Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/02/2024, 22:55

General

  • Target

    $_5_.dll

  • Size

    282KB

  • MD5

    3f2d4a9f33af3e0d07158391f141fbac

  • SHA1

    49cafcca1de589fcf2906abf4d39769f36cd6e30

  • SHA256

    4af4544a7186f81c4a0b6a77eb25540824ab261bd75db18874003498a04edaa8

  • SHA512

    597896131750dd276d4d2c5ec84dffdad0d5c65507a18fd616ce841bb8ee3ec7ffcf27698b4f419a89d1805b796c675698945186202958edb977aadaf20a0650

  • SSDEEP

    6144:N1t6YbbVlodjTzW19I/4GJJ7ZFHEIFlN5GrT5a/q1hv4cbaiEjC2:N1tVbRqdLIIPJJ7wIFlN5GZOqv4cbXUV

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 5 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
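The two UPX signatures above are a static packer check on the DLL's PE headers. As an added example (not part of the sandbox report or its signature engine), the following Python builds three constructed, header-only PE images and applies the checks that separate stock UPX (UPX0/UPX1 section names, the "UPX!" magic) from a renamed or modified UPX build, where the first section has no raw data and the entry point sits in the section after it. The builder, the samples and the renamed-section heuristic are assumptions for illustration; the report's own sample is not embedded.

```python
import struct

# Constructed, header-only PE images for illustration; not the report's sample.
def build_pe(sections, entry_point, trailer=b""):
    """sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData)."""
    e_lfanew = 64
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)     # AddressOfEntryPoint
    raw_ptr, sec_hdrs = 0x400, b""
    for name, vsize, va, rsize in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                                vsize, va, rsize, raw_ptr if rsize else 0,
                                0, 0, 0, 0, 0x60000020)
        raw_ptr += rsize
    image = dos + b"PE\x00\x00" + coff + bytes(opt) + sec_hdrs
    return image.ljust(0x400, b"\x00") + trailer


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize = struct.unpack_from("<8sIII", data, off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rsize": rsize})
    return entry, sections


def upx_indicators(data):
    entry, sections = parse_pe(data)
    ind = {
        # Stock UPX names its sections UPX0/UPX1 and leaves a "UPX!" magic.
        "upx_section_names": any(s["name"].startswith("UPX") for s in sections),
        "upx_magic": b"UPX!" in data,
        # Heuristic (assumption) for renamed/modified UPX: the first section is
        # the unpack target (no raw data, large virtual size) and execution
        # starts in the section right after it, where the decompression stub is.
        "empty_first_section": False,
        "entry_in_second_section": False,
    }
    if sections:
        ind["empty_first_section"] = sections[0]["rsize"] == 0 and sections[0]["vsize"] > 0
    if len(sections) >= 2:
        s = sections[1]
        ind["entry_in_second_section"] = s["va"] <= entry < s["va"] + s["vsize"]
    return ind


def is_upx_packed(data):
    ind = upx_indicators(data)
    return (ind["upx_section_names"] or ind["upx_magic"]
            or (ind["empty_first_section"] and ind["entry_in_second_section"]))


# Constructed samples: stock UPX layout, a renamed-section variant, a plain binary.
SAMPLE_UPX = build_pe([("UPX0", 0x20000, 0x1000, 0), ("UPX1", 0x10000, 0x21000, 0xF000),
                       (".rsrc", 0x1000, 0x31000, 0x800)], 0x2F000,
                      trailer=b"UPX!" + b"\x00" * 12)
SAMPLE_RENAMED = build_pe([(".text", 0x20000, 0x1000, 0), (".data", 0x10000, 0x21000, 0xF000)], 0x2F000)
SAMPLE_PLAIN = build_pe([(".text", 0x5000, 0x1000, 0x5000), (".data", 0x1000, 0x6000, 0x1000)], 0x1200)

if __name__ == "__main__":
    for label, blob in (("upx", SAMPLE_UPX), ("renamed", SAMPLE_RENAMED), ("plain", SAMPLE_PLAIN)):
        print(label, is_upx_packed(blob), upx_indicators(blob))
```

The section-name and magic checks are what a stock-UPX rule keys on; the empty-first-section heuristic is what still fires after an operator renames the sections and strips the magic, which is why the report distinguishes "UPX/modified UPX". The 768KB memory dumps taken from PID 3420 later in the report are the kind of OEP dump that lets the unpacked image be analysed directly.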

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll
      2⤵
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Maps connected drives based on registry
      • Modifies registry class
      PID:3420
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:4324
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4620
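The process tree shows the 64-bit regsvr32.exe (PID 2024) silently registering a DLL from the user's Temp directory and handing off to the SysWOW64 copy (PID 3420), which is the process that then writes the Run key and the Browser Helper Object entry from the Signatures section. As an added example (not the report's own detection logic), the following Python runs that kind of hunt over a few constructed Sysmon-style events that mirror the tree: it flags a silent regsvr32 load from a user-writable path, a BHO CLSID registration, and a Run value pointing into AppData, and records the x64-to-WOW64 regsvr32 hop as context rather than as an alert, since that relaunch is how 64-bit regsvr32 handles a 32-bit DLL. The event field names, the parent images, the Run value name, the all-zero CLSID and the benign control event are placeholders and assumptions, not data from the report.

```python
import re

# Constructed Sysmon-style events modelled on the report's process tree and
# registry signatures. Field names, parent images, the Run value name and the
# all-zero CLSID are placeholders, not data from the report.
EVENTS = [
    {"type": "process", "pid": 2024, "image": r"C:\Windows\system32\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll"},
    {"type": "process", "pid": 3420, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent_image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": r"/s C:\Users\Admin\AppData\Local\Temp\$_5_.dll"},
    # A 32-bit process's HKLM\SOFTWARE writes land under Wow6432Node on x64.
    {"type": "registry", "pid": 3420, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}",
     "details": ""},
    {"type": "registry", "pid": 3420, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll"},
    # Benign control: an installer registering a COM server from Program Files.
    {"type": "process", "pid": 5000, "image": r"C:\Windows\system32\regsvr32.exe",
     "parent_image": r"C:\Windows\system32\msiexec.exe",
     "cmd": r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"},
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
BHO_KEY = re.compile(r"\\Explorer\\Browser Helper Objects\\\{[0-9A-F-]{36}\}", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
MODULE_ARG = re.compile(r'(?:^|\s)"?([A-Za-z]:\\[^"]+?\.(?:dll|ocx))"?(?:\s|$)', re.I)
SILENT_FLAG = re.compile(r"(?:^|\s)/s(?:\s|$)", re.I)


def regsvr32_module(cmd):
    """Path of the module regsvr32 was asked to register, or None."""
    m = MODULE_ARG.search(cmd)
    return m.group(1) if m else None


def check_event(ev):
    findings = []
    if ev["type"] == "process" and ev["image"].lower().endswith(r"\regsvr32.exe"):
        mod = regsvr32_module(ev["cmd"])
        if mod and SILENT_FLAG.search(ev["cmd"]) and USER_WRITABLE.search(mod):
            findings.append(("regsvr32_silent_load_from_user_path", ev["pid"], mod))
        # 64-bit regsvr32 relaunches the SysWOW64 copy for a 32-bit DLL; this is
        # expected behaviour, recorded as context rather than as an alert.
        if (ev["parent_image"].lower().endswith(r"\system32\regsvr32.exe")
                and r"\syswow64\regsvr32.exe" in ev["image"].lower()):
            findings.append(("regsvr32_wow64_relaunch", ev["pid"], ev["image"]))
    elif ev["type"] == "registry":
        if BHO_KEY.search(ev["key"]):
            findings.append(("bho_registered", ev["pid"], ev["key"]))
        if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["details"]):
            findings.append(("run_key_to_user_writable_path", ev["pid"], ev["details"]))
    return findings


def scan(events):
    return [f for ev in events for f in check_event(ev)]


def pids_with_persistence(events):
    """PIDs that both loaded a module from a user-writable path and set persistence."""
    by_pid = {}
    for name, pid, _ in scan(events):
        by_pid.setdefault(pid, set()).add(name)
    return sorted(pid for pid, names in by_pid.items()
                  if "regsvr32_silent_load_from_user_path" in names
                  and names & {"bho_registered", "run_key_to_user_writable_path"})


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(*f)
    print("persistence via user-path module:", pids_with_persistence(EVENTS))
```

Correlating by PID matters here: the registry writes come from the WOW64 child, not from the regsvr32 that was launched, so a rule that only looks at the first process would miss the persistence. Note also that the Run key and BHO entries are where the DLL is re-loaded on the next logon or Internet Explorer start, which is why the report's later iexplore.exe activity is of interest even though nothing launched it from the sample directly.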

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            471B

            MD5

            cb99b6d5040641081530ef8f6049f1aa

            SHA1

            3fa9e3148cbee0e561da3787919043483ee5e5c0

            SHA256

            3e1607026f332ae19539f0621c8b18c820245d196febf8bf258253667ebc94d8

            SHA512

            13cdc5995fa4741d474c00491ea55b26101a88ee3495327950249e8bef1e16de29f46d0c1ffef3682eac0e041f0b06545d51ef8152a33606f0e13fe35e6a1d83

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            404B

            MD5

            79ed12ffc57bd2a0ddf3e9ad10d3bb59

            SHA1

            79c42cc3a3b058e228e258a9e94e21ab5983a25a

            SHA256

            c05bf28cef03f26b4add8bdcfc9b38b5242bc91f77b15e351d811752d53ef184

            SHA512

            ada6ee1ced06dc217599544c5113254fad0fe8990c1288331dcf99c49a66c49a14063966cd6ce7ba08edfedac73ea1b52e22e2f890810d8b2c5922cbe9a3355e

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\suggestions[1].en-US

            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          • memory/3420-0-0x00000000406E0000-0x00000000407A0000-memory.dmp

            Filesize

            768KB

          • memory/3420-1-0x00000000406E0000-0x00000000407A0000-memory.dmp

            Filesize

            768KB

          • memory/3420-14-0x00000000406E0000-0x00000000407A0000-memory.dmp

            Filesize

            768KB

          • memory/3420-32-0x00000000406E0000-0x00000000407A0000-memory.dmp

            Filesize

            768KB

          • memory/3420-33-0x00000000406E0000-0x00000000407A0000-memory.dmp

            Filesize

            768KB