Analysis

  • max time kernel
    157s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:15

General

  • Target

    62ba0fc2c6b17854c89aec29308f3df5db06f2e40f807584f48e7d3a9c0394dc.dll

  • Size

    39KB

  • MD5

    9af0c1b1b2b7882d9f14056202b5450e

  • SHA1

    36076c3d4d837d58d10ec2128b9e2b91535a05ba

  • SHA256

    62ba0fc2c6b17854c89aec29308f3df5db06f2e40f807584f48e7d3a9c0394dc

  • SHA512

    4af8310176bfe31c63d0536a391ae9d26019d0214f5bfab6c9d67edb296f8e6fd52726079c25a73fc9cb9488ac88a41dde25c1741eadd9ba3a6790ae628614c1

Score
8/10

Malware Config

Signatures

  • Sets service image path in registry (2 TTPs)
  • Modifies Internet Explorer settings (1 TTP, 10 IoCs)
  • Modifies data under HKEY_USERS (41 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ba0fc2c6b17854c89aec29308f3df5db06f2e40f807584f48e7d3a9c0394dc.dll
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\62ba0fc2c6b17854c89aec29308f3df5db06f2e40f807584f48e7d3a9c0394dc.dll
      PID:3556
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 9e6dc25d7650a0803e1f6619d565631e FqMpXtlXjESy+xQCAVM9uw.0.1.0.0.0
    • Modifies data under HKEY_USERS
    PID:2700
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    PID:3888
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    PID:2984
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:17410 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2528
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    PID:4020

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2
