Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 16:46
Static task: static1
Behavioral task: behavioral1
- Sample: 75016c7b700abe6cba6192b6c8f28023.dll
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 75016c7b700abe6cba6192b6c8f28023.dll
- Resource: win10v2004-20231215-en
General
- Target: 75016c7b700abe6cba6192b6c8f28023.dll
- Size: 162KB
- MD5: 75016c7b700abe6cba6192b6c8f28023
- SHA1: c5521cdde5c8d92d82ee8f65b37dbe0358774cff
- SHA256: 48a1c1598c22ac9cc542a860bca6a36b1a17bbbad7fdbd67f009eeb897ed1990
- SHA512: 6bbe0ba7e33b5234fa78040bd44986cad5266d58798722ca4352ef8281e5d796674b8e596bab075d4a4cc17334b4269f1d143f86ee9e36a05760ed8a63953eed
- SSDEEP: 3072:rUMvX9XPrDLGo2XddB6DUHiNbEpvQTes8eHxjnkeLJIyMv56wy:rUM/9XPrDKo2zUlBEpzmxjnpLJaQ5
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes: regsvr32.exe
Description | IOC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{00196dde-8657-9586-5bdd-5616756dd9c2} = "C:\\Windows\\System32\\Rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\75016c7b700abe6cba6192b6c8f28023.dll\" DllStub" | regsvr32.exe
- Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: regsvr32.exe
Description | IOC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3b82d43b-f32a-aa55-e46f-b6536e06edfc}\NoExplorer = "\"\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3b82d43b-f32a-aa55-e46f-b6536e06edfc} | regsvr32.exe
- Modifies registry class (5 IoCs)
Processes: regsvr32.exe
Description | IOC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b82d43b-f32a-aa55-e46f-b6536e06edfc} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b82d43b-f32a-aa55-e46f-b6536e06edfc}\ = "agadoo browser enhancer" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b82d43b-f32a-aa55-e46f-b6536e06edfc}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b82d43b-f32a-aa55-e46f-b6536e06edfc}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\75016c7b700abe6cba6192b6c8f28023.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3b82d43b-f32a-aa55-e46f-b6536e06edfc}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe
Description | PID | Process | Target process
PID 1752 wrote to memory of 1056 | 1752 | regsvr32.exe | regsvr32.exe
PID 1752 wrote to memory of 1056 | 1752 | regsvr32.exe | regsvr32.exe
PID 1752 wrote to memory of 1056 | 1752 | regsvr32.exe | regsvr32.exe
PID 1752 wrote to memory of 1056 | 1752 | regsvr32.exe | regsvr32.exe
PID 1752 wrote to memory of 1056 | 1752 | regsvr32.exe | regsvr32.exe
PID 1752 wrote to memory of 1056 | 1752 | regsvr32.exe | regsvr32.exe
PID 1752 wrote to memory of 1056 | 1752 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\75016c7b700abe6cba6192b6c8f28023.dll
  PID: 1752
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\75016c7b700abe6cba6192b6c8f28023.dll
    PID: 1056
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Modifies registry class