3ab114207384aff54a61e522aae0f0af5d14a34421f881a8c450472693d17a49

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
Size

520KB
MD5

4def4ddba40e11df24d6f10447676eae
SHA1

dfeca41d7e103f6f8175dd7a256b39747d8cce23
SHA256

3ab114207384aff54a61e522aae0f0af5d14a34421f881a8c450472693d17a49
SHA512

0d43ce0f730ada9eed3badf123ea8b678ef9a77b60204eacb6b0849c9f534484e99634444cd0c1cf220cc3b24c744fef1b12f07f02d06912e78aff2ed60cb778
SSDEEP

12288:IO0crBSWN3aFAmeGytrgv2reFrq3yZzITU6ztZs:IOzAY35msg+reEm2bt

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Indtry\Parameters\ServiceDll = "C:\\Windows\\system32\\anorl.dll"	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
1872	rundll2000.exe
2076	rundll2000.exe
4988	RUNDLL2000.EXE
3912	bar.exe

Loads dropped DLL 5 IoCs

pid	Process
1872	rundll2000.exe
2076	rundll2000.exe
4988	RUNDLL2000.EXE
3824	rundll32.exe
3912	bar.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Program Files (x86)\\Common Files\\System\\Updaterun.exe"	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ = "ÊµÓÃËÑË÷"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	bar.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wbem\ocmor.dll	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\advport.dll	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rundll2000.exe	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\WBEM\ocmor.dll	RUNDLL2000.EXE
File created	C:\Windows\SysWOW64\Score.txt	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	RUNDLL2000.EXE
File created	C:\Windows\SysWOW64\anorl.dll	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\anorl.dll	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\sviin.dll	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ocmor.dll	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	RUNDLL2000.EXE
File created	C:\Windows\SysWOW64\advport.dll	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ocmor.dll	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\sviin.dll	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	RUNDLL2000.EXE
File created	C:\Windows\SysWOW64\rundll2000.exe	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\superutilbar\superutilbar.dll	bar.exe
File created	C:\Program Files (x86)\superutilbar\uninst.exe	bar.exe
File created	C:\Program Files (x86)\Common Files\System\Updaterun.exe	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Updaterun.exe	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\bar.exe	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "http://www.3839.com/index.html"	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{03465FF5-00AE-411a-9C34-960ED566EC03} = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	bar.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	RUNDLL2000.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	RUNDLL2000.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	RUNDLL2000.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\InprocServer32\ThreadingModel = "Apartment"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\TypeLib	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CLSID	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1\ = "ÊµÓÃËÑË÷"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\TypeLib\ = "{03D0C547-EBAD-43d9-8B57-DE16E7A93B52}"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\FLAGS\ = "0"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\ = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CLSID	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32\ThreadingModel = "Apartment"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\ = "TOOLBARLIB"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\Programmable	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CurVer	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32\ = "C:\\Program Files (x86)\\superutilbar\\superutilbar.dll"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ProgID\ = "6781.TOOLBAR.1"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\Programmable	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\0\win32\ = "C:\\Program Files (x86)\\superutilbar\\superutilbar.dll"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\VersionIndependentProgID\ = "6781.TOOLBAR"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CurVer	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\TypeLib	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CurVer	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1\CLSID	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CurVer\ = "6781.TOOLBAR.1"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1\CLSID\ = "{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\VersionIndependentProgID	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\0\win32	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1\ = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\VersionIndependentProgID	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\Programmable	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1\CLSID	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\HELPDIR\ = "C:\\Program Files (x86)\\superutilbar\\"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\VersionIndependentProgID\ = "6781.TOOLBARLOADER"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ProgID	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CLSID\ = "{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CLSID	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\VersionIndependentProgID	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\HELPDIR	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\TypeLib\ = "{03D0C547-EBAD-43d9-8B57-DE16E7A93B52}"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ = "ÊµÓÃËÑË÷"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ProgID	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\TypeLib	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\Programmable	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\0	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CurVer\ = "6781.TOOLBARLOADER.1"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\ = "ÊµÓÃËÑË÷"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\InprocServer32	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\InprocServer32	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1\CLSID	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\VersionIndependentProgID	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\TypeLib	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ProgID\ = "6781.TOOLBARLOADER.1"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1\CLSID	bar.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 1872	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	83
PID 3428 wrote to memory of 1872	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	83
PID 3428 wrote to memory of 1872	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	83
PID 3428 wrote to memory of 2076	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	87
PID 3428 wrote to memory of 2076	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	87
PID 3428 wrote to memory of 2076	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	87
PID 3428 wrote to memory of 3824	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	89
PID 3428 wrote to memory of 3824	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	89
PID 3428 wrote to memory of 3824	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	89
PID 3428 wrote to memory of 3912	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	90
PID 3428 wrote to memory of 3912	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	90
PID 3428 wrote to memory of 3912	3428	4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4def4ddba40e11df24d6f10447676eae_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\rundll2000.exe
  "C:\Windows\system32\rundll2000.exe" "C:\Windows\system32\wbem\sviin.dll",Export @install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1872
- C:\Windows\SysWOW64\rundll2000.exe
  "C:\Windows\system32\rundll2000.exe" "C:\Windows\system32\wbem\sviin.dll",Export @start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2076
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\anorl.dll",ExportFunc 1001
  2⤵
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  PID:3824
- C:\Windows\bar.exe
  "C:\Windows\bar.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:3912

C:\WINDOWS\SysWOW64\RUNDLL2000.EXE
C:\WINDOWS\SysWOW64\RUNDLL2000.EXE C:\WINDOWS\SYSTEM32\WBEM\SVIIN.DLL,Export 1087
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\superutilbar\superutilbar.dll

Filesize
225KB

MD5
70bd8878156db1490145bdebe88e349a

SHA1
51533c4d229f4667fd36616cc29dc3549a7a14c9

SHA256
37531889177a599fe9546d12a93209039e051c92adc5e22fabbfb792010a0f14

SHA512
44eae7748715f7c047a05ae2962900cf74aebbc0ce5b78a8db9d1c7a82412bd842011372f9f58d8c02751160a331a1643a4e026e81c12778efe0a72cae735340

Download Submit
C:\WINDOWS\SysWOW64\WBEM\ocmor.dll

Filesize
6KB

MD5
2c9c3948edbbdb7015054eda23d1cca0

SHA1
14a6aa1d75dfdfc2fd213545f150c034b0f7286f

SHA256
b75790e97df65e074970d9347148d60860328b91c6e0be08deacdc204b076fea

SHA512
75c70cb432107b43e20f6df8dc9484deb60d0a4dd2bf7182686a56bc533aaf44862015f40a62d867224502a5a505611b4d90b5638cf86721fcca378098fa9e9b

Download Submit
C:\Windows\SysWOW64\anorl.dll

Filesize
236KB

MD5
c4eb7f80a7861092d38f49d22f3ec6e8

SHA1
f63e3fe1c7dcf41787e75f44720e45d5c74c93ef

SHA256
a84821340f3229c4a940199160f47cc076b8664c5ac220c078bb353295edbdf4

SHA512
e75615fd63e79c922c746272bd7e8ee55ab2bf879be46535de57977b6319d964d8fe096ee844a9bd1f84958d3d24fc1842aaaea44ec845339c99295e69b8ac29

Download Submit
C:\Windows\SysWOW64\rundll2000.exe

Filesize
10KB

MD5
4936a6954ed59700a3c706f9094685ee

SHA1
124edd171bfc8a5c7f5fcf2147f6ff43b705bb79

SHA256
e598bcf79618ab6ab58b29b7a7f3e5fc01ce6c7dbefcaa308565d3d9168249fe

SHA512
1ef09ed6a9b22d761981e759fa2089e9c461fda4a46cba66431817bc7b75451d4639e63cd3872a71c3bf123831983590075fc924424833adf0ef491056de32ea

Download Submit
C:\Windows\SysWOW64\wbem\sviin.dll

Filesize
236KB

MD5
84cebf4537b592af9bd4a54e7488cafc

SHA1
d9d445b3d7bcf2b02881a5b7d23643bde3bd451a

SHA256
51f48d3615f285efd7fc00395d312497fda20a3a325a088141ad97b176b4497d

SHA512
0d048966d997fe7892260341021ceb3975eb06897f77e28cbb7cc853851fd97a08a2f57639c569f731f280310f284017e48895cec657976d7ab43e582d65b33b

Download Submit
C:\Windows\bar.exe

Filesize
272KB

MD5
3c103af2fc889d3dae65e1cd335e1144

SHA1
9b36cecf2d2731e617cb621c3e4dbd977d7fc209

SHA256
9ce2504516ebd4653b9139d3828b93ace39d3530f1f22c4b166d04f11c2903af

SHA512
763e49e23e8b43ac6d6ec68e83f9a72ad144b446b1f60c3d7fd80aeac9d3340bb80815b7feb38b3076fd2a525176fe56602377891837f9e0b932cb8bf83c33d9

Download Submit
memory/1872-14-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/1872-12-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/2076-24-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/2076-17-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/3428-29-0x0000000000400000-0x0000000000482200-memory.dmp

Filesize
520KB

Download
memory/3428-40-0x0000000000400000-0x0000000000482200-memory.dmp

Filesize
520KB

Download
memory/3912-46-0x0000000010000000-0x00000000100C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads