0589f6889a04ed5dbbe794dc8e850749fa8398739e2912a8f370092202d3fa52

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
Size

513KB
MD5

a65bde36f9d84c8f244d913c30e82b0d
SHA1

22b0372cb5d7e2a534d235870677af208b7829ef
SHA256

0589f6889a04ed5dbbe794dc8e850749fa8398739e2912a8f370092202d3fa52
SHA512

af25c67bdb928d45b39c0751eed8bafbfc50f6b5ee5ef38131904f8bcbad9541f04e04f31087bd3054fea6446f32b4c694d8f7862887c23fe3a8672d1d79626a
SSDEEP

12288:ZO0crBSWN3aFAmeH2ZHYik3jm9scW8ZA9jYM:ZOzAY35lpgWH9

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ClipArt\Parameters\ServiceDll = "C:\\Windows\\system32\\ygqcv.dll"	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
3832	rundll2000.exe
3532	rundll2000.exe
452	RUNDLL2000.EXE
1144	bar.exe

Loads dropped DLL 5 IoCs

pid	Process
3832	rundll2000.exe
3532	rundll2000.exe
452	RUNDLL2000.EXE
516	rundll32.exe
1144	bar.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Program Files (x86)\\Common Files\\System\\Updaterun.exe"	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ = "ÊµÓÃËÑË÷"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	bar.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wbem\ocmor.dll	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ocmor.dll	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ygqcv.dll	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rundll2000.exe	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\lhpzb.dll	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\lhpzb.dll	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Score.txt	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\ocmor.dll	RUNDLL2000.EXE
File opened for modification	C:\WINDOWS\SysWOW64\WBEM\ocmor.dll	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	RUNDLL2000.EXE
File opened for modification	C:\Windows\SysWOW64\advport.dll	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rundll2000.exe	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	RUNDLL2000.EXE
File created	C:\Windows\SysWOW64\advport.dll	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ygqcv.dll	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\Updaterun.exe	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
File created	C:\Program Files (x86)\superutilbar\superutilbar.dll	bar.exe
File created	C:\Program Files (x86)\superutilbar\uninst.exe	bar.exe
File created	C:\Program Files (x86)\Common Files\System\Updaterun.exe	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\bar.exe	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll2000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll2000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL2000.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bar.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "http://www.3839.com/index.html"	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{03465FF5-00AE-411a-9C34-960ED566EC03} = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	bar.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	RUNDLL2000.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	RUNDLL2000.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	RUNDLL2000.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1\ = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CurVer	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\Programmable	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\InprocServer32\ThreadingModel = "Apartment"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\0\win32\ = "C:\\Program Files (x86)\\superutilbar\\superutilbar.dll"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1\CLSID	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CurVer	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\VersionIndependentProgID	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\0	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CLSID	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32\ = "C:\\Program Files (x86)\\superutilbar\\superutilbar.dll"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\TypeLib\ = "{03D0C547-EBAD-43d9-8B57-DE16E7A93B52}"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\InprocServer32\ = "C:\\Program Files (x86)\\superutilbar\\superutilbar.dll"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\TypeLib	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ProgID	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\ProgID	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CurVer	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\TypeLib	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\HELPDIR\ = "C:\\Program Files (x86)\\superutilbar\\"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\VersionIndependentProgID	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\Programmable	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ProgID	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\Programmable	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\HELPDIR	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1\CLSID	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\ = "TOOLBARLIB"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ProgID\ = "6781.TOOLBAR.1"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\FLAGS	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1\CLSID	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1\CLSID\ = "{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CLSID\ = "{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\ = "ÊµÓÃËÑË÷¹¤¾ßÌõ2.0"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CLSID\ = "{03465FF5-00AE-411a-9C34-960ED566EC03}"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CurVer	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\ProgID	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1\CLSID	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\InprocServer32	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\VersionIndependentProgID	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1\ = "ÊµÓÃËÑË÷"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\InprocServer32	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}\0.0\0\win32	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR.1\CLSID\ = "{03465FF5-00AE-411a-9C34-960ED566EC03}"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER.1	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\InprocServer32\ThreadingModel = "Apartment"	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\TypeLib	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03465FF5-00AE-411a-9C34-960ED566EC03}\VersionIndependentProgID\ = "6781.TOOLBAR"	bar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}\VersionIndependentProgID\ = "6781.TOOLBARLOADER"	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBAR\CLSID	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER\CLSID	bar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\6781.TOOLBARLOADER	bar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03D0C547-EBAD-43D9-8B57-DE16E7A93B52}	bar.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3832	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	84
PID 4936 wrote to memory of 3832	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	84
PID 4936 wrote to memory of 3832	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	84
PID 4936 wrote to memory of 3532	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	92
PID 4936 wrote to memory of 3532	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	92
PID 4936 wrote to memory of 3532	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	92
PID 4936 wrote to memory of 516	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	96
PID 4936 wrote to memory of 516	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	96
PID 4936 wrote to memory of 516	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	96
PID 4936 wrote to memory of 1144	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	100
PID 4936 wrote to memory of 1144	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	100
PID 4936 wrote to memory of 1144	4936	a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe	100

C:\Users\Admin\AppData\Local\Temp\a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a65bde36f9d84c8f244d913c30e82b0d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\rundll2000.exe
  "C:\Windows\system32\rundll2000.exe" "C:\Windows\system32\wbem\lhpzb.dll",Export @install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3832
- C:\Windows\SysWOW64\rundll2000.exe
  "C:\Windows\system32\rundll2000.exe" "C:\Windows\system32\wbem\lhpzb.dll",Export @start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3532
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\ygqcv.dll",ExportFunc 1001
  2⤵
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:516
- C:\Windows\bar.exe
  "C:\Windows\bar.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1144

C:\WINDOWS\SysWOW64\RUNDLL2000.EXE
C:\WINDOWS\SysWOW64\RUNDLL2000.EXE C:\WINDOWS\SYSTEM32\WBEM\LHPZB.DLL,Export 1087
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\superutilbar\superutilbar.dll

Filesize
225KB

MD5
70bd8878156db1490145bdebe88e349a

SHA1
51533c4d229f4667fd36616cc29dc3549a7a14c9

SHA256
37531889177a599fe9546d12a93209039e051c92adc5e22fabbfb792010a0f14

SHA512
44eae7748715f7c047a05ae2962900cf74aebbc0ce5b78a8db9d1c7a82412bd842011372f9f58d8c02751160a331a1643a4e026e81c12778efe0a72cae735340

Download Submit
C:\WINDOWS\SysWOW64\WBEM\ocmor.dll

Filesize
6KB

MD5
2c9c3948edbbdb7015054eda23d1cca0

SHA1
14a6aa1d75dfdfc2fd213545f150c034b0f7286f

SHA256
b75790e97df65e074970d9347148d60860328b91c6e0be08deacdc204b076fea

SHA512
75c70cb432107b43e20f6df8dc9484deb60d0a4dd2bf7182686a56bc533aaf44862015f40a62d867224502a5a505611b4d90b5638cf86721fcca378098fa9e9b

Download Submit
C:\Windows\SysWOW64\rundll2000.exe

Filesize
10KB

MD5
4936a6954ed59700a3c706f9094685ee

SHA1
124edd171bfc8a5c7f5fcf2147f6ff43b705bb79

SHA256
e598bcf79618ab6ab58b29b7a7f3e5fc01ce6c7dbefcaa308565d3d9168249fe

SHA512
1ef09ed6a9b22d761981e759fa2089e9c461fda4a46cba66431817bc7b75451d4639e63cd3872a71c3bf123831983590075fc924424833adf0ef491056de32ea

Download Submit
C:\Windows\SysWOW64\wbem\lhpzb.dll

Filesize
212KB

MD5
f818461f1c77a129a381d0e41364b462

SHA1
3921bf63a956d3af71e9ee5803ad84839546379c

SHA256
98dd83dc7fe47cbf9bb4afe0bf216dae0dabbc64e81b4108ac5e6846c1577a76

SHA512
75d93b83080068f0801f48969bf0179bf8a02b4f9bc037d1c3c82a3deeff8498e744cc220d6f606ceb83fd22a8ed4fc2ca5f68b9fc209196c23dddef4d53e3c7

Download Submit
C:\Windows\SysWOW64\ygqcv.dll

Filesize
234KB

MD5
de306418b972f8b45466478a3c0a5cba

SHA1
cae00b0088ee48e332fbcaef7cc5e3a234936248

SHA256
8f7ff96b97836082c165cf7cd933fdb7bd87fb1c1f76740e9cf562633da69460

SHA512
d503ff66f9a54c894934f2e44d99d9590bb35de3cd49c7477a3e09e84ec5b48dc7dbc86b0a957afc37a2548a0cce9ee2102d19856ffa113015605f37e29741c3

Download Submit
C:\Windows\bar.exe

Filesize
272KB

MD5
3c103af2fc889d3dae65e1cd335e1144

SHA1
9b36cecf2d2731e617cb621c3e4dbd977d7fc209

SHA256
9ce2504516ebd4653b9139d3828b93ace39d3530f1f22c4b166d04f11c2903af

SHA512
763e49e23e8b43ac6d6ec68e83f9a72ad144b446b1f60c3d7fd80aeac9d3340bb80815b7feb38b3076fd2a525176fe56602377891837f9e0b932cb8bf83c33d9

Download Submit
memory/452-49-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/1144-45-0x0000000010000000-0x00000000100C5000-memory.dmp

Filesize
788KB

Download
memory/3532-23-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/3832-14-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/3832-10-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/4936-39-0x0000000000400000-0x00000000004805C0-memory.dmp

Filesize
513KB

Download
memory/4936-28-0x0000000000400000-0x00000000004805C0-memory.dmp

Filesize
513KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads