736e3da2213e4b8203bb5c8c36adbf8713ac075cb1a8323bcea5f33edc5e3c6a

General

Target

736e3da2213e4b8203bb5c8c36adbf8713ac075cb1a8323bcea5f33edc5e3c6aN.dll
Size

339KB
MD5

a3a922e97dfffb56401d8beb21c49ba0
SHA1

10ba1c4fe11f450a8efb7b00c69bb41cc4e18a75
SHA256

736e3da2213e4b8203bb5c8c36adbf8713ac075cb1a8323bcea5f33edc5e3c6a
SHA512

14012e6a53c030c6576ca437cbc82a9f38ebd8a97415250a6be8c49bfe586fc0c5d833be681c8980f2e406b1ffd20d464e9c39804bc041042eea1d1244aea212
SSDEEP

6144:xJ7D5RtYutKWXfsMWxbsFMTk8YnpjAycXdBkr:PbtYapX0yrXr

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Modifies Shared Task Scheduler registry keys 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2469BD02-358A-E135-0247-9BE0357ACE13}	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE1358AC-D024-8BDF-ACE1-368ADF1468BD}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE1358AC-D024-8BDF-ACE1-368ADF1468BD}\	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\W.dll	rundll32.exe
File created	C:\Windows\SysWOW64\C.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\C.dll	rundll32.exe
File created	C:\Windows\SysWOW64\W.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1358AC-D024-8BDF-ACE1-368ADF1468BD}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2469BD02-358A-E135-0247-9BE0357ACE13}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2469BD02-358A-E135-0247-9BE0357ACE13}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1358AC-D024-8BDF-ACE1-368ADF1468BD}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1358AC-D024-8BDF-ACE1-368ADF1468BD}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1358AC-D024-8BDF-ACE1-368ADF1468BD}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1358AC-D024-8BDF-ACE1-368ADF1468BD}\InprocServer32\ = "C:\\Windows\\SysWow64\\W.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2469BD02-358A-E135-0247-9BE0357ACE13}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2469BD02-358A-E135-0247-9BE0357ACE13}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2469BD02-358A-E135-0247-9BE0357ACE13}\InprocServer32\ = "C:\\Windows\\SysWow64\\C.dll"	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 2656	4624	rundll32.exe	83
PID 4624 wrote to memory of 2656	4624	rundll32.exe	83
PID 4624 wrote to memory of 2656	4624	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\736e3da2213e4b8203bb5c8c36adbf8713ac075cb1a8323bcea5f33edc5e3c6aN.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\736e3da2213e4b8203bb5c8c36adbf8713ac075cb1a8323bcea5f33edc5e3c6aN.dll,#1
  2⤵
  - Modifies Shared Task Scheduler registry keys
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\W.dll

Filesize
339KB

MD5
6ca22fb39daf2d7e8bf153e6d2f9a992

SHA1
d36539e8ebb6cf98ddf1b9de59ba9b425c22b7d5

SHA256
394563982060bdea780a5618d678bbea70fd72e457a67e6cf13c683cd2fd088e

SHA512
a48b0c978f69d01d2abc18578c1d4ffd81a70b6058d267265ccf9aebb6d44fc5bc8ed78af446d685580a6947ed46f2a1775da6702c1db567f56c403d9e59754d

Download Submit
memory/2656-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-11-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-12-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-13-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-14-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-0-0x00000000776C4000-0x00000000776C5000-memory.dmp

Filesize
4KB

Download
memory/2656-16-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-18-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-19-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-20-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-21-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads