Analysis
max time kernel: 44s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 06:19
Static task: static1
Behavioral task: behavioral1
Sample: 871357d68fada12059eba4ebd097a3c0050624879a631270da74d09a10b86d99.exe
Resource: win7-20220901-en
General
Target: 871357d68fada12059eba4ebd097a3c0050624879a631270da74d09a10b86d99.exe
Size: 148KB
MD5: 36ff9e1a03ac2902cd1278ad30481ba9
SHA1: 7f2898a0745499668a1d3b7a29650c4e0015fa27
SHA256: 871357d68fada12059eba4ebd097a3c0050624879a631270da74d09a10b86d99
SHA512: 5d3bfc2c9ad0f3f07b6d832ee39a20615191b8113bfc6020c576565d8851cca0b34cbd4bdf1495cbe5cac5d94d71b7c0662e0db12fa475276460a878360ed13a
SSDEEP: 3072:wDh380BMyJ1sizw4LiFjv7rveixfuHgmT0LeahNcnmhCGs:V0bPzw4Wjv7TzAHRZahNym0
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
Processes:
resource: \Windows\SysWOW64\msxml71.dll | yara_rule: acprotect
Processes:
resource: \Windows\SysWOW64\msxml71.dll | yara_rule: upx
Loads dropped DLL (1 IoC)
Processes:
pid: 1388 | process: 871357d68fada12059eba4ebd097a3c0050624879a631270da74d09a10b86d99.exe
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes (all entries by 871357d68fada12059eba4ebd097a3c0050624879a631270da74d09a10b86d99.exe):
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML module"
Drops file in System32 directory (1 IoC)
Processes (entry by 871357d68fada12059eba4ebd097a3c0050624879a631270da74d09a10b86d99.exe):
File created | C:\Windows\SysWOW64\msxml71.dll
Modifies registry class (27 IoCs)
Processes (all 27 entries by 871357d68fada12059eba4ebd097a3c0050624879a631270da74d09a10b86d99.exe):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib\ = "{5D2631E5-8696-7543-50B2-F674CD4308EB}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5D2631E5-8696-7543-50B2-F674CD4308EB}\.0
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ = "C:\\Windows\\SysWow64\\msxml71.dll"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\ = "XML Class"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CurVer\ = "XML.XML.1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5D2631E5-8696-7543-50B2-F674CD4308EB}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\ = "XML Class"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID\ = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5D2631E5-8696-7543-50B2-F674CD4308EB}\.0\ = "C:\\Windows\\SysWow64\\msxml71.dll"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32\ThreadingModel = "Apartment"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID\ = "XML.XML"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Install = "OK"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID\ = "XML.XML.1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML\CLSID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ = "XML Class"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5D2631E5-8696-7543-50B2-F674CD4308EB}\.0\ = "XML Library"
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid: 1388 | process: 871357d68fada12059eba4ebd097a3c0050624879a631270da74d09a10b86d99.exe
Processes
C:\Users\Admin\AppData\Local\Temp\871357d68fada12059eba4ebd097a3c0050624879a631270da74d09a10b86d99.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\871357d68fada12059eba4ebd097a3c0050624879a631270da74d09a10b86d99.exe"
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Windows\SysWOW64\msxml71.dll
Filesize: 116KB
MD5: d6b4f88092ddc8e1086e1b3f5265f9dc
SHA1: 97345d87f5895e4a078e12525e0d2955f4c89ef2
SHA256: df47bc32943b8284d8aebd4e0da64cbeb668c0768b7c96fccfd191c84e7439cc
SHA512: 726d600aa0806cd6b51878ccc9b7663f33c4b5f92863194951d9c99d0f22285a1e9b43639c9dfeb887e5a6136f63931d5d6ae0316191d77bf50ef41a5b7be84c

memory/1388-54-0x0000000075711000-0x0000000075713000-memory.dmp
Filesize: 8KB