b51497bdea00d91081b80d9618806ba5bf681b1d03c796fea9a07970806ee3e

memory/2240-9-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2240-11-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2784-12-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2784-16-0x0000000010000000-0x0000000010019000-memory.dmp