Analysis Overview
SHA256
c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896
Threat Level: Likely malicious
The file c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896 was found to be: Likely malicious.
Malicious Activity Summary
Modifies Shared Task Scheduler registry keys
Installs/modifies Browser Helper Object
Drops file in System32 directory
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-04 02:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-04 02:52
Reported
2024-05-04 02:55
Platform
win7-20240221-en
Max time kernel
150s
Max time network
118s
Signatures
Modifies Shared Task Scheduler registry keys
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3} | C:\Windows\SysWOW64\rundll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\ZPUJZP.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ZPUJZP.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\TJOETJ.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TJOETJ.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\New Windows\Allow | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www. | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.google.cn | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D}\InprocServer32\ = "C:\\Windows\\SysWow64\\TJOETJ.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3}\InprocServer32\ = "C:\\Windows\\SysWow64\\ZPUJZP.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1908F7F6-2A19-E5C4-F7E6-807F7F6D5D5D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6D5D5C-807F-3B2A-5D4B-E6D5D5C3B3B3}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2316 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896.dll,#1
Network
Files
memory/2208-0-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-1-0x0000000077070000-0x0000000077071000-memory.dmp
C:\Windows\SysWOW64\TJOETJ.dll
| MD5 | 861642a320ae23037a6441d6f588045a |
| SHA1 | eb674afd96e5ed93c4ddf90f294f2cb31ff3833d |
| SHA256 | df64fdd1009e88236743299892f580e48d491d1f416325bc8bf8f7e38bfdde97 |
| SHA512 | 27171e29b58689a4f4a3cdd814c0c44883ad4b24ec72be81c6544ede5da52b0a48ebd7de995cce2559cbd0223be34e2c47cbc8059b637effe40dab5ca1171624 |
memory/2208-12-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-13-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-14-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-15-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-16-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-17-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-18-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-19-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-20-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-21-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-22-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-23-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-24-0x00000000001F0000-0x000000000024E000-memory.dmp
memory/2208-25-0x00000000001F0000-0x000000000024E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-04 02:52
Reported
2024-05-04 02:55
Platform
win10v2004-20240419-en
Max time kernel
140s
Max time network
102s
Signatures
Modifies Shared Task Scheduler registry keys
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | C:\Windows\SysWOW64\rundll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\IUSPMZ.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\COMJGT.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\COMJGT.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\IUSPMZ.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\New Windows\Allow | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www. | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.google.cn | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F}\InprocServer32\ = "C:\\Windows\\SysWow64\\COMJGT.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A08F6D4C-B291-6D4C-8E6D-18F7E4C3918F}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5}\InprocServer32\ = "C:\\Windows\\SysWow64\\IUSPMZ.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06E5C3A1-18F6-C3A1-E4C3-7E5C4A29F7E5}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4660 wrote to memory of 812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4660 wrote to memory of 812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4660 wrote to memory of 812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c81a29252c15461ac2e4ba94ed321f175fd682ebd780dd9e17f208a019a33896.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/812-0-0x0000000076FE4000-0x0000000076FE5000-memory.dmp
C:\Windows\SysWOW64\COMJGT.dll
| MD5 | 9258b002a3af380d25df5c0680b5d681 |
| SHA1 | 7f5aa4b7d839ced181a16827ea2f6aa6d66dcab5 |
| SHA256 | c0f6279e50edd5bef820bff03217d73af18a8156852389c38e090b387bc23352 |
| SHA512 | 04c3dc01004a7da4212c03a98cfa576998cca96fbb3032669a93674bfe78832fb44a15d0b9d998151dd68c9adac698b30d071a863ccb68dc1b7d7879d2fa6b95 |
memory/812-11-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-12-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-13-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-14-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-15-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-16-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-17-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-18-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-19-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-20-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-21-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-22-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-23-0x0000000000400000-0x000000000045E000-memory.dmp
memory/812-24-0x0000000000400000-0x000000000045E000-memory.dmp