Analysis
- max time kernel: 99s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 11:08
Static task: static1
Behavioral task: behavioral1
- Sample: 89d73afdd2133a0c365bcc1f24bb666a19723442b1abbd91fca0d8ee2b5f7b0a.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 89d73afdd2133a0c365bcc1f24bb666a19723442b1abbd91fca0d8ee2b5f7b0a.dll
- Resource: win10v2004-20220812-en
General
- Target: 89d73afdd2133a0c365bcc1f24bb666a19723442b1abbd91fca0d8ee2b5f7b0a.dll
- Size: 213KB
- MD5: 1ff99fc7fb648e3222a0d13c4dcdaf35
- SHA1: 8beddc11f35c3853f7f0ea314b37416b8b3d79dd
- SHA256: 89d73afdd2133a0c365bcc1f24bb666a19723442b1abbd91fca0d8ee2b5f7b0a
- SHA512: 7bc36d522dd46835807c77e5892b64cd13cebfa24604be7bbfca2f2570dbe943af5ecba749cf71fe237c0eebc8bcdab805a9bc49a60af823f1a53245fcadbfea
- SSDEEP: 3072:VM21iuIUW3PO2o39lPY3gew3Ate26mXjePeVUZGK3UbrrVt9akigGOMNrkZ:h1LIUWWh39lpeWce7P1Z7EHr1akIHkZ
Malware Config
Signatures
- Registers COM server for autorun (1 TTPs, 3 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89d73afdd2133a0c365bcc1f24bb666a19723442b1abbd91fca0d8ee2b5f7b0a.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
- Installs/modifies Browser Helper Object (2 TTPs, 5 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes: regsvr32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\ = "Adobe PDF Reader Link Helper" | regsvr32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\NoExplorer = "1" | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F99BD4F5-D402-4c21-A8BC-510830B6BE37} | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F99BD4F5-D402-4c21-A8BC-510830B6BE37} | regsvr32.exe
- Modifies registry class (23 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37} | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\AppID = "{74DB2CD7-094B-4d60-9656-ADC2F8830D29}" | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\ProgID | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\VersionIndependentProgID\ = "linkrdr.AIEbho" | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\linkrdr.AIEbho.1\ = "Adobe PDF Reader Link Helper" | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\linkrdr.AIEbho\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\ = "Adobe PDF Reader Link Helper" | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89d73afdd2133a0c365bcc1f24bb666a19723442b1abbd91fca0d8ee2b5f7b0a.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\ProgID\ = "linkrdr.AIEbho.1" | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\VersionIndependentProgID | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\linkrdr.AIEbho.1 | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\linkrdr.AIEbho\CurVer | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\Programmable | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\linkrdr.AIEbho | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\linkrdr.AIEbho\ = "Adobe PDF Reader Link Helper" | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\linkrdr.AIEbho\CLSID\ = "{F99BD4F5-D402-4c21-A8BC-510830B6BE37}" | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\linkrdr.AIEbho.1\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\linkrdr.AIEbho.1\CLSID\ = "{F99BD4F5-D402-4c21-A8BC-510830B6BE37}" | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\linkrdr.AIEbho\CurVer\ = "linkrdr.AIEbho.1" | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{F99BD4F5-D402-4c21-A8BC-510830B6BE37}\TypeLib\ = "{2B63B21A-4075-4298-A569-D8113F1D7045}" | regsvr32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  description | pid | process | target process
  PID 3068 wrote to memory of 4864 | 3068 | regsvr32.exe | regsvr32.exe
  PID 3068 wrote to memory of 4864 | 3068 | regsvr32.exe | regsvr32.exe
  PID 3068 wrote to memory of 4864 | 3068 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe (PID: 3068)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\89d73afdd2133a0c365bcc1f24bb666a19723442b1abbd91fca0d8ee2b5f7b0a.dll
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\regsvr32.exe (PID: 4864)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\89d73afdd2133a0c365bcc1f24bb666a19723442b1abbd91fca0d8ee2b5f7b0a.dll
    Signatures:
    - Registers COM server for autorun
    - Installs/modifies Browser Helper Object
    - Modifies registry class