Analysis
max time kernel: 141s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2024, 21:53
Static task: static1
Behavioral task: behavioral1
  Sample: 8aa0c81d85cd15b6295dc749662c47b1.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8aa0c81d85cd15b6295dc749662c47b1.exe
  Resource: win10v2004-20231215-en
General
Target: 8aa0c81d85cd15b6295dc749662c47b1.exe
Size: 351KB
MD5: 8aa0c81d85cd15b6295dc749662c47b1
SHA1: 76280cd27184645b1f6cc4b91e0382e1af642b87
SHA256: 8bea8d31f0bcf44ca920cfc577355bc889d79187e41593a3420c9d2aa27464f7
SHA512: 2dc24809a521a5a472b0a9bce79d2e48eb02ac19b68f6827c984e40d03424e6c02d5249624ff1f944af2905547a51d0a1a33800d4fcea344b27364c675d8d45c
SSDEEP: 6144:wbwOQj1Culcg/vOyOY1Sa7MUfA5aaRIxL09cpUTqs/J94JET3O+jNTOMy9Mg:wbwOQBx/TOrqMVKL09cqJzECe+hOMy9p
Malware Config
Signatures

Modifies AppInit DLL entries (2 TTPs)

Loads dropped DLL (1 IoCs)
pid | Process
2680 | 8aa0c81d85cd15b6295dc749662c47b1.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Help Service = "C:\\Windows\\SYSTEM32\\winhelp32.exe" | 8aa0c81d85cd15b6295dc749662c47b1.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "myiebho" | 8aa0c81d85cd15b6295dc749662c47b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\NoExplorer = "1" | 8aa0c81d85cd15b6295dc749662c47b1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD} | 8aa0c81d85cd15b6295dc749662c47b1.exe
Drops file in System32 directory (17 IoCs)
Process (all rows): 8aa0c81d85cd15b6295dc749662c47b1.exe
description | ioc
File opened for modification | C:\Windows\SysWOW64\ver19111-890258183.txt
File created | C:\Windows\SysWOW64\rrs.zip
File created | C:\Windows\SysWOW64\run.0.reg
File created | C:\Windows\SysWOW64\run.2.reg
File created | C:\Windows\SysWOW64\run.5.reg
File opened for modification | C:\Windows\SysWOW64\vmmreg32.dll
File opened for modification | C:\Windows\SysWOW64\log.txt
File created | C:\Windows\SysWOW64\webmin\vmmreg32.bkp
File created | C:\Windows\SysWOW64\run.1.reg
File created | C:\Windows\SysWOW64\run.3.reg
File created | C:\Windows\SysWOW64\vmmreg32.dll
File created | C:\Windows\SysWOW64\VIDEO.sys
File created | C:\Windows\SysWOW64\webmin\VIDEO.bkp
File created | C:\Windows\SysWOW64\run.4.reg
File created | C:\Windows\SysWOW64\dpcr.zip
File created | C:\Windows\SysWOW64\winhelp32.exe
File created | C:\Windows\SysWOW64\clrs.tmp
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2752 set thread context of 2680 | 2752 | 8aa0c81d85cd15b6295dc749662c47b1.exe | 29
Drops file in Windows directory (5 IoCs)
Process (all rows): 8aa0c81d85cd15b6295dc749662c47b1.exe
description | ioc
File created | C:\Windows\kwv.cfg
File opened for modification | C:\Windows\kwv.cfg
File created | C:\Windows\krvm.cfg
File opened for modification | C:\Windows\kwvrm.cfg
File created | C:\Windows\kwvrm.cfg
Modifies registry class (46 IoCs)
Process (all rows): 8aa0c81d85cd15b6295dc749662c47b1.exe
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.dll
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "Windows Update Monitor bar"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer\ = "MSS.bar.1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\ = "Windows Update Monitor bar"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\ = "Windows Update Monitor bar"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}\ = "IEBHO"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS\ = "0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\vmmreg32.dll"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.dll\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ThreadingModel = "Apartment"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID\ = "MSS.bar.1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ = "%SystemRoot%\\SysWow64\\vmmreg32.dll"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID\ = "MSS.bar"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\ = "Windows Update Monitor 2.1 Type Library"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR\ = "%SystemRoot%\\system32"
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2680 | 8aa0c81d85cd15b6295dc749662c47b1.exe (7 occurrences)

Suspicious behavior: LoadsDriver (1 IoCs)
pid | Process
464 | Process not Found

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 2680 | 8aa0c81d85cd15b6295dc749662c47b1.exe
Token: SeDebugPrivilege | 2680 | 8aa0c81d85cd15b6295dc749662c47b1.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2752 wrote to memory of 2680 | 2752 | 8aa0c81d85cd15b6295dc749662c47b1.exe | 29 (6 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe"
  PID: 2752
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe
    PID: 2680
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads