Analysis Overview
SHA256
97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
Threat Level: Known bad
The file overcontrolling.tmp was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Program crash
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-12-20 20:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-20 20:09
Reported
2022-12-20 20:12
Platform
win7-20220812-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000002712bbb714d901 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\overcontrolling.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1664 -s 136
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x140
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {9E175B8B-F52A-11D8-B9A5-505054503030} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\rundll32.exe
rundll32 overcontrolling.dll init
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | estrabornhot.com | udp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
Files
memory/1972-54-0x0000000000000000-mapping.dmp
memory/1928-55-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp
memory/1528-56-0x0000000001660000-0x0000000001670000-memory.dmp
memory/1528-72-0x0000000001760000-0x0000000001770000-memory.dmp
memory/1528-88-0x00000000011B0000-0x00000000011B8000-memory.dmp
memory/1528-91-0x00000000011B0000-0x00000000011B8000-memory.dmp
memory/1528-92-0x0000000002B90000-0x0000000002B98000-memory.dmp
memory/1644-93-0x0000000000000000-mapping.dmp
memory/1076-94-0x0000000000000000-mapping.dmp
memory/1224-95-0x0000000000000000-mapping.dmp
memory/1744-97-0x0000000000000000-mapping.dmp
memory/1744-98-0x0000000000120000-0x0000000000129000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-20 20:09
Reported
2022-12-20 20:40
Platform
win10v2004-20221111-en
Max time kernel
1542s
Max time network
1580s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\overcontrolling.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4136 -ip 4136
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4136 -s 372
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 104.80.225.205:443 | tcp |