Malware Analysis Report

2025-01-18 21:12

Sample ID 240325-djf1zaed79
Target dd1302865b056ed7fdd1adc2a31f7be2
SHA256 39abb89be235d37f0f1a41f8595614ee1be22a57b6f38eebb3f052ba3ec7fe5d
Tags
adware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

39abb89be235d37f0f1a41f8595614ee1be22a57b6f38eebb3f052ba3ec7fe5d

Threat Level: Shows suspicious behavior

The file dd1302865b056ed7fdd1adc2a31f7be2 was found to show suspicious behavior.

Malicious Activity Summary

adware stealer

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Modifies registry class

Suspicious behavior: RenamesItself

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-03-25 03:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 03:02

Reported

2024-03-25 03:04

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A

Installs/modifies Browser Helper Object

Tags: stealer adware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\ = "Maniqute" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F70F6880-3A4B-11DE-8230-0B7C55D89593} | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\vumer.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\kusers.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\kwpm.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\bsm.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\spria.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ire853.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ppobo.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\cunta.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mukmil.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File created | C:\Windows\SysWOW64\kusers.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\16be9062187ac40aa04268ca1eaa29d2.tmp | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\260bff5a12bfe26b27ff01c8ad0f9529.tmp | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\e92508e7cb347377b9c9677f2873cc7b.tmp | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ffdef82d90981756ff84a291c0b87435.tmp | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\gln.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ssa.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593} | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib\ = "{5303E828-3A4C-11DE-AC1C-F77F55D89593}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB\CLSID\ = "{F70F6880-3A4B-11DE-8230-0B7C55D89593}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB\CurVer\ = "InterMPlug" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\ProgID | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib\ = "{5303E828-3A4C-11DE-AC1C-F77F55D89593}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ = "ITimeBl" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB\ = "Maniqute" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB\CurVer | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\kusers.dll" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\Programmable | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\ = "DDSMEb 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593} | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593} | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB\CLSID | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\VersionIndependentProgID\ = "PartTimeB" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\TypeLib\ = "{5303E828-3A4C-11DE-AC1C-F77F55D89593}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InterMPlug\ = "Maniqute" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InterMPlug\CLSID | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\InprocServer32\ = "C:\\Windows\\SysWow64\\kusers.dll" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ = "ITimeBl" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593} | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\ = "Maniqute" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\ProgID\ = "InterMPlug" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InterMPlug | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InterMPlug\CLSID\ = "{F70F6880-3A4B-11DE-8230-0B7C55D89593}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe

"C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe"

Network

N/A

Files

\Windows\SysWOW64\kusers.dll

MD5 a64adc3e6519712bb6db91722af55037
SHA1 bfb3a0635453ba4d1ce83bf70d9473ca8a0745c3
SHA256 91d0fd6110cf5e46d21bf1f7e58ae2490c79ef8208212c1c54b0b27025b02b0d
SHA512 c0167f2903694a1e747a91f68ebee4b8491aba790bd01851d944c0401058a2143dedd45838cc6f25963ac9b543d424d7ac172969f95232dc74f407d1cd83c465

memory/2376-4-0x0000000074840000-0x0000000074854000-memory.dmp

memory/2376-3-0x0000000076500000-0x000000007652A000-memory.dmp

memory/2376-6-0x0000000074840000-0x0000000074854000-memory.dmp

memory/2376-7-0x0000000074840000-0x0000000074854000-memory.dmp

memory/2376-8-0x0000000076550000-0x000000007661C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 03:02

Reported

2024-03-25 03:04

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A

Installs/modifies Browser Helper Object

Tags: stealer adware

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F70F6880-3A4B-11DE-8230-0B7C55D89593} | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\ = "Maniqute" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\kwpm.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\spria.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\vumer.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File created | C:\Windows\SysWOW64\kusers.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\cunta.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ppobo.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ire853.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\gln.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ssa.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\kusers.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\bsm.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\fc80fa1674f2c7d0408f93b2ebcfdc6e.tmp | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\8e108d6b9527a7afa98dc56e9220c256.tmp | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mukmil.dll | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib\ = "{5303E828-3A4C-11DE-AC1C-F77F55D89593}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB\CLSID | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\Programmable | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ = "ITimeBl" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InterMPlug\ = "Maniqute" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InterMPlug\CLSID\ = "{F70F6880-3A4B-11DE-8230-0B7C55D89593}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB\CurVer | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib\ = "{5303E828-3A4C-11DE-AC1C-F77F55D89593}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593} | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB\CurVer\ = "InterMPlug" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\ProgID | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\ = "DDSMEb 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InterMPlug | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InterMPlug\CLSID | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593} | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\HELPDIR\ = "C:\\Windows\\system32" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593} | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\VersionIndependentProgID\ = "PartTimeB" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593} | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\TypeLib\ = "{5303E828-3A4C-11DE-AC1C-F77F55D89593}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB\ = "Maniqute" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\ProgID\ = "InterMPlug" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\InprocServer32\ = "C:\\Windows\\SysWow64\\kusers.dll" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\ = "Maniqute" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F70F6880-3A4B-11DE-8230-0B7C55D89593}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\kusers.dll" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ = "ITimeBl" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PartTimeB\CLSID\ = "{F70F6880-3A4B-11DE-8230-0B7C55D89593}" | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5303E828-3A4C-11DE-AC1C-F77F55D89593}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494B9BE-3A4C-11DE-91D2-BD8055D89593}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe

"C:\Users\Admin\AppData\Local\Temp\dd1302865b056ed7fdd1adc2a31f7be2.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\kusers.dll

MD5 a64adc3e6519712bb6db91722af55037
SHA1 bfb3a0635453ba4d1ce83bf70d9473ca8a0745c3
SHA256 91d0fd6110cf5e46d21bf1f7e58ae2490c79ef8208212c1c54b0b27025b02b0d
SHA512 c0167f2903694a1e747a91f68ebee4b8491aba790bd01851d944c0401058a2143dedd45838cc6f25963ac9b543d424d7ac172969f95232dc74f407d1cd83c465