Analysis
- max time kernel: 111s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-04-2022 18:51
Static task: static1
Behavioral task: behavioral1
- Sample: d3e08737dbca961b90c1da8a7cdc162d5fcee69a927c0ad0c24bcb2464bcb7e8.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: d3e08737dbca961b90c1da8a7cdc162d5fcee69a927c0ad0c24bcb2464bcb7e8.dll
- Resource: win10v2004-20220414-en
General
- Target: d3e08737dbca961b90c1da8a7cdc162d5fcee69a927c0ad0c24bcb2464bcb7e8.dll
- Size: 19KB
- MD5: 2cca5e64480f406dae66f5d6ec27330e
- SHA1: 8da803b72806ef3716a741492eea4bb1761b2183
- SHA256: d3e08737dbca961b90c1da8a7cdc162d5fcee69a927c0ad0c24bcb2464bcb7e8
- SHA512: e19946116006f7889dc9bd31370cb9b761a44d7ba86cfe0356ee0801558e6a21f9cb9c1e129c59ab6a8bc043b34de585b7ab9e7fe454d36dba0d35081b707a34
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: regsvr32.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: regsvr32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IExplore adviser = "Regsvr32.exe /s C:\\Users\\Admin\\AppData\\Local\\Temp\\d3e08737dbca961b90c1da8a7cdc162d5fcee69a927c0ad0c24bcb2464bcb7e8.dll" (process: regsvr32.exe)
- Installs/modifies Browser Helper Object (2 TTPs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
- Modifies registry class (6 IoCs)
  Processes: regsvr32.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node (process: regsvr32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID (process: regsvr32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C5875B8-93F3-429D-FF34-660B206D897A} (process: regsvr32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C5875B8-93F3-429D-FF34-660B206D897A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d3e08737dbca961b90c1da8a7cdc162d5fcee69a927c0ad0c24bcb2464bcb7e8.dll" (process: regsvr32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C5875B8-93F3-429D-FF34-660B206D897A}\InProcServer32\ThreadingModel = "Apartment" (process: regsvr32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C5875B8-93F3-429D-FF34-660B206D897A}\InProcServer32 (process: regsvr32.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  - PID 3088 wrote to memory of 2972 (pid: 3088, process: regsvr32.exe, target process: regsvr32.exe)
  - PID 3088 wrote to memory of 2972 (pid: 3088, process: regsvr32.exe, target process: regsvr32.exe)
  - PID 3088 wrote to memory of 2972 (pid: 3088, process: regsvr32.exe, target process: regsvr32.exe)
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d3e08737dbca961b90c1da8a7cdc162d5fcee69a927c0ad0c24bcb2464bcb7e8.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (child process)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\d3e08737dbca961b90c1da8a7cdc162d5fcee69a927c0ad0c24bcb2464bcb7e8.dll
    - Adds Run key to start application
    - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2972-130-0x0000000000000000-mapping.dmp