Malware Analysis Report

2024-07-28 05:21

Sample ID 240603-db8q1sgf6w
Target b8e80b78c82888231dc9c122812a5f22222436fc85a82eaccbcd0f71cd3a9035
SHA256 b8e80b78c82888231dc9c122812a5f22222436fc85a82eaccbcd0f71cd3a9035
Tags
adware persistence stealer
score
8/10

Analysis Overview

score
8/10

SHA256

b8e80b78c82888231dc9c122812a5f22222436fc85a82eaccbcd0f71cd3a9035

Threat Level: Likely malicious

The file b8e80b78c82888231dc9c122812a5f22222436fc85a82eaccbcd0f71cd3a9035 was found to be: Likely malicious.

Malicious Activity Summary

adware persistence stealer

Modifies Shared Task Scheduler registry keys

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 02:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 02:51

Reported

2024-06-03 02:53

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8e80b78c82888231dc9c122812a5f22222436fc85a82eaccbcd0f71cd3a9035.dll,#1

Signatures

Modifies Shared Task Scheduler registry keys

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{049D27C1-16AF-C15A-E27B-7C059F38C16A} C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF38C26B-B049-6B04-8C16-16AF49E27B04}\ C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF38C26B-B049-6B04-8C16-16AF49E27B04} C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\UNFYQU.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\UNFYQU.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\ASLDWZ.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\ASLDWZ.dll C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF38C26B-B049-6B04-8C16-16AF49E27B04}\InprocServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{049D27C1-16AF-C15A-E27B-7C059F38C16A} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{049D27C1-16AF-C15A-E27B-7C059F38C16A}\InprocServer32\ = "C:\\Windows\\SysWow64\\ASLDWZ.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF38C26B-B049-6B04-8C16-16AF49E27B04} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF38C26B-B049-6B04-8C16-16AF49E27B04}\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF38C26B-B049-6B04-8C16-16AF49E27B04}\InprocServer32\ = "C:\\Windows\\SysWow64\\UNFYQU.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF38C26B-B049-6B04-8C16-16AF49E27B04}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{049D27C1-16AF-C15A-E27B-7C059F38C16A}\ C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{049D27C1-16AF-C15A-E27B-7C059F38C16A}\InprocServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{049D27C1-16AF-C15A-E27B-7C059F38C16A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2908 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2908 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8e80b78c82888231dc9c122812a5f22222436fc85a82eaccbcd0f71cd3a9035.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8e80b78c82888231dc9c122812a5f22222436fc85a82eaccbcd0f71cd3a9035.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3012-0-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-1-0x0000000077A84000-0x0000000077A85000-memory.dmp

C:\Windows\SysWOW64\UNFYQU.dll

MD5 cea9c31d02c86ce0ccc8b22642b51254
SHA1 decdbb28fa2f756757b6d22821189222279d3fc5
SHA256 1e2cff20bc0a5f94ed7c3594a777c1d7cc16a526b16d6bf09fbdabf96a659eb9
SHA512 8c003b9f8d8d14f21b015fda66f34954b5a07732fb140c98a09e59aafea609e3a408950a139a1bf79b26b4aba3a4bdfd47e873e5f9c81f630bafb99b0d8b0efb

memory/3012-12-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-13-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-14-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-15-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-16-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-17-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-18-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-19-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-20-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-21-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-22-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-23-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-24-0x0000000000610000-0x000000000066C000-memory.dmp

memory/3012-25-0x0000000000610000-0x000000000066C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 02:51

Reported

2024-06-03 02:53

Platform

win7-20240220-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8e80b78c82888231dc9c122812a5f22222436fc85a82eaccbcd0f71cd3a9035.dll,#1

Signatures

Modifies Shared Task Scheduler registry keys

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{EDB98642-0ECA-B975-CA97-6420FDBA9753} C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler C:\Windows\SysWOW64\rundll32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{975320EC-A864-531F-6531-0ECA976431FD} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{975320EC-A864-531F-6531-0ECA976431FD}\ C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\L.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\Q.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\Q.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\L.dll C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDB98642-0ECA-B975-CA97-6420FDBA9753}\ C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDB98642-0ECA-B975-CA97-6420FDBA9753}\InprocServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDB98642-0ECA-B975-CA97-6420FDBA9753}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{975320EC-A864-531F-6531-0ECA976431FD}\InprocServer32\ = "C:\\Windows\\SysWow64\\L.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{975320EC-A864-531F-6531-0ECA976431FD}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDB98642-0ECA-B975-CA97-6420FDBA9753} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDB98642-0ECA-B975-CA97-6420FDBA9753}\InprocServer32\ = "C:\\Windows\\SysWow64\\Q.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{975320EC-A864-531F-6531-0ECA976431FD} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{975320EC-A864-531F-6531-0ECA976431FD}\ C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{975320EC-A864-531F-6531-0ECA976431FD}\InprocServer32 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8e80b78c82888231dc9c122812a5f22222436fc85a82eaccbcd0f71cd3a9035.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8e80b78c82888231dc9c122812a5f22222436fc85a82eaccbcd0f71cd3a9035.dll,#1

Network

N/A

Files

memory/2228-0-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-1-0x00000000774B0000-0x00000000774B1000-memory.dmp

C:\Windows\SysWOW64\L.dll

MD5 cea9c31d02c86ce0ccc8b22642b51254
SHA1 decdbb28fa2f756757b6d22821189222279d3fc5
SHA256 1e2cff20bc0a5f94ed7c3594a777c1d7cc16a526b16d6bf09fbdabf96a659eb9
SHA512 8c003b9f8d8d14f21b015fda66f34954b5a07732fb140c98a09e59aafea609e3a408950a139a1bf79b26b4aba3a4bdfd47e873e5f9c81f630bafb99b0d8b0efb

memory/2228-12-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-13-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-14-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-15-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-16-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-17-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-18-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-19-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-20-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-21-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-22-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-23-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-24-0x00000000006F0000-0x000000000074C000-memory.dmp

memory/2228-25-0x00000000006F0000-0x000000000074C000-memory.dmp