Analysis
-
max time kernel
96s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
29-11-2022 07:34
Behavioral task
behavioral1
Sample
fd1a6384883f2c2cd586656b504e36d948bc40c47701877b25e0d7aa0cef135c.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
fd1a6384883f2c2cd586656b504e36d948bc40c47701877b25e0d7aa0cef135c.dll
Resource
win10v2004-20220812-en
General
-
Target
fd1a6384883f2c2cd586656b504e36d948bc40c47701877b25e0d7aa0cef135c.dll
-
Size
587KB
-
MD5
15979045343f876be259fa8082b133c4
-
SHA1
ff74fc79ffc9c380cdccbefe3fe1791f446389ec
-
SHA256
fd1a6384883f2c2cd586656b504e36d948bc40c47701877b25e0d7aa0cef135c
-
SHA512
b251e50d5dd63c3c433b5160f0d266c12aa670636fca9a35796b5cff18340cdd602ef8871f2cfd10f9a4d96fb0fcf54e34f9d5202bec626f4cc052a48c00144e
-
SSDEEP
12288:y4SMpJcv7N0Zx4OXkXZ1g4KNWRPSqZ6bHo6k:dJczN4x4OCZPKQRubIx
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1888 regsvr32mgr.exe -
UPX-packed file 5 IoCs (YARA rule `upx` matched on the three dropped .dat files and on two memory dumps of regsvr32mgr.exe, PID 1888)
resource yara_rule behavioral1/files/0x000c0000000054a8-57.dat upx behavioral1/files/0x000c0000000054a8-58.dat upx behavioral1/files/0x000c0000000054a8-60.dat upx behavioral1/memory/1888-63-0x0000000000400000-0x0000000000456000-memory.dmp upx behavioral1/memory/1888-64-0x0000000000400000-0x0000000000456000-memory.dmp upx -
Loads dropped DLL 2 IoCs
pid Process 608 regsvr32.exe 608 regsvr32.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe (the 32-bit regsvr32.exe, PID 608, writes a new executable into the 32-bit system directory under a name that resembles the legitimate regsvr32.exe; this is the binary later run as PID 1888) -
Modifies Internet Explorer settings (all of the following registry IoCs are written under the user hive by iexplore.exe / IEXPLORE.EXE)
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3D3E58F1-70AE-11ED-93F0-EAF6071D98F9} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 
2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet 
Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3D3E31E1-70AE-11ED-93F0-EAF6071D98F9} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376577902" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1888 regsvr32mgr.exe 1888 regsvr32mgr.exe 1888 regsvr32mgr.exe 1888 regsvr32mgr.exe 1888 regsvr32mgr.exe 1888 regsvr32mgr.exe 1888 regsvr32mgr.exe 1888 regsvr32mgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1888 regsvr32mgr.exe (SeDebugPrivilege allows a process to open handles to processes it does not own; its acquisition by regsvr32mgr.exe is recorded alongside the process enumeration and cross-process memory writes listed below) -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1496 iexplore.exe 1448 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1496 iexplore.exe 1496 iexplore.exe 1448 iexplore.exe 1448 iexplore.exe 1444 IEXPLORE.EXE 1444 IEXPLORE.EXE 1400 IEXPLORE.EXE 1400 IEXPLORE.EXE 1444 IEXPLORE.EXE 1444 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 27 IoCs (the table below groups into: regsvr32.exe 1280 → regsvr32.exe 608; regsvr32.exe 608 → regsvr32mgr.exe 1888; regsvr32mgr.exe 1888 → iexplore.exe 1448 and 1496; and each iexplore.exe → its IEXPLORE.EXE child. The first group is the 64-bit regsvr32.exe handing a 32-bit DLL to its SysWOW64 counterpart, and the last two are typical of IE spawning its content process; the writes from regsvr32mgr.exe into two iexplore.exe processes it has just created are the ones consistent with process injection and should be triaged first)
description pid Process procid_target PID 1280 wrote to memory of 608 1280 regsvr32.exe 28 PID 1280 wrote to memory of 608 1280 regsvr32.exe 28 PID 1280 wrote to memory of 608 1280 regsvr32.exe 28 PID 1280 wrote to memory of 608 1280 regsvr32.exe 28 PID 1280 wrote to memory of 608 1280 regsvr32.exe 28 PID 1280 wrote to memory of 608 1280 regsvr32.exe 28 PID 1280 wrote to memory of 608 1280 regsvr32.exe 28 PID 608 wrote to memory of 1888 608 regsvr32.exe 29 PID 608 wrote to memory of 1888 608 regsvr32.exe 29 PID 608 wrote to memory of 1888 608 regsvr32.exe 29 PID 608 wrote to memory of 1888 608 regsvr32.exe 29 PID 1888 wrote to memory of 1448 1888 regsvr32mgr.exe 30 PID 1888 wrote to memory of 1448 1888 regsvr32mgr.exe 30 PID 1888 wrote to memory of 1448 1888 regsvr32mgr.exe 30 PID 1888 wrote to memory of 1448 1888 regsvr32mgr.exe 30 PID 1888 wrote to memory of 1496 1888 regsvr32mgr.exe 31 PID 1888 wrote to memory of 1496 1888 regsvr32mgr.exe 31 PID 1888 wrote to memory of 1496 1888 regsvr32mgr.exe 31 PID 1888 wrote to memory of 1496 1888 regsvr32mgr.exe 31 PID 1448 wrote to memory of 1444 1448 iexplore.exe 33 PID 1448 wrote to memory of 1444 1448 iexplore.exe 33 PID 1448 wrote to memory of 1444 1448 iexplore.exe 33 PID 1448 wrote to memory of 1444 1448 iexplore.exe 33 PID 1496 wrote to memory of 1400 1496 iexplore.exe 34 PID 1496 wrote to memory of 1400 1496 iexplore.exe 34 PID 1496 wrote to memory of 1400 1496 iexplore.exe 34 PID 1496 wrote to memory of 1400 1496 iexplore.exe 34
Processes
-
C:\Windows\system32\regsvr32.exe — command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fd1a6384883f2c2cd586656b504e36d948bc40c47701877b25e0d7aa0cef135c.dll (tree depth 1)
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\regsvr32.exe — command line: /s C:\Users\Admin\AppData\Local\Temp\fd1a6384883f2c2cd586656b504e36d948bc40c47701877b25e0d7aa0cef135c.dll (tree depth 2)
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\regsvr32mgr.exe — command line: C:\Windows\SysWOW64\regsvr32mgr.exe (tree depth 3)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Program Files\Internet Explorer\iexplore.exe — command line: "C:\Program Files\Internet Explorer\iexplore.exe" (tree depth 4)
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE — command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:275457 /prefetch:2 (tree depth 5)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1444
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe — command line: "C:\Program Files\Internet Explorer\iexplore.exe" (tree depth 4)
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE — command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1496 CREDAT:275457 /prefetch:2 (tree depth 5)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1400
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3D3E31E1-70AE-11ED-93F0-EAF6071D98F9}.dat (appears to be Internet Explorer's own session-recovery store — the GUID matches the Recovery\AdminActive key set by iexplore.exe above — rather than a payload)
Filesize 5KB
MD5 532036adde3e751c688fd0d0dc548636
SHA1 22703038842b49e372cb73350f555a2956249753
SHA256 1170666dd6f4b2480779ff7496316e034be837c3fe4d8c57892d1041fb5be30d
SHA512 6e60daa182eb2c64b7d1366b8b2185e4c59468f246f664da476f395cdf5a661b658c6694a05f5e95cbd3ea6f0e9e7401176973a2524591ff09e9abc39b9e5f2b
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3D3E58F1-70AE-11ED-93F0-EAF6071D98F9}.dat (appears to be Internet Explorer's own session-recovery store — the GUID matches the Recovery\AdminActive key set by iexplore.exe above — rather than a payload)
Filesize 3KB
MD5 5e32c935057a31e223384b6e5ba238da
SHA1 476e884296b1d2a6bc7e417fb36e9aa8a7ad73d5
SHA256 6c4bb6ac0c15ad50294d3a1d1ca9756dc3e6098a38f81dece1902c525d9b6f4e
SHA512 9d291ec5a384741be0bb0c6f27f79a729e9bae5fdb9612dd3db66bea86749937fa0fd725058b03c43c626fdc0a4cca42633b37a28e6b3efbf2c51ed4efaf682e
-
Filesize
603B
MD5 ab62a029c38574633ab94fde3a7ac6c2
SHA1 8a394c77c608144f0b046e2611ddd1df45390e46
SHA256 af74597aa5858bd36b782fd883a82ce3ec542e7d3887c54a95a429b083c7c103
SHA512 cd4a6f2d7732aeb041e3b8a2901bd4e97bb71c7db8d9e6c90013095ddff8ba80bf0bfeb06e2b2520fe62132239058b6b2392e7203d79fa1ae876f772507a3c94
-
Filesize
104KB
MD5 84b7783804fa7506672a409e9899c6be
SHA1 2da8a6e9c04662564e18cdf98f73e224a5662533
SHA256 b26a93c17ac6a412c6c191aa6a1543537f3185fe813c24153c6dec736fbad4ef
SHA512 8a867296b05f45dd79ab64b11b6cc0cc8fad835b2f5ba9b8469981cc9b3e15c91f98b688cbe7addfab7ea2bd55a1d475fc853c004afb24be1b5691f8183c897c
-
Filesize
104KB
MD5 84b7783804fa7506672a409e9899c6be
SHA1 2da8a6e9c04662564e18cdf98f73e224a5662533
SHA256 b26a93c17ac6a412c6c191aa6a1543537f3185fe813c24153c6dec736fbad4ef
SHA512 8a867296b05f45dd79ab64b11b6cc0cc8fad835b2f5ba9b8469981cc9b3e15c91f98b688cbe7addfab7ea2bd55a1d475fc853c004afb24be1b5691f8183c897c
-
Filesize
104KB
MD5 84b7783804fa7506672a409e9899c6be
SHA1 2da8a6e9c04662564e18cdf98f73e224a5662533
SHA256 b26a93c17ac6a412c6c191aa6a1543537f3185fe813c24153c6dec736fbad4ef
SHA512 8a867296b05f45dd79ab64b11b6cc0cc8fad835b2f5ba9b8469981cc9b3e15c91f98b688cbe7addfab7ea2bd55a1d475fc853c004afb24be1b5691f8183c897c