Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
29/11/2022, 17:37
Static task
static1
Behavioral task
behavioral1
Sample
5af9fec9424eadfa4f8226dff7d19ffda593ab44c0c7acec457b807661b1392b.dll
Resource
win7-20221111-en
windows7-x64
4 signatures
150 seconds
General
-
Target
5af9fec9424eadfa4f8226dff7d19ffda593ab44c0c7acec457b807661b1392b.dll
-
Size
221KB
-
MD5
91d0e542a3a54f1cfd414a9325f6fa7f
-
SHA1
725027c1c6f5023314dcadb43ee5c54e403fb992
-
SHA256
5af9fec9424eadfa4f8226dff7d19ffda593ab44c0c7acec457b807661b1392b
-
SHA512
b4e34bd74761d70966f1d94baf51aaf50908879a67f3bb099e5ac384b06273a7df26c599f0574f6795e7b438291fd3e5942b7830c6aca0b63317f4cbc416540e
-
SSDEEP
1536:6yiyRGXp9u/wArd89lKcSlQ4nJyRMeJ/wfBRJlkfEZy0TvN6k81baplyjF:6yirXW/Drd8ZE4MGwbz0G6kaaplq
Malware Config
Signatures
-
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe -
Modifies registry class 42 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ = "IIEHlprObj" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\ = "{AB705628-B25B-491B-A6BF-4A46FDDBC88E}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\ = "IEHelper 1.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{AB705622-B25B-491B-A6BF-4A46FDDBC88E}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5af9fec9424eadfa4f8226dff7d19ffda593ab44c0c7acec457b807661b1392b.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ = "IIEHlprObj" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ProgID\ = "IEHlprObj.IEHlprObj.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\ = "{AB705628-B25B-491B-A6BF-4A46FDDBC88E}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5af9fec9424eadfa4f8226dff7d19ffda593ab44c0c7acec457b807661b1392b.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ = "IEHlprObj Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0 regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4092 regsvr32.exe 4092 regsvr32.exe 4092 regsvr32.exe 4092 regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1376 wrote to memory of 4092 1376 regsvr32.exe 82 PID 1376 wrote to memory of 4092 1376 regsvr32.exe 82 PID 1376 wrote to memory of 4092 1376 regsvr32.exe 82
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\5af9fec9424eadfa4f8226dff7d19ffda593ab44c0c7acec457b807661b1392b.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\5af9fec9424eadfa4f8226dff7d19ffda593ab44c0c7acec457b807661b1392b.dll2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4092
-