Analysis
- max time kernel: 150s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-04-2022 18:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.dll
- Resource: win7-20220414-en (windows7_x64), 0 signatures, 0 seconds
General
- Target: bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.dll
- Size: 191KB
- MD5: 3960a95b0585f7813c19fb012d10fe93
- SHA1: a12af3edc11d87bd00cecc22753094dc37cfee91
- SHA256: bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759
- SHA512: e80de35dfa65a0bbe5f319f0e60b15ec15055f2d1afc9989ad59ec005c0729458e6987b21637d4c8c86e1bc3842f9b48fb03afdccc58f89e0462100a552618ff
Malware Config
Signatures
-
- Installs/modifies Browser Helper Object (2 TTPs)
  BHOs are DLL modules that Internet Explorer loads as in-process COM objects when the browser starts. They are registered by CLSID under SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (under WOW6432Node for 32-bit modules) and run with the browser's privileges, which makes them a long-standing persistence and traffic-interception mechanism. The individual registry events behind this signature are not itemised on this page; the COM class registration that a BHO depends on is listed under Modifies registry class below.
-
- Modifies registry class (11 IoCs)
  Process: regsvr32.exe (all entries)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\InprocServer32\ThreadingModel = "Apartment"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.mgrsia\
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\ProgID
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\ProgID\ = "bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.mgrsia"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.dll"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.mgrsia
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.mgrsia\Clsid
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.mgrsia\Clsid\ = "{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}\InprocServer32
  Taken together these events are a standard in-process COM server registration of the kind a DLL's DllRegisterServer export performs: CLSID {47CFDDF9-6FBD-4C06-8752-24FEFBA10D58} gets an InprocServer32 pointing at the sample's own path in the user's Temp directory with ThreadingModel "Apartment", a ProgID of <sha256>.mgrsia, and the reverse Classes\<ProgID>\Clsid link back to the CLSID. The keys sit under WOW6432Node, so the class was registered from the 32-bit registry view. Any later CoCreateInstance of this CLSID or ProgID, including a load as a Browser Helper Object, resolves to the DLL in Temp.
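As an added example (not code from the report or from Triage), the Python below parses the eleven event lines above, rebuilds the CLSID to ProgID to InprocServer32 chain and flags the in-process server living in the user's Temp directory. The event strings are reconstructed from the table; the regex, key handling and finding texts are this example's own assumptions, and HYPOTHETICAL_BHO is a made-up Browser Helper Objects line that this report did not observe, included only to show what that check would match.

```python
"""Rebuild the COM registration behind Triage-style registry IoC lines.
Added example, not the report's or Triage's code: the regex, key handling and
finding texts below are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SAMPLE = "bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759"
CLSID = "{47CFDDF9-6FBD-4C06-8752-24FEFBA10D58}"
CLS = r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID" + "\\" + CLSID
PROGID_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes" + "\\" + SAMPLE + ".mgrsia"
DLL = r"C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE + ".dll"  # Triage doubles backslashes in values
# The report's eleven 'Modifies registry class' events, constructed here from its IoC table.
EVENTS = [
    f'Set value (str) {CLS}\\ regsvr32.exe',
    f'Set value (str) {CLS}\\InprocServer32\\ThreadingModel = "Apartment" regsvr32.exe',
    f'Set value (str) {PROGID_KEY}\\ regsvr32.exe',
    f'Key created {CLS}\\ProgID regsvr32.exe',
    f'Set value (str) {CLS}\\ProgID\\ = "{SAMPLE}.mgrsia" regsvr32.exe',
    f'Key created {CLS} regsvr32.exe',
    f'Set value (str) {CLS}\\InprocServer32\\ = "{DLL}" regsvr32.exe',
    f'Key created {PROGID_KEY} regsvr32.exe',
    f'Key created {PROGID_KEY}\\Clsid regsvr32.exe',
    f'Set value (str) {PROGID_KEY}\\Clsid\\ = "{CLSID}" regsvr32.exe',
    f'Key created {CLS}\\InprocServer32 regsvr32.exe',
]
# Hypothetical, NOT observed in this report (its BHO events are not itemised): the shape of a BHO entry.
HYPOTHETICAL_BHO = (r"Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
                    r"\CurrentVersion\Explorer\Browser Helper Objects" + "\\" + CLSID + " regsvr32.exe")

# '<op> <path>[ = "<value>"] <process>'; paths may contain spaces, so the path is matched lazily.
EVENT_RE = re.compile(r'^(?P<op>Set value \(\w+\)|Key created) (?P<path>\\REGISTRY\\.+?)'
                      r'(?: = "(?P<value>.*?)")? (?P<proc>\S+)$')
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

@dataclass
class ComClass:
    clsid: str
    wow6432: bool = False                 # registered in the 32-bit registry view
    inproc_server: Optional[str] = None   # InprocServer32 default value (the DLL path)
    progid: Optional[str] = None

@dataclass
class Registry:
    classes: Dict[str, ComClass] = field(default_factory=dict)
    progid_to_clsid: Dict[str, str] = field(default_factory=dict)  # from Classes\<ProgID>\Clsid
    bho_clsids: Set[str] = field(default_factory=set)

def parse_event(line: str) -> dict:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    ev = m.groupdict()
    ev["value"] = ev["value"] and ev["value"].replace("\\\\", "\\")  # undo Triage's escaping
    return ev

def reconstruct(lines) -> Registry:
    reg = Registry()
    for line in lines:
        ev = parse_event(line)
        parts = ev["path"].rstrip("\\").split("\\")
        low = [p.lower() for p in parts]
        if "browser helper objects" in low:
            reg.bho_clsids.update(p.upper() for p in parts[low.index("browser helper objects") + 1:][:1])
        elif "classes" in low:
            i = low.index("classes") + 1
            wow = low[i:i + 1] == ["wow6432node"]
            i += wow
            if low[i:i + 1] == ["clsid"] and i + 1 < len(parts):
                clsid = parts[i + 1].upper()
                cls = reg.classes.setdefault(clsid, ComClass(clsid=clsid))
                cls.wow6432, tail, val = wow, low[i + 2:], ev["value"]
                if tail == ["inprocserver32"] and val is not None:
                    cls.inproc_server = val
                elif tail == ["progid"] and val is not None:
                    cls.progid = val
            elif low[i + 1:] == ["clsid"] and ev["value"]:
                reg.progid_to_clsid[parts[i]] = ev["value"].upper()
    return reg

def assess(reg: Registry) -> Dict[str, List[str]]:
    """Per-CLSID findings a responder can act on."""
    out: Dict[str, List[str]] = {}
    for clsid, cls in reg.classes.items():
        f = []
        if cls.inproc_server and TEMP_DIR.match(cls.inproc_server):
            f.append("InprocServer32 is in a user-writable temp dir: " + cls.inproc_server)
        if cls.progid:
            ok = reg.progid_to_clsid.get(cls.progid) == clsid
            f.append(f"ProgID {cls.progid} {'round-trips to' if ok else 'does not point back to'} this CLSID")
        if cls.wow6432:
            f.append("registered under WOW6432Node: a 32-bit in-process server")
        if clsid in reg.bho_clsids:
            f.append("also listed under Browser Helper Objects (loaded by Internet Explorer)")
        out[clsid] = f
    return out

if __name__ == "__main__":
    for clsid, findings in assess(reconstruct(EVENTS)).items():
        print(clsid, *("  - " + x for x in findings), sep="\n")
```

Run stand-alone it prints the CLSID with the Temp-directory, ProgID round-trip and WOW6432Node findings; appending HYPOTHETICAL_BHO to the input adds the Browser Helper Objects finding. The same parser works on any Triage registry IoC export, which is the practical use: grouping a sample's scattered `Set value` and `Key created` events back into one COM registration.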
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (three identical events):
  description: PID 3144 wrote to memory of 5048 | pid: 3144 | target pid: 5048 | process: regsvr32.exe | target process: regsvr32.exe
  The writer (PID 3144) is the 64-bit regsvr32.exe and the target (PID 5048) is the SysWOW64 regsvr32.exe it spawned, so these writes are consistent with ordinary process creation, in which the parent initialises the new child's address space, rather than with injection into an unrelated process. On its own this signature is weak evidence here.
Processes
- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (child)
    command line: /s C:\Users\Admin\AppData\Local\Temp\bb8fc2a5ff3416ee363da175e35534f0c01da2362b49d8bfb5839a339c382759.dll
    - Modifies registry class
  /s requests silent registration. Given a 32-bit DLL, the 64-bit regsvr32.exe re-launches the SysWOW64 copy with the same arguments, so DllRegisterServer actually runs in the child (PID 5048), which is where the WOW6432Node registry writes and the memory dump below come from.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/5048-130-0x0000000000000000-mapping.dmp (memory dump from PID 5048, the SysWOW64 regsvr32.exe child that performed the registry writes)