836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05/08/2023, 23:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe
Size

3.9MB
MD5

0ca9e08d8f678c91243e223dd0e5f02e
SHA1

87f5b77e3905e67ebb486311d659f854fedef20a
SHA256

836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc
SHA512

18748c08c8db965dae221666bb1e81e2fae39da73573d54a3b3a1b45ba891cc9a49b802e33b9830b2dd7691a1efe6bdfb191bb9c135c999737cbeb85c0582d45
SSDEEP

49152:B7bKIhAShxMIOjJv38NbR3bAIdxx74nyBDh6mSuCmTTEIw3kukCPo9fS:7MpjJ/8NbR3bxTF4ni+Qxb96

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2188	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe = "12000"	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe

Modifies registry class 43 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haoi.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\haoi.dt\ = "dt Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\//\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\//\CurVer\ = "haoi.dt"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\VersionIndependentProgID\ = "haoi.dt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ = "Idt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\//	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\//\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\ProgID\ = "haoi.dt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\//\//	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\//\CLSID\ = "{27814197-307B-4ED8-BF3F-AE0A178F020A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\haoi.dt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib\ = "{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haoi.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib\ = "{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ = "Idt"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\haoi.dt\CLSID\ = "{27814197-307B-4ED8-BF3F-AE0A178F020A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\ = "dt Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\ = "haoi"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\haoi.dt\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\ProgID	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe
2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe
2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe
2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe
2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2188	2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe	28
PID 2576 wrote to memory of 2188	2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe	28
PID 2576 wrote to memory of 2188	2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe	28
PID 2576 wrote to memory of 2188	2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe	28
PID 2576 wrote to memory of 2188	2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe	28
PID 2576 wrote to memory of 2188	2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe	28
PID 2576 wrote to memory of 2188	2576	836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe	28

C:\Users\Admin\AppData\Local\Temp\836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe
"C:\Users\Admin\AppData\Local\Temp\836354d10f9ec86a396a1b7e1640ddef79057ad49cdea843464375578b4ee3fc.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s haoi.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\haoi.dll

Filesize
160KB

MD5
203cd4ec29a18f1c8a1ddefadc3f7382

SHA1
47a4072edf7c4530d4e86b84cbe5118e277de543

SHA256
566086537066d3ff72167f09adc2522ac72d24da0601e7966367a8a85802a121

SHA512
28fb3cf0d811f35c387bb666070ce5b6422401e59d0748e420c246efcf7f3ecbe6ee938242d7e93103083e9b45590abe0e864e540b953bd3c4f3949b3d579a19

Download Submit
\Users\Admin\AppData\Local\Temp\haoi.dll

Filesize
160KB

MD5
203cd4ec29a18f1c8a1ddefadc3f7382

SHA1
47a4072edf7c4530d4e86b84cbe5118e277de543

SHA256
566086537066d3ff72167f09adc2522ac72d24da0601e7966367a8a85802a121

SHA512
28fb3cf0d811f35c387bb666070ce5b6422401e59d0748e420c246efcf7f3ecbe6ee938242d7e93103083e9b45590abe0e864e540b953bd3c4f3949b3d579a19

Download Submit