Analysis
- max time kernel: 151s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 19-06-2022 19:48
Static task: static1
Behavioral task: behavioral1
Sample: 34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.dll
Resource: win7-20220414-en
Platform: windows7_x64
0 signatures, 0 seconds
General
- Target: 34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.dll
- Size: 859KB
- MD5: 06bba2dceb45a8662063ef97f437b702
- SHA1: fffe75f0bac7d09d55f5fce87898cd4825816ea9
- SHA256: 34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88
- SHA512: b4199cab674714235f6ce1d81636862a171d0f8e2fc41357ebf1f64825f93ead434f9dd2d3a8c770154909e8b67da23adeacd57bff9a2f99598fb46218c97bd3
Malware Config
Signatures
Processes (resource | yara_rule):
- behavioral2/memory/1808-131-0x0000000002620000-0x00000000029B9000-memory.dmp | themida
- behavioral2/memory/1808-132-0x0000000002620000-0x00000000029B9000-memory.dmp | themida
- behavioral2/memory/1808-135-0x0000000002620000-0x00000000029B9000-memory.dmp | themida
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: regsvr32.exe (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2} | regsvr32.exe
Modifies registry class (11 IoCs)
Processes: regsvr32.exe (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\ = "Alx2000" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.dll" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.MsShutt_109\ = "Alx2000" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.MsShutt_109\Clsid\ = "{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\ProgID | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\ProgID\ = "34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.MsShutt_109" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2} | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.MsShutt_109 | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.MsShutt_109\Clsid | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09AFB2CE-9837-CA3E-0CB1-0A0B00C83DF2}\InprocServer32 | regsvr32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe (description | pid | process | target process):
- PID 1672 wrote to memory of 1808 | 1672 | regsvr32.exe | regsvr32.exe
- PID 1672 wrote to memory of 1808 | 1672 | regsvr32.exe | regsvr32.exe
- PID 1672 wrote to memory of 1808 | 1672 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.dll
  - Suspicious use of WriteProcessMemory
  PID: 1672
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\34da59691dc1f021d31048f709c0e9b612a87e1d70a14408cde0a8c3ce969e88.dll
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID: 1808
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1808-130-0x0000000000000000-mapping.dmp
- memory/1808-131-0x0000000002620000-0x00000000029B9000-memory.dmp (Filesize: 3.6MB)
- memory/1808-132-0x0000000002620000-0x00000000029B9000-memory.dmp (Filesize: 3.6MB)
- memory/1808-135-0x0000000002620000-0x00000000029B9000-memory.dmp (Filesize: 3.6MB)