Analysis
- max time kernel: 38s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-04-2022 18:48

Static task: static1

Behavioral task: behavioral1
- Sample: c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3.dll
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3.dll
- Size: 100KB
- MD5: 7efd1578873ba7d57b2622683b25ec82
- SHA1: e4fa1b172ef6a1cc87f2c5d3cd4e71bb7d365b14
- SHA256: c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3
- SHA512: f314357634f01e3e2532974f0429fbf358d43d14eabfba3c6a347628e9ddb1eec45d6d20d09e3936c29af66479d73910fcec639680d2ac3fa162f6d6084b1e5a
Malware Config
Signatures
- Installs/modifies Browser Helper Object (2 TTPs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
- Modifies registry class (6 IoCs)
  Processes: regsvr32.exe
  description / ioc / process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node (regsvr32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (regsvr32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{853FEAE7-D145-4459-BC07-13EC080CD1C5} (regsvr32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{853FEAE7-D145-4459-BC07-13EC080CD1C5}\InprocServer32 (regsvr32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{853FEAE7-D145-4459-BC07-13EC080CD1C5}\InprocServer32\ThreadingModel = "apartment" (regsvr32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{853FEAE7-D145-4459-BC07-13EC080CD1C5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3.dll" (regsvr32.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: regsvr32.exe
  description / pid / process / target process:
  - PID 1976 wrote to memory of 1632 / 1976 / regsvr32.exe / regsvr32.exe
  - PID 1976 wrote to memory of 1632 / 1976 / regsvr32.exe / regsvr32.exe
  - PID 1976 wrote to memory of 1632 / 1976 / regsvr32.exe / regsvr32.exe
  - PID 1976 wrote to memory of 1632 / 1976 / regsvr32.exe / regsvr32.exe
  - PID 1976 wrote to memory of 1632 / 1976 / regsvr32.exe / regsvr32.exe
  - PID 1976 wrote to memory of 1632 / 1976 / regsvr32.exe / regsvr32.exe
  - PID 1976 wrote to memory of 1632 / 1976 / regsvr32.exe / regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\c44c5dc3cb8ad705e6e92ed9804adf53c314802b80e12548879bf2f3a6a11da3.dll
    - Modifies registry class