Analysis

max time kernel:   145s
max time network:  146s
platform:          windows10-2004_x64
resource:          win10v2004-20231222-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted:         19-01-2024 06:48
Behavioral task

behavioral1
Sample:    66f6cc675747ea29354d217425461d2b.exe
Resource:  win7-20231215-en

The task listed here ran on the win7-20231215-en image, while the signatures, process IDs and memory dumps reported below (behavioral2/memory/..., resource win10v2004-20231222-en) come from the Windows 10 x64 run. The WOW6432Node and SysWOW64 paths quoted below belong to that 64-bit task.
General

Target:  66f6cc675747ea29354d217425461d2b.exe
Size:    80KB
MD5:     66f6cc675747ea29354d217425461d2b
SHA1:    fdf3bbcf4e6bed8bb1d2a720cc73dec79f1e847b
SHA256:  57f40bafc8fc1f0b3efee13c49382b43c651b13e1db7b3ea7a20bc6bd3f402b7
SHA512:  b8b977abbcb08f286971ceb1d467816121b030cb828113a63fa9e02ddffbedcceb93edc0ff4ad97a5e1b4bcffddb4153fca8fbe4cf07687034fbb34ffada5a6c
SSDEEP:  1536:FQLnySgPuHzpak7EuvFd/Et6pirwzHZj7vaaXK5OQleMS49lQAiL3E8ccl:FQLnyS9HRAcWeiAHZjjauK5OQl44pyc
Malware Config

(no configuration extracted)

Signatures
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.

  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  66f6cc675747ea29354d217425461d2b.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  regsvr32.exe

The second read is made by regsvr32.exe while it loads Mjcore.dll; regsvr32.exe itself has no reason to read this value, so the check lives in the dropped DLL's registration code as well as in the dropper. Whether the sample only fingerprints the host or also acts on the result (for example by aborting on a virtual-machine BIOS date) is not shown by this report.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.

  Key value queried  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation  66f6cc675747ea29354d217425461d2b.exe

Geo\Nation holds the GeoID of the location the user configured in Region settings, not anything derived from the network, so a sandbox with a different locale than this run (locale:en-us) may see different behaviour.
Loads dropped DLL (1 IoC)

  pid 3716  regsvr32.exe

UPX packed file (yara rule upx, 2 IoCs)

  behavioral2/memory/2356-0-0x0000000000400000-0x0000000000420000-memory.dmp  upx
  behavioral2/memory/2356-9-0x0000000000400000-0x0000000000420000-memory.dmp  upx

Both matches are on the dropper's own image region (pid 2356, 0x400000-0x420000) at two points during the run (dump indices 0 and 9), consistent with the 80KB file on disk being the UPX-packed form and the UPX stub staying resident in the mapped image.
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.

  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}  regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}\ = "HelloWorldBHO"  regsvr32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}\NoExplorer = "1"  regsvr32.exe

This is the persistence mechanism. Internet Explorer loads every CLSID listed under Browser Helper Objects at start-up, and this CLSID's InprocServer32 (see "Modifies registry class") points at C:\Program Files (x86)\Mjcore\Mjcore.dll. NoExplorer = 1 tells Windows Explorer (explorer.exe) not to load the object, so it runs inside IE only. The key sits under WOW6432Node, so it applies to 32-bit IE, matching the 32-bit regsvr32.exe from SysWOW64 that wrote it. The display name is the generic "HelloWorldBHO".
Drops file in Program Files directory (1 IoC)

  File opened for modification  C:\Program Files (x86)\Mjcore\Mjcore.dll  66f6cc675747ea29354d217425461d2b.exe

The DLL is written to the real C:\Program Files (x86) path (regsvr32.exe later loads it from there, so the write was not redirected to VirtualStore), which implies the dropper ran with administrative rights in this task.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.

  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        66f6cc675747ea29354d217425461d2b.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  66f6cc675747ea29354d217425461d2b.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        regsvr32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  regsvr32.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)

  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate  66f6cc675747ea29354d217425461d2b.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate  regsvr32.exe

Together with the SystemBiosDate and ~Mhz reads above, both the dropper and the DLL read the same three hardware-description values, a common set for telling a physical machine from a virtual one.
Modifies registry class (50 IoCs)

All 50 operations are performed by regsvr32.exe (pid 3716) while registering Mjcore.dll. They are grouped here by COM object rather than in event order; a trailing backslash on a value name denotes the key's default value, as in the original listing.

CLSID {D88E1558-7C2D-407A-953A-C044F5607CEA}  (under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA})
  Key created      (the CLSID key itself), InprocServer32, ProgID, VersionIndependentProgID, TypeLib, Programmable
  Set value (str)  \ = "Mjcore Class"
  Set value (str)  InprocServer32\ = "C:\\Program Files (x86)\\Mjcore\\Mjcore.dll"
  Set value (str)  InprocServer32\ThreadingModel = "Apartment"
  Set value (str)  ProgID\ = "BHO_MyJavaCore.Mjcore.1"
  Set value (str)  VersionIndependentProgID\ = "BHO_MyJavaCore.Mjcore"
  Set value (str)  TypeLib\ = "{E0F01490-DCF3-4357-95AA-169A8C2B2190}"

ProgIDs  (under \REGISTRY\MACHINE\SOFTWARE\Classes\)
  Key created      BHO_MyJavaCore.Mjcore, BHO_MyJavaCore.Mjcore\CLSID, BHO_MyJavaCore.Mjcore\CurVer
  Set value (str)  BHO_MyJavaCore.Mjcore\ = "Mjcore Class"
  Set value (str)  BHO_MyJavaCore.Mjcore\CLSID\ = "{D88E1558-7C2D-407A-953A-C044F5607CEA}"
  Set value (str)  BHO_MyJavaCore.Mjcore\CurVer\ = "BHO_MyJavaCore.Mjcore.1"
  Key created      BHO_MyJavaCore.Mjcore.1, BHO_MyJavaCore.Mjcore.1\CLSID
  Set value (str)  BHO_MyJavaCore.Mjcore.1\ = "Mjcore Class"
  Set value (str)  BHO_MyJavaCore.Mjcore.1\CLSID\ = "{D88E1558-7C2D-407A-953A-C044F5607CEA}"

TypeLib {E0F01490-DCF3-4357-95AA-169A8C2B2190}  (under \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190})
  Key created      (the TypeLib key itself), 1.0, 1.0\0, 1.0\0\win32, 1.0\FLAGS, 1.0\HELPDIR
  Set value (str)  1.0\ = "BHO_MyJavaCore 1.0 Type Library"
  Set value (str)  1.0\0\win32\ = "C:\\Program Files (x86)\\Mjcore\\Mjcore.dll"
  Set value (str)  1.0\FLAGS\ = "0"
  Set value (str)  1.0\HELPDIR\ = "C:\\Program Files (x86)\\Mjcore"

Interface {17E44256-51E0-4D46-A0C8-44E80AB4BA5B}  (written identically under \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\ and \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\)
  Key created      (the Interface key itself), ProxyStubClsid32, TypeLib
  Set value (str)  \ = "IMjcore"
  Set value (str)  ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str)  TypeLib\ = "{E0F01490-DCF3-4357-95AA-169A8C2B2190}"
  Set value (str)  TypeLib\Version = "1.0"

AppID  (under \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\)
  Key created      {80EF304A-B1C4-425C-8535-95AB6F1EEFB8}, BHO_MyJavaCore.DLL
  Set value (str)  {80EF304A-B1C4-425C-8535-95AB6F1EEFB8}\ = "BHO_MyJavaCore"
  Set value (str)  BHO_MyJavaCore.DLL\AppID = "{80EF304A-B1C4-425C-8535-95AB6F1EEFB8}"

This is the ordinary COM server registration written by the DLL's DllRegisterServer (ProxyStubClsid32 {00020424-0000-0000-C000-000000000046} is the type-library marshaler, and the ProgID/TypeLib/AppID set is what an ATL project emits). For detection and clean-up the entries that matter are InprocServer32, which names the DLL Internet Explorer will load, and the Browser Helper Objects key above, which makes IE load it. Deleting the BHO key alone leaves the class registered; deleting the BHO key plus the five groups above removes the object without running the DLL's own unregistration code.
Suspicious behavior: EnumeratesProcesses (10 IoCs)

  pid 2356  66f6cc675747ea29354d217425461d2b.exe  (10 occurrences)
Suspicious use of WriteProcessMemory (18 IoCs)

  PID 2356 wrote to memory of 4380  66f6cc675747ea29354d217425461d2b.exe  procid_target 89  (3 writes)
  PID 2356 wrote to memory of 4236  66f6cc675747ea29354d217425461d2b.exe  procid_target 91  (3 writes)
  PID 2356 wrote to memory of 4764  66f6cc675747ea29354d217425461d2b.exe  procid_target 93  (3 writes)
  PID 2356 wrote to memory of 3924  66f6cc675747ea29354d217425461d2b.exe  procid_target 95  (3 writes)
  PID 2356 wrote to memory of 1020  66f6cc675747ea29354d217425461d2b.exe  procid_target 97  (3 writes)
  PID 2356 wrote to memory of 3716  66f6cc675747ea29354d217425461d2b.exe  procid_target 98  (3 writes)

Every target is one of the six children the dropper creates (five cmd.exe instances and regsvr32.exe), with the same three writes per child, so this matches the writes that accompany process creation rather than injection into an unrelated process. No write into a pre-existing process is recorded in this run.
Processes

C:\Users\Admin\AppData\Local\Temp\66f6cc675747ea29354d217425461d2b.exe  (PID 2356)
  "C:\Users\Admin\AppData\Local\Temp\66f6cc675747ea29354d217425461d2b.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 4380)
    "C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Program Files (x86)\Insider\"

  C:\Windows\SysWOW64\cmd.exe  (PID 4236)
    "C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Program Files (x86)\Router\"

  C:\Windows\SysWOW64\cmd.exe  (PID 4764)
    "C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Program Files (x86)\JavaCore\"

  C:\Windows\SysWOW64\cmd.exe  (PID 3924)
    "C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Program Files (x86)\Eroca\"

  C:\Windows\SysWOW64\cmd.exe  (PID 1020)
    "C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Program Files (x86)\mjc\"

  C:\Windows\SysWOW64\regsvr32.exe  (PID 3716)
    regsvr32.exe /s "C:\Program Files (x86)\Mjcore\Mjcore.dll"
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class

The children are listed in creation order. The dropper first removes five directories under C:\Program Files (x86) (Insider, Router, JavaCore, Eroca, mjc), which looks like clearing out earlier installs of the same component under other names, and only then registers the freshly dropped Mjcore.dll. The command lines name C:\Windows\System32\cmd.exe, but the image that runs is C:\Windows\SysWOW64\cmd.exe: the dropper is a 32-bit process, so file-system redirection maps System32 to SysWOW64, and the regsvr32.exe it launches is the 32-bit one, which is why every class key lands under WOW6432Node. The /s switch suppresses the regsvr32 result dialog, so the user sees nothing.
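The process tree and the registry IoCs above translate directly into host-telemetry detections. What follows is an added example and not part of the sandbox report: a small Python detector run over a constructed, Sysmon-style event list that mirrors this report (process creations with parent PIDs, registry creates, sets and queries). The event schema and field names, the dropper's parent PID (1000) and the unrelated pid 999 are this example's own assumptions; the paths, CLSID and PIDs are taken from the report. It flags four things seen in this run: regsvr32 /s registering a DLL outside the Windows system directories, a CLSID written under Browser Helper Objects joined to its InprocServer32 path, a process reading two or more of the hardware-fingerprint values (SystemBiosDate, VideoBiosDate, ~Mhz), and a parent spawning several cmd /c rmdir /S /Q children under Program Files.

```python
"""Detections for the behaviour in this report, run over constructed Sysmon-style
events. EVENTS is hand-built from the report's process tree and registry IoCs and
is not the sandbox's raw telemetry (added example, not part of the report)."""
import re
from collections import defaultdict

def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

def reg(pid, op, key, value=None):
    return {"type": "registry", "pid": pid, "op": op, "key": key, "value": value}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\66f6cc675747ea29354d217425461d2b.exe"
BHO_CLSID = "{D88E1558-7C2D-407A-953A-C044F5607CEA}"
DLL = r"C:\Program Files (x86)\Mjcore\Mjcore.dll"
BHO_KEY = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID"
HW = r"HKLM\HARDWARE\DESCRIPTION\System"

EVENTS = [proc(2356, 1000, DROPPER, f'"{DROPPER}"')]  # parent pid 1000 is an assumption
for pid, d in [(4380, "Insider"), (4236, "Router"), (4764, "JavaCore"), (3924, "Eroca"), (1020, "mjc")]:
    EVENTS.append(proc(pid, 2356, r"C:\Windows\SysWOW64\cmd.exe",
                       f'"C:\\Windows\\System32\\cmd.exe" /c rmdir /S /Q "C:\\Program Files (x86)\\{d}\\"'))
EVENTS += [
    proc(3716, 2356, r"C:\Windows\SysWOW64\regsvr32.exe", f'regsvr32.exe /s "{DLL}"'),
    reg(3716, "CreateKey", f"{BHO_KEY}\\{BHO_CLSID}"),
    reg(3716, "SetValue", f"{BHO_KEY}\\{BHO_CLSID}\\NoExplorer", "1"),
    reg(3716, "SetValue", f"{CLSID_KEY}\\{BHO_CLSID}\\InprocServer32", DLL),
    # the same three hardware-fingerprint reads by the dropper and by the DLL inside regsvr32
    *[reg(p, "QueryValue", f"{HW}\\{v}") for p in (2356, 3716)
      for v in ("SystemBiosDate", "CentralProcessor\\0\\~Mhz", "VideoBiosDate")],
    reg(999, "QueryValue", f"{HW}\\SystemBiosDate"),  # unrelated process reading one key: must not fire
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
FINGERPRINT = {f"hardware\\description\\system\\{v}".lower()
               for v in ("SystemBiosDate", "VideoBiosDate", "CentralProcessor\\0\\~Mhz")}
BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-F-]{36}\})", re.I)
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32\\?$", re.I)
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)

def silent_regsvr32(events):
    """regsvr32 run with /s on a DLL that lives outside the Windows system directories."""
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\regsvr32.exe"):
            continue
        m = DLL_RE.search(e["cmdline"])
        if m and "/s" in e["cmdline"].lower().split():
            dll = m.group(1) or m.group(2)
            if not dll.lower().startswith(SYSTEM_DIRS):
                hits.append((e["pid"], dll))
    return hits

def bho_registrations(events):
    """CLSIDs written under Browser Helper Objects, joined to the DLL their InprocServer32 names."""
    inproc, bho = {}, {}
    for e in events:
        if e["type"] != "registry":
            continue
        m = INPROC_RE.search(e["key"])
        if m and e["op"] == "SetValue":
            inproc[m.group(1).upper()] = e["value"]
        m = BHO_RE.search(e["key"])
        if m:
            bho[m.group(1).upper()] = e["pid"]
    return {c: (pid, inproc.get(c)) for c, pid in bho.items()}

def sandbox_probes(events, min_keys=2):
    """Processes that read at least min_keys of the hardware-fingerprint values."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] == "registry" and e["op"] == "QueryValue":
            path = e["key"].split("\\", 1)[-1].lower()  # drop the hive prefix
            if path in FINGERPRINT:
                seen[e["pid"]].add(path)
    return {pid: sorted(k) for pid, k in seen.items() if len(k) >= min_keys}

def bulk_rmdir(events, min_children=3):
    """Parents that spawn several 'cmd /c rmdir /S /Q' children targeting Program Files."""
    counts = defaultdict(int)
    for e in events:
        c = e.get("cmdline", "").lower()
        if e["type"] == "process" and "rmdir /s /q" in c and "program files" in c:
            counts[e["ppid"]] += 1
    return {p: n for p, n in counts.items() if n >= min_children}

def detect(events):
    """All findings as one-line strings."""
    out = [f"pid {p}: silent regsvr32 of non-system DLL {d}" for p, d in silent_regsvr32(events)]
    out += [f"pid {p}: BHO {c} -> {d}" for c, (p, d) in bho_registrations(events).items()]
    out += [f"pid {p}: read {len(k)} hardware-fingerprint values" for p, k in sandbox_probes(events).items()]
    out += [f"pid {p}: deleted {n} Program Files directories via cmd /c rmdir" for p, n in bulk_rmdir(events).items()]
    return out

if __name__ == "__main__":
    print("\n".join(detect(EVENTS)))
```

The BHO rule joins two different keys (the Browser Helper Objects entry and the CLSID's InprocServer32) so that an alert carries the DLL path to quarantine, not just a GUID; the fingerprint rule needs two or more of the three values from one process, which is why the single SystemBiosDate read by pid 999 does not fire while both 2356 and 3716 do.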
Network
MITRE ATT&CK Enterprise v15
Downloads

File (name not given on this page)
Filesize:  112KB
MD5:       7ef8c70f20b40dc8f9802993ce7ea1d1
SHA1:      ee021a3e1abd2f162407a81d93a649e6c3aae346
SHA256:    e811a54532d4fb244372b498fcfd15380a216d96e9083e53cb0672b91cadb489
SHA512:    f7378158cb82234b393bf053a7a1ab6498dfc9a3b79299b735d3cfc3ace6db2b362a41bca9acf529f862cd73bd2d6260393b90021735a6847e3ca33ea206e11f