Analysis

- max time kernel: 152s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/02/2024, 21:53
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 8aa0c81d85cd15b6295dc749662c47b1.exe
  - Resource: win7-20231215-en
- Behavioral task: behavioral2
  - Sample: 8aa0c81d85cd15b6295dc749662c47b1.exe
  - Resource: win10v2004-20231215-en

General

- Target: 8aa0c81d85cd15b6295dc749662c47b1.exe
- Size: 351KB
- MD5: 8aa0c81d85cd15b6295dc749662c47b1
- SHA1: 76280cd27184645b1f6cc4b91e0382e1af642b87
- SHA256: 8bea8d31f0bcf44ca920cfc577355bc889d79187e41593a3420c9d2aa27464f7
- SHA512: 2dc24809a521a5a472b0a9bce79d2e48eb02ac19b68f6827c984e40d03424e6c02d5249624ff1f944af2905547a51d0a1a33800d4fcea344b27364c675d8d45c
- SSDEEP: 6144:wbwOQj1Culcg/vOyOY1Sa7MUfA5aaRIxL09cpUTqs/J94JET3O+jNTOMy9Mg:wbwOQBx/TOrqMVKL09cqJzECe+hOMy9p

Malware Config
Signatures
Modifies AppInit DLL entries (2 TTPs)

Loads dropped DLL (1 IoC)
- PID 3672: 8aa0c81d85cd15b6295dc749662c47b1.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Process: 8aa0c81d85cd15b6295dc749662c47b1.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Help Service = "C:\\Windows\\SYSTEM32\\winhelp32.exe"

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Process: 8aa0c81d85cd15b6295dc749662c47b1.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "myiebho"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\NoExplorer = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}

Drops file in System32 directory (16 IoCs)
Process: 8aa0c81d85cd15b6295dc749662c47b1.exe
- File created: C:\Windows\SysWOW64\vmmreg32.dll
- File created: C:\Windows\SysWOW64\VIDEO.sys
- File created: C:\Windows\SysWOW64\dpcr.zip
- File created: C:\Windows\SysWOW64\clrs.tmp
- File opened for modification: C:\Windows\SysWOW64\ver19144-890258183.txt
- File created: C:\Windows\SysWOW64\rrs.zip
- File created: C:\Windows\SysWOW64\run.3.reg
- File created: C:\Windows\SysWOW64\run.5.reg
- File created: C:\Windows\SysWOW64\webmin\VIDEO.bkp
- File created: C:\Windows\SysWOW64\winhelp32.exe
- File created: C:\Windows\SysWOW64\run.4.reg
- File created: C:\Windows\SysWOW64\run.1.reg
- File created: C:\Windows\SysWOW64\run.2.reg
- File opened for modification: C:\Windows\SysWOW64\vmmreg32.dll
- File opened for modification: C:\Windows\SysWOW64\log.txt
- File created: C:\Windows\SysWOW64\run.0.reg

Suspicious use of SetThreadContext (1 IoC)
- PID 392 (8aa0c81d85cd15b6295dc749662c47b1.exe) set thread context of PID 3672 (procid_target 85)

Drops file in Windows directory (5 IoCs)
Process: 8aa0c81d85cd15b6295dc749662c47b1.exe
- File created: C:\Windows\kwvrm.cfg
- File created: C:\Windows\kwv.cfg
- File opened for modification: C:\Windows\kwv.cfg
- File created: C:\Windows\krvm.cfg
- File opened for modification: C:\Windows\kwvrm.cfg

Modifies registry class (46 IoCs)
Process: 8aa0c81d85cd15b6295dc749662c47b1.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID\ = "MSS.bar"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.dll
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\ = "Windows Update Monitor bar"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\vmmreg32.dll"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\Version = "1.0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\ = "Windows Update Monitor bar"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ProxyStubClsid32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\0\win32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\VersionIndependentProgID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CurVer\ = "MSS.bar.1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\vmmreg32.dll\AppID = "{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\FLAGS\ = "0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\HELPDIR\ = "%SystemRoot%\\system32"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\ = "Imyiebho"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7DD26FD-C8E3-4FC3-EFC1-A22A105C1407}\ = "IEBHO"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ = "Windows Update Monitor bar"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\InprocServer32\ = "%SystemRoot%\\SysWow64\\vmmreg32.dll"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\ProgID\ = "MSS.bar.1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID\ = "{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho\CLSID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1\CLSID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{403538F6-2E9B-8125-6803-A744610BC3AC}\TypeLib\ = "{E1451945-AE2E-C356-B18F-6FDD0B100081}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C6E1044-DBF1-EDB3-57BB-D40A130EA5BD}\Programmable
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\IEBHO.myiebho.1
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1451945-AE2E-C356-B18F-6FDD0B100081}\1.0\ = "Windows Update Monitor 2.1 Type Library"

Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 3672: 8aa0c81d85cd15b6295dc749662c47b1.exe (12 occurrences)

Suspicious behavior: LoadsDriver (1 IoC)
- PID 664: Process not Found

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeBackupPrivilege, PID 3672 (8aa0c81d85cd15b6295dc749662c47b1.exe)
- Token: SeDebugPrivilege, PID 3672 (8aa0c81d85cd15b6295dc749662c47b1.exe)

Suspicious use of WriteProcessMemory (5 IoCs)
- PID 392 (8aa0c81d85cd15b6295dc749662c47b1.exe) wrote to memory of PID 3672 (procid_target 85), 5 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe"
   PID: 392
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. (child) C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe
      PID: 3672
      - Loads dropped DLL
      - Adds Run key to start application
      - Installs/modifies Browser Helper Object
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads