Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/01/2024, 22:26
Static task: static1
Behavioral task: behavioral1
- Sample: 3f2e5dc1577272631b4aab78a69c9773.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 3f2e5dc1577272631b4aab78a69c9773.exe
- Resource: win10v2004-20231215-en
General
- Target: 3f2e5dc1577272631b4aab78a69c9773.exe
- Size: 444KB
- MD5: 3f2e5dc1577272631b4aab78a69c9773
- SHA1: 833dca8aefccc77225dd33ae4d455da1c99bf87e
- SHA256: dec9ce65ecb493235ee4eb870ba1300e0a4f5aba4b762f3b1b22cf5001b77ca3
- SHA512: e33d0d9c61e0d382c8f38fef52a321563d72d49ccb8705111c0eba380e5e64ec04d413353d86ebcb1a365ccda79183cf0bbb9164a6644c826c3030e9cd758d0b
- SSDEEP: 12288:mxTNNB1ZaeBLKwThUrYkPYPzIeyKTYG9UNjwvHKctfI5+CK0:EXB1ZaeBv6VPYPvTP9+wf/tfO+C
Malware Config
Signatures
Blocklisted process makes network request (7 IoCs)
| flow | pid | Process      |
|------|-----|--------------|
| 21   | 824 | Rundll32.exe |
| 41   | 824 | Rundll32.exe |
| 58   | 824 | Rundll32.exe |
| 68   | 824 | Rundll32.exe |
| 77   | 824 | Rundll32.exe |
| 87   | 824 | Rundll32.exe |
| 94   | 824 | Rundll32.exe |
Executes dropped EXE (1 IoC)
| pid  | Process  |
|------|----------|
| 2460 | host.exe |
Loads dropped DLL (4 IoCs)
| pid  | Process      |
|------|--------------|
| 824  | Rundll32.exe |
| 2460 | host.exe     |
| 2460 | host.exe     |
| 2460 | host.exe     |
Adds Run key to start application (2 TTPs, 1 IoC)
| description     | ioc | Process |
|-----------------|-----|---------|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SmCtrlDrv = "C:\\Windows\\system32\\Rundll32.exe C:\\Windows\\system32\\impor.dll Start" | Rundll32.exe |
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules that Internet Explorer loads into its own process as plugins; registering one under this key gives the DLL code execution inside every IE session, which makes it a persistence mechanism as much as a browser extension.
| description | ioc | Process |
|-------------|-----|---------|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{489873CE-F3E1-44A3-8E89-04BE26BE4446} | host.exe |
Drops file in System32 directory (1 IoC)
| description  | ioc | Process |
|--------------|-----|---------|
| File created | C:\Windows\SysWOW64\impor.dll | 3f2e5dc1577272631b4aab78a69c9773.exe |
Drops file in Program Files directory (6 IoCs)
| description  | ioc | Process |
|--------------|-----|---------|
| File created | C:\Program Files (x86)\zzToolBar\ToolBand.dll | host.exe |
| File created | C:\Program Files (x86)\zzToolBar\Toolbar_bho.dll | host.exe |
| File created | C:\Program Files (x86)\zzToolBar\IP.dat | host.exe |
| File created | C:\Program Files (x86)\zzToolBar\SearchEngineConfig | host.exe |
| File created | C:\Program Files (x86)\zzToolBar\update.exe | host.exe |
| File created | C:\Program Files (x86)\zzToolBar\Uninstall.exe | host.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (1 IoC)
| resource | yara_rule |
|----------|-----------|
| behavioral2/files/0x00090000000231e3-8.dat | nsis_installer_1 |
Modifies Internet Explorer settings (2 IoCs)
| description      | ioc | Process |
|------------------|-----|---------|
| Key created      | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | host.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35} | host.exe |
Modifies registry class (64 IoCs)
| description     | ioc | Process |
|-----------------|-----|---------|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar\CurVer\ = "Toolbar_bho.IeToolbar.1" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\FLAGS | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\ = "IIeToolbar" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5297E901-1DF2-4A93-9874-A4F95FD58945}\1.0\FLAGS\ = "0" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.SearchObj\CLSID | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B92D91-8B72-4A13-A3F4-43113B4DBCA5}\TypeLib\ = "{5297E901-1DF2-4A93-9874-A4F95FD58945}" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E44E81E9-F0F4-45B9-8CAD-F1055C7A716B}\ = "ISuperLinkStatic" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar\CLSID | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E44E81E9-F0F4-45B9-8CAD-F1055C7A716B}\TypeLib | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35}\InprocServer32\ThreadingModel = "Apartment" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0 | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\TypeLib | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.SearchObj.1 | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.SearchObj\CLSID\ = "{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35}" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\VersionIndependentProgID | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5297E901-1DF2-4A93-9874-A4F95FD58945}\1.0\HELPDIR | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B92D91-8B72-4A13-A3F4-43113B4DBCA5} | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E44E81E9-F0F4-45B9-8CAD-F1055C7A716B}\TypeLib\ = "{5297E901-1DF2-4A93-9874-A4F95FD58945}" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\VersionIndependentProgID\ = "Toolbar_bho.IeToolbar" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.SearchObj.1\ = "网站排名工具条" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B92D91-8B72-4A13-A3F4-43113B4DBCA5}\ = "ISearchBarObj" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B92D91-8B72-4A13-A3F4-43113B4DBCA5}\TypeLib\Version = "1.0" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E44E81E9-F0F4-45B9-8CAD-F1055C7A716B}\ = "ISuperLinkStatic" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95B92D91-8B72-4A13-A3F4-43113B4DBCA5}\TypeLib | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar\CLSID\ = "{489873CE-F3E1-44A3-8E89-04BE26BE4446}" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\ = "网站排名工具条BHO" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\Programmable | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D} | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB} | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\TypeLib\ = "{065683C4-C71A-47F1-830B-7D9309D3913D}" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95B92D91-8B72-4A13-A3F4-43113B4DBCA5}\ = "ISearchBarObj" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E44E81E9-F0F4-45B9-8CAD-F1055C7A716B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\ProxyStubClsid32 | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.SearchObj | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5297E901-1DF2-4A93-9874-A4F95FD58945}\1.0\0 | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B92D91-8B72-4A13-A3F4-43113B4DBCA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.SearchObj.1\CLSID | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar.1\CLSID\ = "{489873CE-F3E1-44A3-8E89-04BE26BE4446}" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B92D91-8B72-4A13-A3F4-43113B4DBCA5}\ProxyStubClsid32 | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E44E81E9-F0F4-45B9-8CAD-F1055C7A716B}\ProxyStubClsid32 | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E44E81E9-F0F4-45B9-8CAD-F1055C7A716B}\ProxyStubClsid32 | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E44E81E9-F0F4-45B9-8CAD-F1055C7A716B}\TypeLib\Version = "1.0" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar_bho.IeToolbar | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95B92D91-8B72-4A13-A3F4-43113B4DBCA5}\TypeLib\Version = "1.0" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.SearchObj.1\CLSID\ = "{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35}" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35} | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E44E81E9-F0F4-45B9-8CAD-F1055C7A716B} | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{489873CE-F3E1-44A3-8E89-04BE26BE4446}\TypeLib | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\0 | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5297E901-1DF2-4A93-9874-A4F95FD58945} | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5297E901-1DF2-4A93-9874-A4F95FD58945}\1.0 | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\TypeLib\Version = "1.0" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.SearchObj\ = "网站排名工具条" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35}\ = "网站排名工具条" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35}\ProgID | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35}\Programmable | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5297E901-1DF2-4A93-9874-A4F95FD58945}\1.0\FLAGS | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95B92D91-8B72-4A13-A3F4-43113B4DBCA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SearchBar.SearchObj\CurVer\ = "SearchBar.SearchObj.1" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5297E901-1DF2-4A93-9874-A4F95FD58945}\1.0\0\win32 | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065683C4-C71A-47F1-830B-7D9309D3913D}\1.0\0\win32\ = "C:\\Program Files (x86)\\zzToolBar\\Toolbar_bho.dll" | host.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FF78EFD-0213-4A73-AC23-6A489190DBFB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35}\VersionIndependentProgID | host.exe |
| Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35}\InprocServer32 | host.exe |
The display-name values shown here as "网站排名工具条" are stored as GBK bytes and appeared in the raw report rendered through Latin-1 as "ÍøÕ¾ÅÅÃû¹¤¾ßÌõ"; decoded, the string means "Website Ranking Toolbar" (with "BHO" appended on the CLSID name of the Browser Helper Object). The entries register two COM objects: Toolbar_bho.IeToolbar (CLSID {489873CE-F3E1-44A3-8E89-04BE26BE4446}, the BHO, type library {065683C4-C71A-47F1-830B-7D9309D3913D} pointing at Toolbar_bho.dll) and SearchBar.SearchObj (CLSID {0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35}, the IE toolbar band, type library {5297E901-1DF2-4A93-9874-A4F95FD58945}).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
| pid  | Process  |
|------|----------|
| 2460 | host.exe |
| 2460 | host.exe |
Suspicious use of WriteProcessMemory (6 IoCs)
| description                     | pid  | Process                              | procid_target |
|---------------------------------|------|--------------------------------------|---------------|
| PID 2264 wrote to memory of 824  | 2264 | 3f2e5dc1577272631b4aab78a69c9773.exe | 15 |
| PID 2264 wrote to memory of 824  | 2264 | 3f2e5dc1577272631b4aab78a69c9773.exe | 15 |
| PID 2264 wrote to memory of 824  | 2264 | 3f2e5dc1577272631b4aab78a69c9773.exe | 15 |
| PID 2264 wrote to memory of 2460 | 2264 | 3f2e5dc1577272631b4aab78a69c9773.exe | 16 |
| PID 2264 wrote to memory of 2460 | 2264 | 3f2e5dc1577272631b4aab78a69c9773.exe | 16 |
| PID 2264 wrote to memory of 2460 | 2264 | 3f2e5dc1577272631b4aab78a69c9773.exe | 16 |
Processes
C:\Users\Admin\AppData\Local\Temp\3f2e5dc1577272631b4aab78a69c9773.exe (PID 2264)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f2e5dc1577272631b4aab78a69c9773.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\Rundll32.exe (PID 824)
    Command line: C:\Windows\system32\Rundll32.exe C:\Windows\system32\impor.dll Start
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
  Child: C:\Users\Admin\AppData\Local\Temp\host.exe (PID 2460)
    Command line: "C:\Users\Admin\AppData\Local\Temp\\host.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
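The signatures above (Run-key persistence through rundll32, the BHO registration, the DLL drop into SysWOW64) and the parent/child pairs in the process tree translate directly into endpoint detections. The following is an added example and not part of the sandbox report: it encodes those signatures as rules over Sysmon-style events and runs them on records constructed from this report's own IoCs. Field names follow Sysmon's (Image, ParentImage, TargetObject, Details, TargetFilename); the registry paths use Sysmon's HKLM form rather than the raw NT path the report prints; the benign control event and the rule names are assumptions made for illustration.

```python
"""Detection rules derived from the sandbox report's IoCs (added example).

SAMPLE_EVENTS are constructed Sysmon-style records (EID 1 process create,
EID 11 file create, EID 12 registry key create, EID 13 registry value set)
built from the report's IoCs; PIDs and paths are the report's, everything
else is assumed for illustration.
"""
import re
from collections import defaultdict

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUNDLL32 = re.compile(r"(^|\\)rundll32\.exe$", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
BHO_KEY = re.compile(r"\\Explorer\\Browser Helper Objects\\\{[0-9A-F-]{36}\}$", re.I)
RUNDLL_PAYLOAD = re.compile(r"rundll32\.exe\b.*\.dll", re.I)

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 824, "ParentProcessId": 2264,
     "Image": r"C:\Windows\SysWOW64\Rundll32.exe",
     "CommandLine": r"C:\Windows\system32\Rundll32.exe C:\Windows\system32\impor.dll Start",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\3f2e5dc1577272631b4aab78a69c9773.exe"},
    {"EventID": 1, "ProcessId": 2460, "ParentProcessId": 2264,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\host.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\Temp\\host.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\3f2e5dc1577272631b4aab78a69c9773.exe"},
    {"EventID": 11, "ProcessId": 2264,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\3f2e5dc1577272631b4aab78a69c9773.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\impor.dll"},
    {"EventID": 13, "ProcessId": 824, "Image": r"C:\Windows\SysWOW64\Rundll32.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SmCtrlDrv",
     "Details": r"C:\Windows\system32\Rundll32.exe C:\Windows\system32\impor.dll Start"},
    {"EventID": 12, "ProcessId": 2460, "Image": r"C:\Users\Admin\AppData\Local\Temp\host.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer"
                     r"\Browser Helper Objects\{489873CE-F3E1-44A3-8E89-04BE26BE4446}"},
    # constructed benign control: Explorer launching the browser normally
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4000,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "iexplore.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def check_event(ev):
    """Return a list of (rule_name, detail) hits for one event."""
    hits = []
    eid = ev["EventID"]
    if eid == 1:
        image, parent = ev["Image"], ev["ParentImage"]
        # rundll32 started by something running out of the user's Temp dir
        if RUNDLL32.search(image) and TEMP_DIR.search(parent):
            hits.append(("rundll32_from_temp_parent", ev["CommandLine"]))
        # a dropped executable in Temp started by a parent also in Temp
        if TEMP_DIR.search(image) and TEMP_DIR.search(parent):
            hits.append(("temp_exe_spawns_temp_exe", image))
    elif eid == 11:
        # a process running from Temp writes into the system directory
        if SYSTEM_DIR.match(ev["TargetFilename"]) and TEMP_DIR.search(ev["Image"]):
            hits.append(("temp_process_drops_in_system_dir", ev["TargetFilename"]))
    elif eid == 13:
        # Run-key persistence whose payload is rundll32 plus a DLL
        key, data = ev["TargetObject"], ev.get("Details", "")
        if RUN_KEY.search(key) and RUNDLL_PAYLOAD.search(data):
            hits.append(("run_key_rundll32_payload", f"{key} = {data}"))
    elif eid == 12:
        # new Browser Helper Object registration (IE plugin persistence)
        if BHO_KEY.search(ev["TargetObject"]):
            hits.append(("bho_registered", ev["TargetObject"]))
    return hits


def scan(events):
    """Run every event through check_event; return (pid, rule, detail) tuples."""
    return [(ev["ProcessId"], rule, detail)
            for ev in events for rule, detail in check_event(ev)]


def triggered_rules(events):
    """Sorted set of rule names that fired over the event stream."""
    return sorted({rule for _, rule, _ in scan(events)})


def process_tree(events):
    """Parent PID -> child images from EID 1 events; the report's
    WriteProcessMemory rows are the same parent/child pairs."""
    tree = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 1:
            tree[ev["ParentProcessId"]].append(ev["Image"])
    return dict(tree)


if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"pid {pid:<5} {rule:<33} {detail}")
    for parent, children in process_tree(SAMPLE_EVENTS).items():
        print(f"{parent} -> {children}")
```

The rules key on where the parent ran from rather than on the file names impor.dll and host.exe, which is what survives when the next build of this sample renames its droppings. Sysmon only emits EID 12/13 for registry paths its configuration includes, so a real deployment needs the Run and Browser Helper Objects keys in the RegistryEvent include list, and EID 11 needs a rule covering System32 and SysWOW64.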
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
  MD5: ada8fc21795d871f08b5d4274530c998
  SHA1: 6cc796c4e25752d091d3aec610b225675a0334a6
  SHA256: 28089ba7bef8126ff2fcf7153ea22ea89ce4e27743bf8b9bc59c9783b4e50e8b
  SHA512: 38e654784fa1060fcc15a19f0e40075a137702c1bd6cfe43f45c0c6a3ce13a4e065b5ae56063e265f8ec3c6ed7712a8b25fec7a960e220a24353d45d65bfa70f
- Filesize: 113KB
  MD5: da93f7f100ab0666b8732cb7b2039d60
  SHA1: 9faf42ec2861e04d881f3e9ce4d24c8080237c13
  SHA256: 7100af51580516e2a8af29e91d7216e9c129d5a6670b94aa246d5fbb95e0f5f3
  SHA512: 626e9c4d6c820455043c4b331d0f3551a3c893456bb225498b199b0ca753997e7fa6a0aaa466a0c3f9df9ec6731ae4231e24112e17981288ccea8631c1e488e0
- Filesize: 35KB
  MD5: 2cfba79d485cf441c646dd40d82490fc
  SHA1: 83e51ac1115a50986ed456bd18729653018b9619
  SHA256: 86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7
  SHA512: cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043
- Filesize: 1KB
  MD5: 8270f3b892511a3098021147c7d7e387
  SHA1: c93351b328a42e7e3794289478991eee7d585fef
  SHA256: ab5e58df2359d916cbaedeb557cd9526004d01b06d38379c2063cde0b8528f41
  SHA512: 995854e7a25ad2be513af04c8a756646ae77cf39d9eb645cc7809faa9f85335e89f61e32a545e6ecb85c2fb75a5594cb2eaf47305b94cfa56a82cf9f0335d878