Analysis
- max time kernel: 40s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 05:59

Static task: static1
Behavioral task: behavioral1
- Sample: 899c1a8c84639fa28d43d448a92f63a1676f799dc49650bbf9aed89d8c2718d7.dll
- Resource: win7-20220812-en (windows7-x64)
- Result: 3 signatures, 150 seconds
General
- Target: 899c1a8c84639fa28d43d448a92f63a1676f799dc49650bbf9aed89d8c2718d7.dll
- Size: 628KB
- MD5: 5d9b85907ce965d3b2bae2b800ad8490
- SHA1: 93f621b08ec30a81603bebacb30ed73482096740
- SHA256: 899c1a8c84639fa28d43d448a92f63a1676f799dc49650bbf9aed89d8c2718d7
- SHA512: 01f4cd64202b334ef2de4f87ccbbf5e9e481d07040d07e1a81d90e4f70df482c0bef9eaf34792067431e3569a9bcdbd75560e4c9b7dac5fe3142c9b8928e8156
- SSDEEP: 12288:ey/QjSBRIKYS7+1hoAZBsnNkCDmrtpwPvr5QYfnscTFo5Hgj:dYGBR0S7+1h3ZmnybtpwPidcT
Malware Config
Signatures

- Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes: regsvr32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D73CA3E-3151-4A45-93C7-90BE943D3166} | regsvr32.exe

- Modifies registry class (5 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D73CA3E-3151-4A45-93C7-90BE943D3166}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D73CA3E-3151-4A45-93C7-90BE943D3166} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D73CA3E-3151-4A45-93C7-90BE943D3166}\ | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D73CA3E-3151-4A45-93C7-90BE943D3166}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D73CA3E-3151-4A45-93C7-90BE943D3166}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\899c1a8c84639fa28d43d448a92f63a1676f799dc49650bbf9aed89d8c2718d7.dll" | regsvr32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: regsvr32.exe
  description | pid | process | target process
  PID 368 wrote to memory of 1324 | 368 | regsvr32.exe | regsvr32.exe
  PID 368 wrote to memory of 1324 | 368 | regsvr32.exe | regsvr32.exe
  PID 368 wrote to memory of 1324 | 368 | regsvr32.exe | regsvr32.exe
  PID 368 wrote to memory of 1324 | 368 | regsvr32.exe | regsvr32.exe
  PID 368 wrote to memory of 1324 | 368 | regsvr32.exe | regsvr32.exe
  PID 368 wrote to memory of 1324 | 368 | regsvr32.exe | regsvr32.exe
  PID 368 wrote to memory of 1324 | 368 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\899c1a8c84639fa28d43d448a92f63a1676f799dc49650bbf9aed89d8c2718d7.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (child process)
    command line: /s C:\Users\Admin\AppData\Local\Temp\899c1a8c84639fa28d43d448a92f63a1676f799dc49650bbf9aed89d8c2718d7.dll
    - Installs/modifies Browser Helper Object
    - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/368-54-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp (Filesize: 8KB)
- memory/1324-55-0x0000000000000000-mapping.dmp
- memory/1324-56-0x0000000075E81000-0x0000000075E83000-memory.dmp (Filesize: 8KB)
- memory/1324-57-0x0000000000AC0000-0x0000000000B66000-memory.dmp (Filesize: 664KB)