Analysis
- max time kernel: 139s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 18:30

Static task: static1

Behavioral task: behavioral1
- Sample: d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
- Size: 34KB
- MD5: e2dd408e8a2b8a0e8a9505f4f25be0de
- SHA1: a57e61599cdef24559d61c6e64556c1412fcaa0b
- SHA256: d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15
- SHA512: 96083508cf50d6afb8bbb567eec09eb8b3e8985b8bd665c8a68e2f5e6eee7b0df611eddd6028b6b97ba1a32b02c1a2b4df2ed79321a52e03e5a6e59fd47488e8
Malware Config
Signatures
- Installs/modifies Browser Helper Object (2 TTPs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
- Drops file in Windows directory (1 IoC)
  Processes:
  description | ioc | process
  File created | C:\Windows\system\tlctw32.dll | d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main | d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
- Modifies registry class (6 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C657AAF-22D9-5A16-E17D-31457D631863}\InProcServer32\ThreadingModel = "Apartment" | d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C657AAF-22D9-5A16-E17D-31457D631863}\InProcServer32 | d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C657AAF-22D9-5A16-E17D-31457D631863} | d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C657AAF-22D9-5A16-E17D-31457D631863}\InProcServer32\ = "C:\\Windows\\system\\tlctw32.dll" | d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d796cb0b385a6f163aab35fdc8401856712b918bc02be66fb00ec097e3b60d15.exe"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class