736e3da2213e4b8203bb5c8c36adbf8713ac075cb1a8323bcea5f33edc5e3c6a

General

Target

736e3da2213e4b8203bb5c8c36adbf8713ac075cb1a8323bcea5f33edc5e3c6aN.dll
Size

339KB
MD5

a3a922e97dfffb56401d8beb21c49ba0
SHA1

10ba1c4fe11f450a8efb7b00c69bb41cc4e18a75
SHA256

736e3da2213e4b8203bb5c8c36adbf8713ac075cb1a8323bcea5f33edc5e3c6a
SHA512

14012e6a53c030c6576ca437cbc82a9f38ebd8a97415250a6be8c49bfe586fc0c5d833be681c8980f2e406b1ffd20d464e9c39804bc041042eea1d1244aea212
SSDEEP

6144:xJ7D5RtYutKWXfsMWxbsFMTk8YnpjAycXdBkr:PbtYapX0yrXr

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Modifies Shared Task Scheduler registry keys 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{91808080-A2A2-5D5D-7F6E-080807F7F7E5}	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3B3A2A2A-4C4C-F7F7-1918-A2A2A191919F}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3B3A2A2A-4C4C-F7F7-1918-A2A2A191919F}\	rundll32.exe

Drops file in System32 directory 4 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\PBNYKW.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\PBNYKW.dll	rundll32.exe
File created	C:\Windows\SysWOW64\VHSEQC.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\VHSEQC.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 10 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B3A2A2A-4C4C-F7F7-1918-A2A2A191919F}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B3A2A2A-4C4C-F7F7-1918-A2A2A191919F}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B3A2A2A-4C4C-F7F7-1918-A2A2A191919F}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91808080-A2A2-5D5D-7F6E-080807F7F7E5}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91808080-A2A2-5D5D-7F6E-080807F7F7E5}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91808080-A2A2-5D5D-7F6E-080807F7F7E5}\InprocServer32\ = "C:\\Windows\\SysWow64\\VHSEQC.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91808080-A2A2-5D5D-7F6E-080807F7F7E5}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B3A2A2A-4C4C-F7F7-1918-A2A2A191919F}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91808080-A2A2-5D5D-7F6E-080807F7F7E5}\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B3A2A2A-4C4C-F7F7-1918-A2A2A191919F}\InprocServer32\ = "C:\\Windows\\SysWow64\\PBNYKW.dll"	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1964 wrote to memory of 1720	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1720	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1720	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1720	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1720	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1720	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1720	1964	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\736e3da2213e4b8203bb5c8c36adbf8713ac075cb1a8323bcea5f33edc5e3c6aN.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\736e3da2213e4b8203bb5c8c36adbf8713ac075cb1a8323bcea5f33edc5e3c6aN.dll,#1
  2⤵
  - Modifies Shared Task Scheduler registry keys
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PBNYKW.dll

Filesize
339KB

MD5
8a185f23f0c626b14b29410f13adf9a6

SHA1
00f479513e5e2d4c9524ee705d7ada50003ee379

SHA256
7f56d273eb992c6b837614bb8c530e59b7bae2088efb4f4d2acd38bdbbdd5c01

SHA512
4fc58d5481042560ebaf274ef903ee47d5163aa6388fa101fce03e3f287c6820faa51dc208a77de75d4dbf90e7ba1665f00ddac35b75c9625e356dac6bfad6bb

Download Submit
memory/1720-15-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-1-0x0000000076F00000-0x0000000076F01000-memory.dmp

Filesize
4KB

Download
memory/1720-12-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-13-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-14-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-0-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-16-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-17-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-18-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-19-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-20-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-21-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/1720-22-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads