Analysis

max time kernel: 155s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/01/2024, 16:06
Static task: static1

Behavioral task: behavioral1
Sample: c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe
Resource: win10v2004-20231215-en
General

Target: c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe
Size: 1.8MB
MD5: 484901e343c982220a2c760b8da4781b
SHA1: 2e871c57b4f60e320ed77ca6e433ce39bbf1bb58
SHA256: c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502
SHA512: 1780bc66883a136db41a0338a6faf8f8d77b3cbb68447a67225ce8c4a760a47b4b3883a61c76cbed2ef1e0af633775b53d43ac2671924c8224a9b4ebb322e94e
SSDEEP: 49152:7ItlVkJK8F4pELtTjGN5J5PwMcMSHG5QeCmZB7bx5jMA+S3kuksd:ktlVkJK8F4pELtPGN5J5PwMcMSwQe9vL
Malware Config
Signatures

Loads dropped DLL (1 IoC)
pid | Process
1760 | regsvr32.exe

Modifies registry class (43 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\FLAGS | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\haoi.dt | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\haoi.dt\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\//\CurVer\ = "haoi.dt" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haoi.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\InprocServer32\ThreadingModel = "both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\//\CurVer | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\ = "dt Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\ = "haoi" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\haoi.dt\ = "dt Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\//\// | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\FLAGS\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\//\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ = "Idt" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib\ = "{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\// | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\TypeLib\ = "{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68420D8D-7631-4A60-8A49-D938D2A8562D}\ = "Idt" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3759DFF2-9A3E-435D-8EE1-29B93B8F0DA2}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haoi.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\haoi.dt\CLSID\ = "{27814197-307B-4ED8-BF3F-AE0A178F020A}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\//\CLSID\ = "{27814197-307B-4ED8-BF3F-AE0A178F020A}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\ProgID\ = "haoi.dt" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27814197-307B-4ED8-BF3F-AE0A178F020A}\VersionIndependentProgID\ = "haoi.dt" | regsvr32.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2076 | c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe
2076 | c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe
2076 | c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe
2076 | c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2076 wrote to memory of 3404 | 2076 | c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe | 91
PID 2076 wrote to memory of 3404 | 2076 | c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe | 91
PID 2076 wrote to memory of 3404 | 2076 | c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe | 91
PID 2076 wrote to memory of 1760 | 2076 | c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe | 92
PID 2076 wrote to memory of 1760 | 2076 | c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe | 92
PID 2076 wrote to memory of 1760 | 2076 | c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c651c9afa76082e3a45c8f4f5a2498f01b5e73f6ae4ee54e4df9b57cc17b8502.exe"
  PID: 2076
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s haoi.dll
    PID: 3404

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s haoi.dll
    PID: 1760
    - Loads dropped DLL
    - Modifies registry class
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 160KB
MD5: 203cd4ec29a18f1c8a1ddefadc3f7382
SHA1: 47a4072edf7c4530d4e86b84cbe5118e277de543
SHA256: 566086537066d3ff72167f09adc2522ac72d24da0601e7966367a8a85802a121
SHA512: 28fb3cf0d811f35c387bb666070ce5b6422401e59d0748e420c246efcf7f3ecbe6ee938242d7e93103083e9b45590abe0e864e540b953bd3c4f3949b3d579a19