Analysis
-
max time kernel
141s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
02/02/2024, 22:07
Static task
static1
Behavioral task
behavioral1
Sample
ip.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ip.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
新云软件.url
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
新云软件.url
Resource
win10v2004-20231215-en
General
-
Target
ip.exe
-
Size
220KB
-
MD5
21811bf69882f5e2f215ad265f5abdae
-
SHA1
57242717e9dc894fda2375d070d59034f6c1e66c
-
SHA256
d89e6719b0d7a63d1c7a33ffab748a12f857f9686f1d6e24595e23bd512e6425
-
SHA512
7c7c116d68689fd48f3a60f6d6de0173c9cb235757cc215ea0f2076f50f5c5a8e93e1001b5676a952ad37a3df82dcb10c7a29394ac6429062babfecee21f17c5
-
SSDEEP
3072:zzwpCq0R1KID7qVLKSV0outMN5JTZQu4epojdkYv55RCezn/T81B+ySRdL:zzwpCLR1KMqLKSmoSyLTbP85RCezbwm
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3644 Update.exe -
Loads dropped DLL 3 IoCs
pid Process 4628 regsvr32.exe 1124 regsvr32.exe 1136 ip.exe -
resource yara_rule behavioral2/files/0x0006000000023243-7.dat upx behavioral2/memory/3644-8-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3644-15-0x0000000000400000-0x0000000000428000-memory.dmp upx -
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA68D} Update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA68D}\NoExplorer = "1" Update.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\MSINET.OCX ip.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\system\flash10.dll Update.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25 Update.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings Update.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category Update.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1 Update.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp Update.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25 Update.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25\Visible = "0" Update.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "FlashPlayer.Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\ = "Microsoft Internet Transfer Control 6.0 (SP6)" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\System" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\ = "Microsoft Internet Transfer Control 6.0 (SP6)" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\System\\flash10.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ = "_Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Implemented Categories regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control 6.0 (SP6)" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.Class\ = "FlashPlayer.Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "FlashPlayer.Class" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\ = "Internet Control URL Property Page Object" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS\ = "2" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR\ regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498} regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object" regsvr32.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2740BE0CB97A22380960230E8F45FE5ABB8BB501 ip.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2740BE0CB97A22380960230E8F45FE5ABB8BB501\Blob = 0300000001000000140000002740be0cb97a22380960230e8f45fe5abb8bb50120000000010000004e0200003082024a308201b3a0030201020210dcca5610c590c29b4e3072e09d524260300d06092a864886f70d01010405003030312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303039204341301e170d3939303933303136303030305a170d3336303731363136303030305a3030312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e67203230303920434130819f300d06092a864886f70d010101050003818d0030818902818100ac35c135556bfbe9aa23267d193307a3d21e3c3975848ed762eea3ac46b3c2f219ee14aaef982c692a53c3a930f5b96bed2665d352e97a4f466b46585a0badd07e8302cf2758082a709ccceda363371e975a3ddbd22c393f86838e8e28300db13ccb51b2a27362fa5704458d31700b7979c3f553daa841d25c1b80eba3055f350203010001a365306330610603551d01045a3058801012b5fcd50cba242caede5742b3d426fca1323030312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e6720323030392043418210dcca5610c590c29b4e3072e09d524260300d06092a864886f70d0101040500038181001ec29560ca4e3b696815d43a65d7d3c05fb597f979d8f31c07820b06ec6d72e199321111165afec24e065c7cfe436e07aaa1a7958a7d588bb6f072fed284984bf632390e0452bb49faaac5b7a19662fc15d3884e8c1ca2fd6401289183ecc161520c79e3ba53e1cc5fca9726cf8cd6f93efca2f5a63d91f80f6ab91df0fb9f24 ip.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1136 ip.exe 3644 Update.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1136 wrote to memory of 4628 1136 ip.exe 83 PID 1136 wrote to memory of 4628 1136 ip.exe 83 PID 1136 wrote to memory of 4628 1136 ip.exe 83 PID 1136 wrote to memory of 3644 1136 ip.exe 84 PID 1136 wrote to memory of 3644 1136 ip.exe 84 PID 1136 wrote to memory of 3644 1136 ip.exe 84 PID 3644 wrote to memory of 1124 3644 Update.exe 85 PID 3644 wrote to memory of 1124 3644 Update.exe 85 PID 3644 wrote to memory of 1124 3644 Update.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\ip.exe"C:\Users\Admin\AppData\Local\Temp\ip.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Windows\system32\MSINET.OCX"2⤵
- Loads dropped DLL
- Modifies registry class
PID:4628
-
-
C:\Users\Admin\AppData\Local\Temp\Update.exeC:\Users\Admin\AppData\Local\Temp\Update.exe2⤵
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\Common Files\System\flash10.dll"3⤵
- Loads dropped DLL
- Modifies registry class
PID:1124
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
111KB
MD50cfeace58c8dcd1f25563eb06abde248
SHA12ce3b78c1f7aa56f04f4d0703f6a92a413f6c852
SHA256405bc36e331f6a828a527ce71d3f195e472e551e109a1a9c258426fe03f719d9
SHA5129d1188dced20be101f1a480f40904575d8704c55b73d898232b4f761fadf0b6542a3c98976467a2de279587013b1b6bd6fe6820f806a2b2e3d7cea293f377e06
-
Filesize
49KB
MD52242ed5625415d45e82a0c52504ce648
SHA1236da61ec0c1a9beba1441024aa07d84e6672f23
SHA256c2df0e1046b8b8757e662abfad36f5554482a530cae7fda6695217a9b87b0bf2
SHA5124cafa5c70a4d50d1f0f0b0380baae17663cf9a84ff921035759ca5f17e6832d6676149162568392b7c2d5500e7c303a45537d4c878ae5334f8b627eb686ec789
-
Filesize
129KB
MD590a39346e9b67f132ef133725c487ff6
SHA19cd22933f628465c863bed7895d99395acaa5d2a
SHA256e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2
SHA5120337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf