Analysis
-
max time kernel
39s -
max time network
44s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23/11/2022, 23:36
Static task
static1
Behavioral task
behavioral1
Sample
5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe
Resource
win10v2004-20220812-en
Errors
General
-
Target
5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe
-
Size
244KB
-
MD5
4741f3c291f48e4355983f4c202dbcb5
-
SHA1
49f5df0cbcc827aa114be3fc269fa3feb600547e
-
SHA256
5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c
-
SHA512
748412ac4c6423f4b2f9806e8485131d34416fadf0b6238b64ea5576943754dfa36496647a826349af01a6f1798fd5b7e56381d6b6599a6f114c5cbcb0f59c05
-
SSDEEP
6144:2LD1gvcfPbnFTEYEKNuZAlKUsut/m7pbprqcTBwSki3TmyM:K2gbnFAYEKEZAlKUFJiHXBwS3TQ
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2496 hov.exe -
Sets DLL path for service in the registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Iprip\Parameters\ServiceDll = "C:\\WINDOWS\\SYSTEM32\\liprip.dll" hov.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Iprip\Parameters\ServiceDll = "C:\\Windows\\system32\\liprip.dll" svchost.exe -
Loads dropped DLL 3 IoCs
pid Process 4224 svchost.exe 4224 svchost.exe 4224 svchost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repst = "C:\\Windows\\system32\\iprep.exe" svchost.exe -
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\WINDOWS\SysWOW64\liprip.dll hov.exe File opened for modification C:\Windows\SysWOW64\fsutk.dll svchost.exe File created C:\Windows\SysWOW64\iprep.exe svchost.exe File created C:\Windows\SysWOW64\fsutk.dll 5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe File created C:\WINDOWS\SysWOW64\liprip.dll hov.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.0 svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD\R16.0 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows svchost.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} svchost.exe Key created \REGISTRY\USER\S-1-5-20 svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion svchost.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.2 svchost.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-19 svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.0 svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext svchost.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.1 svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.1 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Key created \REGISTRY\USER\S-1-5-19\Software svchost.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.2 svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" svchost.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Autodesk svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R18.0 svchost.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext svchost.exe Key created \REGISTRY\USER\.DEFAULT svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings svchost.exe -
Modifies registry class 22 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "QuickFlash" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Windows\\SysWow64\\fsutk.dll" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\ hov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ = "QuickFlash" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\ svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ = "IEHlprObj.IEHlprObj.1" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\ svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "QuickFlash" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{BF50AC63-19DA-487E-AD4A-0B452D823B59}" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\ svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ThreadingModel = "Apartment" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\ svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 4224 svchost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3096 5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe 2496 hov.exe 2252 LogonUI.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3096 wrote to memory of 2496 3096 5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe 80 PID 3096 wrote to memory of 2496 3096 5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe 80 PID 3096 wrote to memory of 2496 3096 5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe"C:\Users\Admin\AppData\Local\Temp\5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe"1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Users\Admin\AppData\Local\Temp\hov.exe"C:\Users\Admin\AppData\Local\Temp\hov.exe"2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2496
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s Iprip1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3981855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2252
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD56deadc8b2023da2254381fad0da17f9e
SHA1c4c75c13813775311dd0abde4e6e8425e980040e
SHA25630efcb6689550e1a0a4afee34c9e6ea54f552eb8dd63cbaf7adab08e95141c82
SHA5121cb8c77ed0a30683c04376ab3bee41cf045ed3dc87474c1c3e0fd66b488c4ef59ebd01e141bd8fc10695fca55b9bf067b7c2799b9689251a70c810e68be8bfeb
-
Filesize
20KB
MD56deadc8b2023da2254381fad0da17f9e
SHA1c4c75c13813775311dd0abde4e6e8425e980040e
SHA25630efcb6689550e1a0a4afee34c9e6ea54f552eb8dd63cbaf7adab08e95141c82
SHA5121cb8c77ed0a30683c04376ab3bee41cf045ed3dc87474c1c3e0fd66b488c4ef59ebd01e141bd8fc10695fca55b9bf067b7c2799b9689251a70c810e68be8bfeb
-
Filesize
116KB
MD5ccebb21549fedbfa11f319198bc43803
SHA1f822321ca4cb8821fd038c77827c5ea38ebac6e2
SHA2561db2265a0bbdc02821f226b88ad0bdcf176c9ba4607397a135453937a82bbcf0
SHA512837dd6ff69b07f20d12a7881f3e39b5b0cb0deba34b9044ecc86d6eaf01eda5ce9bce62d025bc73d19d05a26204dcc6e4bf911fb75854f77f7451e166a3600f4
-
Filesize
116KB
MD5ccebb21549fedbfa11f319198bc43803
SHA1f822321ca4cb8821fd038c77827c5ea38ebac6e2
SHA2561db2265a0bbdc02821f226b88ad0bdcf176c9ba4607397a135453937a82bbcf0
SHA512837dd6ff69b07f20d12a7881f3e39b5b0cb0deba34b9044ecc86d6eaf01eda5ce9bce62d025bc73d19d05a26204dcc6e4bf911fb75854f77f7451e166a3600f4
-
Filesize
116KB
MD5ccebb21549fedbfa11f319198bc43803
SHA1f822321ca4cb8821fd038c77827c5ea38ebac6e2
SHA2561db2265a0bbdc02821f226b88ad0bdcf176c9ba4607397a135453937a82bbcf0
SHA512837dd6ff69b07f20d12a7881f3e39b5b0cb0deba34b9044ecc86d6eaf01eda5ce9bce62d025bc73d19d05a26204dcc6e4bf911fb75854f77f7451e166a3600f4
-
Filesize
84KB
MD59be1ab312e62a55c52e924169886be5a
SHA102c884978e94ce1dd49a4a923954ec17652eba36
SHA256984867ab146f62d99ec9a0dac2968ace26445aedbe11d3406aec9d6030d9d271
SHA512c82eb0912096e21f41cbb572c9c8437bbeb9e9cfe4e3d26bf1005e1ef38dbeeb2f068dd61252d370e99e9ca609f6f61adee64d23ceb8dd0ae0c1723a1b714c44
-
Filesize
220KB
MD53f2d9177b63985de4e274a996b0e069b
SHA19f33179f4c5f1a3e2298a3f29098e0665b42f1f0
SHA256f4698a8d995e79a68360663d8f7cddd8fabdd3164ac075e93c7125b2de4e406b
SHA512793b34a9d72387470335a1957d1fa57fcf143aa1d1a0e3e5bbc02fecb51014a2478ebcc966b5c83803c6bcdef62a63e9998c9ff7b1bced677928ef743f2ba4ec
-
Filesize
84KB
MD59be1ab312e62a55c52e924169886be5a
SHA102c884978e94ce1dd49a4a923954ec17652eba36
SHA256984867ab146f62d99ec9a0dac2968ace26445aedbe11d3406aec9d6030d9d271
SHA512c82eb0912096e21f41cbb572c9c8437bbeb9e9cfe4e3d26bf1005e1ef38dbeeb2f068dd61252d370e99e9ca609f6f61adee64d23ceb8dd0ae0c1723a1b714c44