Malware Analysis Report

2025-01-18 22:28

Sample ID 240504-dc4hpabd5w
Target c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896
SHA256 c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896
Tags adware persistence stealer
Score 8/10


Analysis Overview

Score 8/10

SHA256 c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896

Threat Level: Likely malicious

The file c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896 was found to be: Likely malicious.

Malicious Activity Summary

adware persistence stealer

Modifies Shared Task Scheduler registry keys

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Analysis: static1

Detonation Overview

Reported

2024-05-04 02:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 02:52

Reported

2024-05-04 02:55

Platform

win7-20240221-en

Max time kernel

150s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896.dll,#1

Signatures

Modifies Shared Task Scheduler registry keys

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3} C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D}\ C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ZPUJZP.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\ZPUJZP.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\TJOETJ.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\TJOETJ.dll C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\New Windows\Allow C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www. C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.google.cn C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D}\InprocServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D}\InprocServer32\ = "C:\\Windows\\SysWow64\\TJOETJ.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3} C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3}\InprocServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D}\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3}\InprocServer32\ = "C:\\Windows\\SysWow64\\ZPUJZP.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3}\ C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896.dll,#1

Network

N/A

Files

memory/2208-0-0x00000000001F0000-0x000000000024E000-memory.dmp

memory/2208-1-0x0000000077070000-0x0000000077071000-memory.dmp

C:\Windows\SysWOW64\TJOETJ.dll

MD5 861642a320ae23037a6441d6f588045a
SHA1 eb674afd96e5ed93c4ddf90f294f2cb31ff3833d
SHA256 df64fdd1009e88236743299892f580e48d491d1f416325bc8bf8f7e38bfdde97
SHA512 27171e29b58689a4f4a3cdd814c0c44883ad4b24ec72be81c6544ede5da52b0a48ebd7de995cce2559cbd0223be34e2c47cbc8059b637effe40dab5ca1171624


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 02:52

Reported

2024-05-04 02:55

Platform

win10v2004-20240419-en

Max time kernel

140s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896.dll,#1

Signatures

Modifies Shared Task Scheduler registry keys

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5} C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F}\ C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\IUSPMZ.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\COMJGT.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\COMJGT.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\IUSPMZ.dll C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\New Windows\Allow C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www. C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.google.cn C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F}\InprocServer32\ = "C:\\Windows\\SysWow64\\COMJGT.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5}\InprocServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F}\ C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F}\InprocServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5}\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5}\InprocServer32\ = "C:\\Windows\\SysWow64\\IUSPMZ.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 49.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/812-0-0x0000000076FE4000-0x0000000076FE5000-memory.dmp

C:\Windows\SysWOW64\COMJGT.dll

MD5 9258b002a3af380d25df5c0680b5d681
SHA1 7f5aa4b7d839ced181a16827ea2f6aa6d66dcab5
SHA256 c0f6279e50edd5bef820bff03217d73af18a8156852389c38e090b387bc23352
SHA512 04c3dc01004a7da4212c03a98cfa576998cca96fbb3032669a93674bfe78832fb44a15d0b9d998151dd68c9adac698b30d071a863ccb68dc1b7d7879d2fa6b95
