Analysis
-
max time kernel
119s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
31-12-2023 13:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
37fdc34bf5557249b2ef05905f92bf2c.dll
Resource
win7-20231215-en
windows7-x64
3 signatures
150 seconds
General
-
Target
37fdc34bf5557249b2ef05905f92bf2c.dll
-
Size
388KB
-
MD5
37fdc34bf5557249b2ef05905f92bf2c
-
SHA1
1bcf00a4aa514d3598890c0615fd0c36a99663ed
-
SHA256
d8435d720adb6275c34579558fb64556c4b419088eaf329a44be0b8028dec021
-
SHA512
e274913b19ebfb190a2cb8e63ed15a4840e23a5af764b3da5fdb4a5fb17db5e789846a8ef0953be285c0ecbc2460ba57fc11f7d0c1d95858d07795785ffa3080
-
SSDEEP
6144:E9/tX6ReGeGeGeCQ7YgYgYgYLSqSqSqSQcSqSqSqSjwVn+kHZmPs:otTgkfHZ
Malware Config
Signatures
-
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D83E84DA-D187-4300-B5D7-727727352096} regsvr32.exe -
Modifies registry class 60 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ = "_IBhoEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\ProgID\ = "ZoooGoo" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ = "_IBhoEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ = "IBho" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoooGoo regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZoooGoo\ = "HACK.SPY" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\ = "Type Library" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37fdc34bf5557249b2ef05905f92bf2c.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoooGoo\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ = "IBho" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho\CurVer\ = "ZoooGoo" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\ = "HACK.SPY" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho\ = "HACK.SPY" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\VersionIndependentProgID\ = "ucjs0l.Bho" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37FDC3~1.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZoooGoo\CLSID\ = "{D83E84DA-D187-4300-B5D7-727727352096}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho\CLSID\ = "{D83E84DA-D187-4300-B5D7-727727352096}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ProxyStubClsid32 regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2812 2156 regsvr32.exe 28 PID 2156 wrote to memory of 2812 2156 regsvr32.exe 28 PID 2156 wrote to memory of 2812 2156 regsvr32.exe 28 PID 2156 wrote to memory of 2812 2156 regsvr32.exe 28 PID 2156 wrote to memory of 2812 2156 regsvr32.exe 28 PID 2156 wrote to memory of 2812 2156 regsvr32.exe 28 PID 2156 wrote to memory of 2812 2156 regsvr32.exe 28
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\37fdc34bf5557249b2ef05905f92bf2c.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\37fdc34bf5557249b2ef05905f92bf2c.dll2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2812
-