ca011c7f7084d951d24e2d8f21a4688425429695f339c01b6f0431027cd01a1b

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 19:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
Size

572KB
MD5

8ba9d5a3628a64034dc4e3d2ef06c428
SHA1

e4985b0e346fa11d11e9a520a300f890fbed81a6
SHA256

ca011c7f7084d951d24e2d8f21a4688425429695f339c01b6f0431027cd01a1b
SHA512

b7de8ebf23848e3cb94f51e3d7f4984c54efd5a93092f870efd070f4021bd09563518103b8b7664fbc07909de646028b72a9fa2f756052749164efb50535573f
SSDEEP

12288:Bc1WrtOLqz3/pWOxT7D0FftJ4DzcB3NCFNch+gF++P4PnQjA/Fp9WM:2grtea/pZNDyt+DCNCLM+wUQu9r

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SmallCenter\Parameters\ServiceDll = "C:\\Windows\\system32\\lpvto.dll"	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3324	rundllfromwin2000.exe
2092	rundllfromwin2000.exe
4904	toolsp.exe

Loads dropped DLL 5 IoCs

pid	Process
3324	rundllfromwin2000.exe
2092	rundllfromwin2000.exe
3468	RUNDLL32.EXE
2640	rundll32.exe
4904	toolsp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Program Files (x86)\\Common Files\\System\\Updaterun.exe"	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ = "ÊµÓÃËÑË÷"	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	toolsp.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wbem\ocmor.dll	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ocmor.dll	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\huhvl.dll	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\advport.dll	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lpvto.dll	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rundllfromwin2000.exe	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rundllfromwin2000.exe	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\huhvl.dll	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\advport.dll	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lpvto.dll	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\Updaterun.exe	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Updaterun.exe	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
File created	C:\Program Files (x86)\superutilbar\superutilbar.dll	toolsp.exe
File created	C:\Program Files (x86)\superutilbar\uninst.exe	toolsp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\toolsp.exe	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
244	3468	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toolsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundllfromwin2000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundllfromwin2000.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "http://www.3839.com/index.html"	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{03465FF5-00AE-411a-9C34-960ED566EC03} = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	toolsp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1\CLSID	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\InprocServer32	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\InprocServer32	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CurVer\ = "6781.TOOLBAR.1"	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32\ = "C:\\Program Files (x86)\\superutilbar\\superutilbar.dll"	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\ = "TOOLBARLIB"	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\HELPDIR\ = "C:\\Program Files (x86)\\superutilbar\\"	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CLSID	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ProgID	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CLSID	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1\CLSID	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\VersionIndependentProgID	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\VersionIndependentProgID	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CurVer	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\TypeLib	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\VersionIndependentProgID\ = "6781.TOOLBAR"	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\VersionIndependentProgID\ = "6781.TOOLBARLOADER"	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1\CLSID	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\FLAGS	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ProgID\ = "6781.TOOLBAR.1"	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CLSID	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\Programmable	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\TypeLib\ = "{03D0C547-EBAD-43d9-8B57-DE16E7A93B52}"	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CurVer	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\Programmable	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\VersionIndependentProgID	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CLSID\ = "{03465FF5-00AE-411a-9C34-960ED566EC03}"	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\TypeLib\ = "{03D0C547-EBAD-43d9-8B57-DE16E7A93B52}"	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32\ThreadingModel = "Apartment"	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\ = "ÊµÓÃËÑË÷"	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\0\win32	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\ = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\Programmable	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ProgID	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\TypeLib	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CurVer	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\InprocServer32\ = "C:\\Program Files (x86)\\superutilbar\\superutilbar.dll"	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\0\win32\ = "C:\\Program Files (x86)\\superutilbar\\superutilbar.dll"	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1\ = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ProgID\ = "6781.TOOLBARLOADER.1"	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\FLAGS\ = "0"	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CurVer\ = "6781.TOOLBARLOADER.1"	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CLSID	toolsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1\CLSID\ = "{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}"	toolsp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ProgID	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\VersionIndependentProgID	toolsp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ProgID	toolsp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 3324	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	84
PID 528 wrote to memory of 3324	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	84
PID 528 wrote to memory of 3324	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	84
PID 528 wrote to memory of 2092	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	90
PID 528 wrote to memory of 2092	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	90
PID 528 wrote to memory of 2092	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	90
PID 528 wrote to memory of 2640	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	103
PID 528 wrote to memory of 2640	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	103
PID 528 wrote to memory of 2640	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	103
PID 528 wrote to memory of 4904	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	104
PID 528 wrote to memory of 4904	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	104
PID 528 wrote to memory of 4904	528	8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe	104

C:\Users\Admin\AppData\Local\Temp\8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ba9d5a3628a64034dc4e3d2ef06c428_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\SysWOW64\rundllfromwin2000.exe
  "C:\Windows\system32\rundllfromwin2000.exe" "C:\Windows\system32\wbem\huhvl.dll",Export @install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3324
- C:\Windows\SysWOW64\rundllfromwin2000.exe
  "C:\Windows\system32\rundllfromwin2000.exe" "C:\Windows\system32\wbem\huhvl.dll",Export @start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2092
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\lpvto.dll",ExportFunc 1001
  2⤵
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\toolsp.exe
  "C:\Windows\toolsp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4904

C:\WINDOWS\SysWOW64\RUNDLL32.EXE
C:\WINDOWS\SysWOW64\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\WBEM\HUHVL.DLL,Export 1087
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 624
  2⤵
  - Program crash
  PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3468 -ip 3468
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\superutilbar\superutilbar.dll

Filesize
752KB

MD5
b677b0a8ab09a046f566f37e9f2fa798

SHA1
2f954b545d49b4e05d5f8a4f5ed4355435a59fa9

SHA256
0400a864a79f730340ba2e26a0fd2d2f2222d79b24636ba56554d8682c949c23

SHA512
86ae9c7118d4d14332a3bac85d411d0228b7150464e7379e9c0d9223878466f5a597b26deb390596f7882e46664ab189bed74439280f756c2214b13f53bb7ebf

Download Submit
C:\Windows\SysWOW64\lpvto.dll

Filesize
211KB

MD5
ea54217583c9176cf089c3c2f432671b

SHA1
b05a3d97ea517ba38d0c5a024dfb5c5f1421bf60

SHA256
dec3c480dc07306058c124729297da6a859243ea64767d710685ee731250f4c4

SHA512
4eb49a61bb35e14edbbec37a9fafc98b044c5f1386dd5742f405ab0de922fccb53ddbd0a3e4201157a75d93d2830486cd08dd363e3290e8562beb5d1fd2a0f98

Download Submit
C:\Windows\SysWOW64\rundllfromwin2000.exe

Filesize
10KB

MD5
4936a6954ed59700a3c706f9094685ee

SHA1
124edd171bfc8a5c7f5fcf2147f6ff43b705bb79

SHA256
e598bcf79618ab6ab58b29b7a7f3e5fc01ce6c7dbefcaa308565d3d9168249fe

SHA512
1ef09ed6a9b22d761981e759fa2089e9c461fda4a46cba66431817bc7b75451d4639e63cd3872a71c3bf123831983590075fc924424833adf0ef491056de32ea

Download Submit
C:\Windows\SysWOW64\wbem\huhvl.dll

Filesize
296KB

MD5
2534e95e3e2e158a48a908c83c8290a7

SHA1
fe80081fcf8941f7ae25c488acb85e6a2b8c5684

SHA256
e64f5d5e6a0d9a2ccf3e20fcec8c559e52c99421b1c1a9392e3237869e985952

SHA512
b35dc83c0e331d8a6fb5ba56a131d3d14d3b88b56dd23e0981a149a02506211fdd13dd7ebe3ad1f5828f89dca775e42e21b5e515074b97491d66ad0b4c90402d

Download Submit
C:\Windows\toolsp.exe

Filesize
311KB

MD5
7502638d9ca22027488b02b024f5d42f

SHA1
efd5abb39571f86726f323df786037d0401d08e6

SHA256
688e2f49a2a2b5828fafc392f953441c9d7612fcf6a2a9a68e0c590fa8787564

SHA512
368ef2460f4f459307f3f325f9829bea5a95ba99d3afbc245bf8e066cc898db596a5bdf0f89d357bb77b6d797efd25ae1e91b7f1b390b4ac56e7d265ca8b5332

Download Submit
memory/2092-16-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/2092-25-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/3324-10-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/3324-14-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads