Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2023 14:58
Static task: static1
Behavioral task: behavioral1
- Sample: 02a093c3fe495b1a1dbcee6793868bf0.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 02a093c3fe495b1a1dbcee6793868bf0.exe
- Resource: win10v2004-20231215-en
General
- Target: 02a093c3fe495b1a1dbcee6793868bf0.exe
- Size: 198KB
- MD5: 02a093c3fe495b1a1dbcee6793868bf0
- SHA1: e36b4cb29ecd00f79f20a5b59db11504b58055ca
- SHA256: a9a09261d1119645f45596d1c354af3603ff979d07ccf7a49630326322d6e9e5
- SHA512: 10bee08b1724f25b6e175679c944bbafe2dc7c1c13ea5c55a7f4d6a0098380865bb4f74d17a323b623b446558a5ce0a64992c725f97648d88d4c9493fdded4a1
- SSDEEP: 3072:ry+mrh42ya4kcFoWZHlWzzXGOJlBpPlPlUGVa0Th+7dUchBYp:rSrh42xcTHlrMXRlPH+7dd
Malware Config
Signatures
- Sets file execution options in registry (2 TTPs, 3 IoCs)
  A Debugger value under Image File Execution Options makes Windows start the named program whenever the listed executable is launched, a well-known persistence technique.
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger | 02a093c3fe495b1a1dbcee6793868bf0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\Windows\\system32\\ctfmon_lr.exe" | regsvr32.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | 02a093c3fe495b1a1dbcee6793868bf0.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2180 | regsvr32.exe
- Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3EF6552-D4A2-3BBC-9272-8A743BEF479D}\IExplore = "1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3EF6552-D4A2-3BBC-9272-8A743BEF479D} | regsvr32.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\dq29073.dll | 02a093c3fe495b1a1dbcee6793868bf0.exe
  File created | C:\Windows\SysWOW64\ctfmon_lr.exe | regsvr32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (41 IoCs)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3668 wrote to memory of 2180 | 3668 | 02a093c3fe495b1a1dbcee6793868bf0.exe | 91
  PID 3668 wrote to memory of 2180 | 3668 | 02a093c3fe495b1a1dbcee6793868bf0.exe | 91
  PID 3668 wrote to memory of 2180 | 3668 | 02a093c3fe495b1a1dbcee6793868bf0.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\02a093c3fe495b1a1dbcee6793868bf0.exe (PID 3668)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02a093c3fe495b1a1dbcee6793868bf0.exe"
  - Sets file execution options in registry
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 2180)
    Command line: "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\dq29073.dll
    - Sets file execution options in registry
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 192KB
  MD5: 17a6400999dc2e020e2a3378a7abd945
  SHA1: 58b7c2a0684c204cecd5fb778736caae06e7cfde
  SHA256: 2d865ea3d9f3a65bc8ccacb6bcb6c5ffff3ba717b56d6b2092ff03fe3eb70926
  SHA512: 3e1b6f7728bd421308856d5984327df56886ba7be972a61aa157d157357704048931e1171bfed20be42f3e66a21830a19aca3ebede9cecfaa6dd8d4df162eca4