Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
42s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
29/11/2022, 17:35
Static task
static1
Behavioral task
behavioral1
Sample
c96289c934c9aa070cbcf18a7edd7729c643141cf87ad7a5a8a7e544e81d0662.dll
Resource
win7-20220812-en
windows7-x64
4 signatures
150 seconds
General
-
Target
c96289c934c9aa070cbcf18a7edd7729c643141cf87ad7a5a8a7e544e81d0662.dll
-
Size
276KB
-
MD5
0b17f0f5398171c1b321e7af0c8cbeb0
-
SHA1
5d7b930d7a361a8c8e74d21db026ac77410c9e22
-
SHA256
c96289c934c9aa070cbcf18a7edd7729c643141cf87ad7a5a8a7e544e81d0662
-
SHA512
59ff05b2b07382e8f5cfc30fc38a74c7b7e10d2b24c9cd4285d6c3eb7d5791364888c8d35b12fd680a54120bbb0eca35c07c79774606775111796e3a3c6a8851
-
SSDEEP
3072:pWyhqXInG1kGvy30o/VPF/Z6MaCttBZ1RlpALK:pWy44nG1kGKRFxVa+19wK
Malware Config
Signatures
-
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe -
Modifies registry class 42 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{AB705622-B25B-491B-A6BF-4A46FDDBC88E}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ = "IEHlprObj Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ProgID\ = "IEHlprObj.IEHlprObj.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c96289c934c9aa070cbcf18a7edd7729c643141cf87ad7a5a8a7e544e81d0662.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\ = "{AB705628-B25B-491B-A6BF-4A46FDDBC88E}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0\win32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\ = "{AB705628-B25B-491B-A6BF-4A46FDDBC88E}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ = "IIEHlprObj" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\ = "IEHelper 1.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c96289c934c9aa070cbcf18a7edd7729c643141cf87ad7a5a8a7e544e81d0662.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ = "IIEHlprObj" regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 896 regsvr32.exe 896 regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 752 wrote to memory of 896 752 regsvr32.exe 27 PID 752 wrote to memory of 896 752 regsvr32.exe 27 PID 752 wrote to memory of 896 752 regsvr32.exe 27 PID 752 wrote to memory of 896 752 regsvr32.exe 27 PID 752 wrote to memory of 896 752 regsvr32.exe 27 PID 752 wrote to memory of 896 752 regsvr32.exe 27 PID 752 wrote to memory of 896 752 regsvr32.exe 27
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\c96289c934c9aa070cbcf18a7edd7729c643141cf87ad7a5a8a7e544e81d0662.dll1⤵
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\c96289c934c9aa070cbcf18a7edd7729c643141cf87ad7a5a8a7e544e81d0662.dll2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:896
-