8189a26f6dd7cdd3413d5136998a886135ddae1e2b052232457627f1dae50efd

Analysis

max time kernel
137s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

582da3ba348b78220805d801b6d2cdeb.exe
Size

42KB
MD5

582da3ba348b78220805d801b6d2cdeb
SHA1

003e9ec78589dbc5c365cf0a2f9aac13ac087cda
SHA256

8189a26f6dd7cdd3413d5136998a886135ddae1e2b052232457627f1dae50efd
SHA512

2f2ccc8d516c61d06740284890896110df867310be78dc914760b3fed22833fc65d478dd61c48fc1ba1ea6c2eba98538a421da4fdd1ff67656296d4ca56f2c56
SSDEEP

768:omv1AfVOs9Lm1BS4GwVmueZvxFnUvwxejJ3GKM7IhUa+GIueroKs8b+4eMOL626:oigVOu4GwVcvUIwjJ3Gj7IhUaXIuUViC

Score

7^/10

persistence upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3420	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/824-0-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/memory/824-7-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll\Impersonate = "0"	582da3ba348b78220805d801b6d2cdeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll\Startup = "EventStartup"	582da3ba348b78220805d801b6d2cdeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll	582da3ba348b78220805d801b6d2cdeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	582da3ba348b78220805d801b6d2cdeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll\DllName = "fly9797.dll"	582da3ba348b78220805d801b6d2cdeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll\Asynchronous = "1"	582da3ba348b78220805d801b6d2cdeb.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\flyplug.dll	582da3ba348b78220805d801b6d2cdeb.exe
File created	C:\Windows\SysWOW64\fly9797.dll	582da3ba348b78220805d801b6d2cdeb.exe
File created	C:\Windows\SysWOW64\dllcache\fly9797.dll	582da3ba348b78220805d801b6d2cdeb.exe
File created	C:\Windows\SysWOW64\flymain9797.dll	582da3ba348b78220805d801b6d2cdeb.exe
File created	C:\Windows\SysWOW64\dllcache\flymain9797.dll	582da3ba348b78220805d801b6d2cdeb.exe
File created	C:\Windows\SysWOW64\flymain.dll	582da3ba348b78220805d801b6d2cdeb.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "°Ù¶È"	582da3ba348b78220805d801b6d2cdeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=bdwxl_5007032ahm_pg&ie=utf-8"	582da3ba348b78220805d801b6d2cdeb.exe

Modifies registry class 43 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\flyplug.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control\CLSID\ = "{7138527F-430B-45B0-B164-9AA396644263}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\ProgID\ = "My.Control.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{7138527F-430B-45B0-B164-9AA396644263}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control.1\ = "Control Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ = "IControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib\ = "{34B90EED-B1AB-42A9-BA14-F8825153F575}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\ = "ÓÒ¼ü²å¼þ 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\HELPDIR\ = "C:\\Windows\\System32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\ = "Control Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ = "IControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\VersionIndependentProgID\ = "My.Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib\ = "{34B90EED-B1AB-42A9-BA14-F8825153F575}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{7138527F-430B-45B0-B164-9AA396644263}\ = "{7138527F-430B-45B0-B164-9AA396644263}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control.1\CLSID\ = "{7138527F-430B-45B0-B164-9AA396644263}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control\ = "Control Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\InprocServer32\ = "C:\\Windows\\SysWow64\\flyplug.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
824	582da3ba348b78220805d801b6d2cdeb.exe
824	582da3ba348b78220805d801b6d2cdeb.exe
824	582da3ba348b78220805d801b6d2cdeb.exe
824	582da3ba348b78220805d801b6d2cdeb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
824	582da3ba348b78220805d801b6d2cdeb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 3420	824	582da3ba348b78220805d801b6d2cdeb.exe	93
PID 824 wrote to memory of 3420	824	582da3ba348b78220805d801b6d2cdeb.exe	93
PID 824 wrote to memory of 3420	824	582da3ba348b78220805d801b6d2cdeb.exe	93
PID 824 wrote to memory of 3388	824	582da3ba348b78220805d801b6d2cdeb.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\582da3ba348b78220805d801b6d2cdeb.exe
  "C:\Users\Admin\AppData\Local\Temp\582da3ba348b78220805d801b6d2cdeb.exe"
  2⤵
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\System32\flyplug.dll
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\flyplug.dll

Filesize
56KB

MD5
569319e985fb4e871e3111d1e03e4312

SHA1
bf278da43091d950122b8a02cacaf902a7df1648

SHA256
6ac956bfda09977764a9a01c5fc2cf353d193af768b6b6a818cadafe0637762d

SHA512
8984476bb57da2fd48e9f9d07c5d34252e73d6328c888089b0073c1dba3657e576024834a7427818c00a05bb5c1fad8c9bdf6b94a79e5665c824beb3a340b35b

Download Submit
memory/824-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/824-7-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download