Analysis
-
max time kernel
119s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
13/10/2023, 20:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.97c127a9da16df3d1ac2936645232c40.dll
Resource
win7-20230831-en
windows7-x64
4 signatures
150 seconds
General
-
Target
NEAS.97c127a9da16df3d1ac2936645232c40.dll
-
Size
67KB
-
MD5
97c127a9da16df3d1ac2936645232c40
-
SHA1
6165a51959693291672c6f0fcb02fd37a103d936
-
SHA256
21a00f7726a032a887842d650fb1ce689a1d60b8a71ef0078b788cb063dac1ca
-
SHA512
34877a85e226d07a68c45ddc760fc3474e4c277ef7f1d4e2b34f87980234613c9e89fb78653dbd728dcc06274735bbd63276ba54e04050101f7286daa56c5def
-
SSDEEP
1536:xvTe+W6ilightyTi6pb39VENbPwFdBKDwpxtrsdHEd:xbhRwHtEiShqbPSJpxtN
Malware Config
Signatures
-
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe -
Modifies registry class 42 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\ = "{AB705628-B25B-491B-A6BF-4A46FDDBC88E}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ = "IEHlprObj Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.97c127a9da16df3d1ac2936645232c40.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ = "IIEHlprObj" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\ = "IEHelper 1.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0\win32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "IEHlprObj Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ = "IIEHlprObj" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib\ = "{AB705628-B25B-491B-A6BF-4A46FDDBC88E}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ProgID\ = "IEHlprObj.IEHlprObj.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.97c127a9da16df3d1ac2936645232c40.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{AB705622-B25B-491B-A6BF-4A46FDDBC88E}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2000 regsvr32.exe 2000 regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2292 wrote to memory of 2000 2292 regsvr32.exe 28 PID 2292 wrote to memory of 2000 2292 regsvr32.exe 28 PID 2292 wrote to memory of 2000 2292 regsvr32.exe 28 PID 2292 wrote to memory of 2000 2292 regsvr32.exe 28 PID 2292 wrote to memory of 2000 2292 regsvr32.exe 28 PID 2292 wrote to memory of 2000 2292 regsvr32.exe 28 PID 2292 wrote to memory of 2000 2292 regsvr32.exe 28
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\NEAS.97c127a9da16df3d1ac2936645232c40.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\NEAS.97c127a9da16df3d1ac2936645232c40.dll2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2000
-