Analysis

- max time kernel: 75s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-04-2022 15:38

Static task: static1
Behavioral task: behavioral1
  Sample: 69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe
  Resource: win7-20220414-en
General

- Target: 69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe
- Size: 44KB
- MD5: 4d7ff430fa4651b4ef3055758734fa10
- SHA1: 2557f9e0aaa60a465d7444db83a48bfe5e85686e
- SHA256: 69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a
- SHA512: b0517722e3ec420afadce1ae227f0c0e957f57d8ed5661d567e96a97c420b9373c5d23de1f1b4f9b4923f77f6dbeb6b65e594c233ee42d5952c43cd82a9d9630
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
  pid    process
  4136   regsvr32.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules that Internet Explorer loads in-process as plugins. They are registered as COM in-process servers (a CLSID with an InprocServer32 entry pointing at the DLL), which is exactly the registry activity recorded for regsvr32.exe below; because the browser loads the DLL on every start, a BHO doubles as a persistence mechanism.
-
Drops file in System32 directory 1 IoCs
Processes:
  description    ioc                              process
  File created   C:\Windows\SysWOW64\spdji.dll    69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe
Modifies Internet Explorer settings 1 IoCs
Processes:
  description        ioc                                                                                                                process
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\cslnam = 222809f51056f149aa21729283e07086   regsvr32.exe

The 16 bytes written to cslnam are the CLSID registered below, {F5092822-5610-49F1-AA21-729283E07086}, in its binary GUID layout (little-endian Data1/Data2/Data3 followed by Data4): 22 28 09 f5 | 10 56 | f1 49 | aa 21 72 92 83 e0 70 86. The value lets the DLL find its own registration without the text form of the CLSID appearing under the Internet Explorer key.
Modifies registry class 7 IoCs
Processes (all by regsvr32.exe, PID 4136):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5092822-5610-49F1-AA21-729283E07086}\InprocServer32\ = "C:\\Windows\\SysWow64\\spdji.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5092822-5610-49F1-AA21-729283E07086}\InprocServer32\ThreadingModel = "Apartment"
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5092822-5610-49F1-AA21-729283E07086}\emanelif = 37c13e1a798982fecb30f6d6512c6a7c6958e0c133e772cb457d9eb954
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5092822-5610-49F1-AA21-729283E07086}\emanger = 078b172f65
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\clsid\{F5092822-5610-49F1-AA21-729283E07086}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5092822-5610-49F1-AA21-729283E07086}\ = "IE SP2 AddOn"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5092822-5610-49F1-AA21-729283E07086}\InprocServer32

The first two entries are the standard output of DllRegisterServer for a 32-bit COM in-process server (the keys land under WOW6432Node because regsvr32 runs from SysWOW64). The value names emanelif and emanger are "filename" and "regname" spelled backwards, and their data is not printable text; the report does not show how the DLL uses them. The display name "IE SP2 AddOn" is chosen to look like a Microsoft component.
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                         pid    process                                                                  target process
  PID 4732 wrote to memory of 4136    4732   69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe   regsvr32.exe
  PID 4732 wrote to memory of 4136    4732   69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe   regsvr32.exe
  PID 4732 wrote to memory of 4136    4732   69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe   regsvr32.exe

Target PID 4136 is the regsvr32.exe child the sample spawns (see Processes below).
Processes

- C:\Users\Admin\AppData\Local\Temp\69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe (PID 4732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\69b9dcb14dbc2cc0b019fb7a083f4792dc46078be468811acb4cf3f353afd15a.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 4136, child of 4732)
    Command line: regsvr32 /s C:\Windows\system32\spdji.dll
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class

The command line names C:\Windows\system32\spdji.dll while the file was actually created in C:\Windows\SysWOW64: the sample runs as a 32-bit process under WOW64 (it launches the SysWOW64 copy of regsvr32.exe), so file-system redirection maps its system32 path to SysWOW64, and registry redirection likewise sends its HKLM\SOFTWARE writes under WOW6432Node. The /s switch suppresses the message boxes regsvr32 would otherwise show after calling DllRegisterServer, so the registration is silent.
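The signatures above give a hunt its shape: a DLL dropped into SysWOW64, registered by regsvr32 as a COM in-process server under a new CLSID, and presented to Internet Explorer as a Browser Helper Object. The PowerShell script below is an added example, not part of the sandbox report or of any tool it references. It enumerates BHOs from both registry views, resolves each CLSID to its InprocServer32 DLL, hashes and signature-checks the file, and flags matches against the CLSID, file name, SHA256 and display name recorded in this report. It assumes the standard BHO registration list (HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects), which the report itself does not show, and must run elevated on the host being examined.

```powershell
# Added hunting script (not from the sandbox report). Run elevated on the host under review.
# Assumption: BHOs are listed under the standard key below; the report shows only the CLSID
# registration, not this list, so an empty list does not by itself prove the host is clean.

$IocClsid  = '{F5092822-5610-49F1-AA21-729283E07086}'   # CLSID created by regsvr32.exe in the report
$IocDll    = 'spdji.dll'                                # DLL dropped to C:\Windows\SysWOW64
$IocSha256 = '42265FD6A124E471B5CEDAF083D9277AFDFFC927E9CC6C1F5D1C757BF511962C'
$IocName   = 'IE SP2 AddOn'                             # CLSID default value set by the sample

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',   # the 32-bit view, where the report's writes landed
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Resolve-ComServer {
    # Map a CLSID to the DLL its InprocServer32 key points at, checking each registry view in turn.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $clsidRoots) {
        $serverKey = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $serverKey) {
            $dll  = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
            $name = (Get-ItemProperty -LiteralPath (Join-Path $root $Clsid) -ErrorAction SilentlyContinue).'(default)'
            return [pscustomobject]@{ Clsid = $Clsid; Name = $name; Dll = $dll; Key = $serverKey }
        }
    }
    return [pscustomobject]@{ Clsid = $Clsid; Name = $null; Dll = $null; Key = $null }
}

function Test-BhoEntry {
    # Build one finding per BHO CLSID: resolve the server DLL, hash it, verify its Authenticode
    # signature, and collect every reason it resembles the registration seen in this report.
    param([Parameter(Mandatory)][string]$Clsid, [string]$View)
    $com     = Resolve-ComServer -Clsid $Clsid
    $reasons = [System.Collections.Generic.List[string]]::new()
    $hash    = $null

    if ($Clsid -ieq $IocClsid)  { $reasons.Add('CLSID matches report IoC') }
    if ($com.Name -eq $IocName) { $reasons.Add("display name is '$IocName'") }

    if (-not $com.Dll) {
        $reasons.Add('no InprocServer32 in any view (dangling BHO entry)')
    } else {
        # InprocServer32 values may be quoted or use %SystemRoot%; normalise before touching the file.
        $path = [Environment]::ExpandEnvironmentVariables($com.Dll.Trim('"'))
        if ([IO.Path]::GetFileName($path) -ieq $IocDll) { $reasons.Add('DLL name matches report IoC') }
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            if ($hash -ieq $IocSha256) { $reasons.Add('SHA256 matches the dropped spdji.dll') }
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons.Add("DLL not validly signed ($($sig.Status))") }
        } else {
            $reasons.Add("InprocServer32 points at missing file $path")
        }
    }

    [pscustomobject]@{
        View    = $View
        Clsid   = $Clsid
        Name    = $com.Name
        Dll     = $com.Dll
        Sha256  = $hash
        Reasons = ($reasons -join '; ')
    }
}

$findings = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $view = if ($root -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
    foreach ($entry in Get-ChildItem -LiteralPath $root) {
        Test-BhoEntry -Clsid $entry.PSChildName -View $view
    }
}

$findings | Format-Table -AutoSize -Wrap

# The report shows the CLSID registered as an in-process server; check it directly as well,
# because deleting only the BHO list entry leaves this registration (and the DLL) in place.
$direct = Resolve-ComServer -Clsid $IocClsid
if ($direct.Key) {
    Write-Warning "Report CLSID $IocClsid is still registered at $($direct.Key) -> $($direct.Dll)"
}
```

A legitimate BHO normally has a validly signed DLL under Program Files; an unsigned DLL in SysWOW64 with a generic display name is worth pulling regardless of whether its hash matches this sample, since a rebuilt variant changes the hash but rarely the registration pattern.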
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Windows\SysWOW64\spdji.dll
  Filesize: 36KB
  MD5: 9a15cdb10be7564c5799f5c1cdc2c32e
  SHA1: d337f2481e15b53ce05aee534d4068f99a94453b
  SHA256: 42265fd6a124e471b5cedaf083d9277afdffc927e9cc6c1f5d1c757bf511962c
  SHA512: 4f91a48059fa82c3831fbe23f5031ae1cca81297420c4a3a94b138468183eeefdc74a9a0a6263bdf374e369f80400d9bc312b182f905bccc6d97e1ff3c42fdc8
- memory/4136-131-0x0000000000000000-mapping.dmp

- memory/4732-130-0x0000000000401000-0x0000000000403000-memory.dmp
  Filesize: 8KB