Analysis
max time kernel: 37s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 07:46
Behavioral task: behavioral1
Sample: 74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll
Resource: win7-20220812-en (windows7-x64)
4 signatures, 150 seconds
General
Target: 74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll
Size: 85KB
MD5: a648b96d93ab645e27c556e321bad0ec
SHA1: 793556e21c76d9a54e336afd1a3b5608147a28f1
SHA256: 74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc
SHA512: 99865583bb2b43f00df145ceba52fcaf14449702c3454b0bf06a909a88374d6beeda05bf8273fb23952787a85befe592c265c1b983007b315bb3d639cc09ee5f
SSDEEP: 1536:ffNl7netQxMkCNkKoogQhnF11vlefT7UF:tlcGMvNhuQhnF11vlOU
Malware Config
Signatures
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
Process: regsvr32.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1451E202-0E77-416C-B1FA-4213912BFC2C}
Modifies registry class (42 IoCs)
Process: regsvr32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib\ = "{1451E208-0E77-416C-B1FA-4213912BFC2C}"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\ProgID
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\Programmable
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\0
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib\Version = "1.0"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ProxyStubClsid32
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\InprocServer32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\ProgID\ = "IEHlprObj.IEHlprObj.1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\ = "IEHlprObj Class"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\InprocServer32\ThreadingModel = "Apartment"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\ = "IEHelper 1.0 Type Library"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\FLAGS\ = "0"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\HELPDIR
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib\ = "{1451E208-0E77-416C-B1FA-4213912BFC2C}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ = "IIEHlprObj"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\TypeLib\Version = "1.0"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\FLAGS
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ = "IIEHlprObj"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1451E208-0E77-416C-B1FA-4213912BFC2C}\1.0\0\win32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\VersionIndependentProgID
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1451E202-0E77-416C-B1FA-4213912BFC2C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}\ProxyStubClsid32
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1451E201-0E77-416C-B1FA-4213912BFC2C}
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{1451E202-0E77-416C-B1FA-4213912BFC2C}"
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: regsvr32.exe
  PID 1620 regsvr32.exe
  PID 1620 regsvr32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Process: regsvr32.exe
  PID 1612 (regsvr32.exe) wrote to memory of PID 1620 (regsvr32.exe), 7 occurrences
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll
   PID: 1612
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (child of 1)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\74ad52618132da189cca34dff67e0379572df46882b3591a60b6ae66128c70cc.dll
      PID: 1620
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses