Analysis
-
max time kernel
11s -
max time network
101s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-11-2020 17:56
Static task
static1
Behavioral task
behavioral1
Sample
3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll
Resource
win10v20201028
General
-
Target
3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll
-
Size
1.5MB
-
MD5
532a002f871ef5284a1d23c72abf2389
-
SHA1
5b29aef3fb97935b4e873669ccfcdcc46320f7a8
-
SHA256
3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b
-
SHA512
3a8da72933bfbaaeab10af81112f9bcedbf5c89c40eb7f9691b62866f551bad5d5d7db38ee6046fd5b3f94937ed6331b9089995cd09b4c68f649bcc0f4ed736c
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
Reviewer note: the registry trace further down shows regsvr32.exe writing InprocServer32 default values for CLSIDs {D7E97865-918F-41E4-9CD0-25AB1C574CE8} ("&Inbox Toolbar"), {C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3} ("Inbox Toolbar"), {D3D233D5-9F6D-436C-B6C7-E63F77503B30}, {37540F19-DD4C-478B-B2DF-C19281BCAF27} and {042DA63B-0933-403D-9395-B49307691690} (ProgID Inbox.JSServer), each pointing at the sample in C:\Users\Admin\AppData\Local\Temp. That path is only the sandbox's drop location; on a real host the DLL will sit wherever its installer placed it, so pivot on the CLSIDs and ProgIDs (Inbox.Toolbar, Inbox.JSServer, Inbox.JSServer2, Inbox.IBX404) rather than on the file path. Because the sandbox loaded the DLL through regsvr32.exe, every entry here is the effect of its DllRegisterServer export; the trace does not by itself show what the module does once IE loads it.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer; they are loaded into the browser process and run with its privileges. Note that the entries attributed to this signature below are an IE toolbar registration (HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}) plus Low Rights\ElevationPolicy entries; no key under ...\Explorer\Browser Helper Objects is visible in this excerpt, so treat the "BHO" label as the sandbox's classification rather than a confirmed BHO key. ElevationPolicy\{...}\Policy = "3" is the value Microsoft documents as letting the named AppName in AppPath be launched from Protected Mode at medium integrity without a user prompt, i.e. a Protected Mode exemption for this add-on; here AppPath is the sandbox temp directory and will differ on a real host. IEWatsonEnabled = "0" under Internet Explorer\Main turns off IE's Watson crash reporting, which suppresses reports of any crashes the add-on itself causes.
-
Processes:
Process: regsvr32.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3" | regsvr32.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll" | regsvr32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00 | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | regsvr32.exe
Note: the Toolbar and ElevationPolicy entries are written under both the native and the WOW6432Node views, so both the 32-bit and 64-bit IE configurations are affected on x64.
Modifies registry class 127 IoCs
Reviewer note: the HKLM\SOFTWARE\Classes writes below are a standard COM/ATL registration of the "Inbox Toolbar" add-on: CLSIDs with InprocServer32 = the sample DLL and ThreadingModel = "Apartment", a type library {CBEF8724-D080-4737-88DA-111EEC6651AA} ("Inbox" 1.0), interfaces IJSServer {CE057E0D-2D7E-4DFF-A890-07BA69B8C762} and IJSServer2 {0E56FAFA-1B09-480E-B653-4B23918DC58A} marshalled through the type-library proxy/stub {00020424-0000-0000-C000-000000000046}, ProgIDs Inbox.Toolbar / Inbox.JSServer / Inbox.JSServer2 / Inbox.IBX404, and a PROTOCOLS\Handler\inbox entry (an "inbox:" URL scheme handler for urlmon; the handler's CLSID value is not among the entries shown). Two items matter for risk assessment: the Implemented Categories {7DD95801-9882-11CF-9FA9-00AA006C42C4} and {7DD95802-9882-11CF-9FA9-00AA006C42C4} written for {C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3} and {042DA63B-0933-403D-9395-B49307691690} are CATID_SafeForScripting and CATID_SafeForInitializing, which declare those objects safe for any web page in IE to instantiate and script, and {59FB2056-D625-48D0-A944-1A85B5AB2640} is CATID_AppContainerCompatible, which declares Enhanced Protected Mode compatibility. Whether the "JSServer" objects actually expose dangerous methods to page script cannot be determined from the registry trace; that requires inspecting the type library or the DLL. Writes go to both the native and WOW6432Node class hives, and only a subset of the 127 entries is reproduced below.
Processes:
Process: regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\ | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ = "Inbox Toolbar" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\ | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ = "IJSServer2" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2\Clsid\ = "{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ = "&Inbox Toolbar" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2\ | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid\ = "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\ | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ = "IJSServer2" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3f2dd0bb49b0e584c00ecd1c342d116856a4685b6d0cd4dfc864efe19679e88b.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\ = "Inbox" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\ | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
(Listing truncated by the report: the signature counts 127 entries; the rows above are the ones reproduced in this excerpt.)