Analysis
- max time kernel: 43s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 01:21

Static task: static1

Behavioral task: behavioral1
- Sample: 09eb0a7c6089a1f2a4a3ea5d6740b35a.dll
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 09eb0a7c6089a1f2a4a3ea5d6740b35a.dll
- Resource: win10v2004-20231215-en
General
- Target: 09eb0a7c6089a1f2a4a3ea5d6740b35a.dll
- Size: 39KB
- MD5: 09eb0a7c6089a1f2a4a3ea5d6740b35a
- SHA1: c0d86622efb7217aa7974c6f82d9f4454cb6cabe
- SHA256: 8d5e46525daad8c60806cc97130bc73ad0533769bb5ed59d05209a9119449b4f
- SHA512: 301aa6cc9303083f7149909d4b33af182f5aec0348b81b65e9b403efd0b71a236a7628889dfe3e3748958689ea6166c9e64d043d3273d1abd109f9e898ea68dd
- SSDEEP: 768:3UVP+wH8TUrXUwYlwm1Rgg5MPZVAXuMsjDCpeti:3aWwH4UrXLY91Kg5MPoehDc6
Malware Config
Signatures

Loads dropped DLL 4 IoCs
pid | Process
- 2884 | rundll32.exe
- 2884 | rundll32.exe
- 2884 | rundll32.exe
- 2884 | rundll32.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sp = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\se.dll,DllInstall" | rundll32.exe
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4421D3C-5C00-40E6-B72E-FB5C66E291EA} | regsvr32.exe
Modifies Internet Explorer settings
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use Custom Search URL = "1" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Search | regsvr32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "res://C:\\Users\\Admin\\AppData\\Local\\Temp\\se.dll/sp.html" | regsvr32.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL = "1" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Bar = "res://C:\\Users\\Admin\\AppData\\Local\\Temp\\se.dll/sp.html" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "about:blank" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\New Windows | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "about:blank" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\New Windows\PopupMgr = "no" | regsvr32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\HOMEOldSP = "about:blank" | regsvr32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "about:blank" | regsvr32.exe
- Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\New Windows | regsvr32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\New Windows\PopupMgr = "no" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\HOMEOldSP = "about:blank" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use Search Asst = "no" | regsvr32.exe
- Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main | regsvr32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "about:blank" | regsvr32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "no" | regsvr32.exe
- Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Search | regsvr32.exe
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "about:blank" | regsvr32.exe
Modifies registry class 14 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3AF1863-BA08-4596-AF0D-4300DED464E2}\InProcServer32 | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{D3AF1863-BA08-4596-AF0D-4300DED464E2}" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4421D3C-5C00-40E6-B72E-FB5C66E291EA}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\09eb0a7c6089a1f2a4a3ea5d6740b35a.dll" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3AF1863-BA08-4596-AF0D-4300DED464E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\09eb0a7c6089a1f2a4a3ea5d6740b35a.dll" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3AF1863-BA08-4596-AF0D-4300DED464E2}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{D3AF1863-BA08-4596-AF0D-4300DED464E2}" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4421D3C-5C00-40E6-B72E-FB5C66E291EA}\InProcServer32 | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4421D3C-5C00-40E6-B72E-FB5C66E291EA}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4421D3C-5C00-40E6-B72E-FB5C66E291EA} | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3AF1863-BA08-4596-AF0D-4300DED464E2} | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain | regsvr32.exe
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
- PID 3044 wrote to memory of 804 | 3044 | regsvr32.exe | 16
- PID 3044 wrote to memory of 804 | 3044 | regsvr32.exe | 16
- PID 3044 wrote to memory of 804 | 3044 | regsvr32.exe | 16
- PID 3044 wrote to memory of 804 | 3044 | regsvr32.exe | 16
- PID 3044 wrote to memory of 804 | 3044 | regsvr32.exe | 16
- PID 3044 wrote to memory of 804 | 3044 | regsvr32.exe | 16
- PID 3044 wrote to memory of 804 | 3044 | regsvr32.exe | 16
- PID 804 wrote to memory of 2884 | 804 | regsvr32.exe | 29
- PID 804 wrote to memory of 2884 | 804 | regsvr32.exe | 29
- PID 804 wrote to memory of 2884 | 804 | regsvr32.exe | 29
- PID 804 wrote to memory of 2884 | 804 | regsvr32.exe | 29
- PID 804 wrote to memory of 2884 | 804 | regsvr32.exe | 29
- PID 804 wrote to memory of 2884 | 804 | regsvr32.exe | 29
- PID 804 wrote to memory of 2884 | 804 | regsvr32.exe | 29
Processes (process tree; indentation shows parent/child depth)

- C:\Windows\system32\regsvr32.exe (depth 1)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\09eb0a7c6089a1f2a4a3ea5d6740b35a.dll
  PID: 3044
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\regsvr32.exe (depth 2)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\09eb0a7c6089a1f2a4a3ea5d6740b35a.dll
    PID: 804
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\se.dll,DllInstall
      PID: 2884
      - Loads dropped DLL
      - Adds Run key to start application

Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 17KB
  MD5: 55f2f7cc1d7e0a9a09970c6f09bc050d
  SHA1: 977c94b036b103f87aae7a0355f7faafb8ec16f1
  SHA256: 028ef25259778101580251a142a26beee543475b76a9ee7b7f2f63a4a9738eee
  SHA512: e6ee32ca9fb9e5e92359b2a45bbf566af89a265acfddbe84c25494f3a3fdfe628a5366715b05a9e67e9dd4766209e19f4cc209c019b5a81cb7557bca85f3a196