Malware Analysis Report

2024-12-07 03:03

Sample ID 241113-yktcxa1qbn
Target 1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834
SHA256 1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834
Tags: adware, discovery, persistence, stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834

Threat Level: Likely malicious

The file 1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834 was found to be: Likely malicious.

Malicious Activity Summary

Tags: adware, discovery, persistence, stealer

Modifies Shared Task Scheduler registry keys

Installs/modifies Browser Helper Object

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:51

Reported

2024-11-13 19:53

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834.dll,#1

Signatures

Modifies Shared Task Scheduler registry keys

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{EA72FA62-FC84-B73F-C850-52EA61E951D9} | C:\Windows\SysWOW64\rundll32.exe | N/A

Installs/modifies Browser Helper Object

Tags: stealer, adware

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{851C940C-A62E-51D9-62FA-0C840B830B73} | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{851C940C-A62E-51D9-62FA-0C840B830B73}\ | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\OSX.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\OSX.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\SysWOW64\INR.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\INR.dll | C:\Windows\SysWOW64\rundll32.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73}\ | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9}\ | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9}\InprocServer32\ = "C:\\Windows\\SysWow64\\OSX.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73} | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73}\InprocServer32\ = "C:\\Windows\\SysWow64\\INR.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9} | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834.dll,#1

Network

N/A

Files

memory/1996-0-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-1-0x0000000077680000-0x0000000077681000-memory.dmp

C:\Windows\SysWOW64\INR.dll

MD5 02ed38b790361fc900eccfecaabdc632
SHA1 33a29f34d59fec86d9ecacd9e86dfe8229a34683
SHA256 d2101c6d5769cadc72cf03430722caa4dff8e3e7e8507027a31f3104266a407b
SHA512 ad9cddb043f52827ce7100298cfcf830c52ec703ffa062193efce522d8b0d37afe39d2da4804902235685b8470e57259eb2f99ee42790c7fe64bce3800ff1208

memory/1996-12-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-13-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-14-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-15-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-16-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-17-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-18-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-19-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-20-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-21-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-22-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-23-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-24-0x00000000006B0000-0x000000000070C000-memory.dmp

memory/1996-25-0x00000000006B0000-0x000000000070C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 19:51

Reported

2024-11-13 19:53

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834.dll,#1

Signatures

Modifies Shared Task Scheduler registry keys

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9} | C:\Windows\SysWOW64\rundll32.exe | N/A

Installs/modifies Browser Helper Object

Tags: stealer, adware

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B62D84F-2D73-D83E-E940-83D94FB61D83} | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\ | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\GJM.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\GJM.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\SysWOW64\MPS.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MPS.dll | C:\Windows\SysWOW64\rundll32.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9}\ | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\InprocServer32\ = "C:\\Windows\\SysWow64\\GJM.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9} | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9}\InprocServer32\ = "C:\\Windows\\SysWow64\\MPS.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83} | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\ | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2660 wrote to memory of 440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

memory/440-0-0x0000000077444000-0x0000000077445000-memory.dmp

C:\Windows\SysWOW64\GJM.dll

MD5 02ed38b790361fc900eccfecaabdc632
SHA1 33a29f34d59fec86d9ecacd9e86dfe8229a34683
SHA256 d2101c6d5769cadc72cf03430722caa4dff8e3e7e8507027a31f3104266a407b
SHA512 ad9cddb043f52827ce7100298cfcf830c52ec703ffa062193efce522d8b0d37afe39d2da4804902235685b8470e57259eb2f99ee42790c7fe64bce3800ff1208

memory/440-11-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-12-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-13-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-14-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-15-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-16-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-17-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-18-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-19-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-20-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-21-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-22-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-23-0x0000000000400000-0x000000000045C000-memory.dmp

memory/440-24-0x0000000000400000-0x000000000045C000-memory.dmp