Analysis

max time kernel: 163s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 29-11-2022 05:57
Behavioral task: behavioral1
Sample: 89de5e56f2ff532995dcba9dca189a7426d569bd0f7c524c5209800c80ba445f.dll
Resource: win7-20220812-en
Platform: windows7-x64
Signatures: 4
Run time: 150 seconds
General

Target: 89de5e56f2ff532995dcba9dca189a7426d569bd0f7c524c5209800c80ba445f.dll
Size: 65KB
MD5: 616e76c0d3df4a3f5664b7de7b314f0c
SHA1: e3d580eeab98b16154adc71daf762778c1c6d6b0
SHA256: 89de5e56f2ff532995dcba9dca189a7426d569bd0f7c524c5209800c80ba445f
SHA512: f01f98cbf18ce6e4f02baad8bcb47b7c7ce1c3f0f2ac27b4c5ac9b8b59a7247036a319534f197ec5f6e292725096c5a516d8d1c77ae42279dda8e33aec741ba5
SSDEEP: 1536:7MwOseGSxyRgwjfFcVG2DYmOkHttDi7Hnh/3QgE8qd0JS:773SxEPcVG2DGUq7H9fEv9
Malware Config

Signatures

Processes:
  resource | yara_rule
  behavioral2/memory/1572-133-0x0000000010000000-0x000000001002F000-memory.dmp | upx

Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{938A8A03-A938-4019-B764-03FF8D167D79} | rundll32.exe

Modifies registry class (4 IoCs)
Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79} | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32 | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89de5e56f2ff532995dcba9dca189a7426d569bd0f7c524c5209800c80ba445f.dll" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32\ThreadingModel = "Both" | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description | pid | process | target process
  PID 1432 wrote to memory of 1572 | 1432 | rundll32.exe | rundll32.exe
  PID 1432 wrote to memory of 1572 | 1432 | rundll32.exe | rundll32.exe
  PID 1432 wrote to memory of 1572 | 1432 | rundll32.exe | rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\89de5e56f2ff532995dcba9dca189a7426d569bd0f7c524c5209800c80ba445f.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\89de5e56f2ff532995dcba9dca189a7426d569bd0f7c524c5209800c80ba445f.dll,#1
      - Installs/modifies Browser Helper Object
      - Modifies registry class