Analysis
max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
02/02/2024, 23:25
Behavioral task
behavioral1
Sample
8accd407222deef7660f75dcba8cf6c6.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8accd407222deef7660f75dcba8cf6c6.exe
Resource
win10v2004-20231215-en
General
-
Target
8accd407222deef7660f75dcba8cf6c6.exe
-
Size
91KB
-
MD5
8accd407222deef7660f75dcba8cf6c6
-
SHA1
65b2699ef4a88c64205d99a01efd6b95d81244d2
-
SHA256
ca87f191be00b273242716a4b2747d4da6027befc4ed6e12ad0046a9b3a9c572
-
SHA512
800211fc7c6cc9f06fb63e22b04568bd934a84d8f93743d16b55b37228de5c1a3a2c410efabd883ac92c898222d6ea26cce80909ed10b7902874eb163c19fccc
-
SSDEEP
1536:yu4nPGyZSZmbWXE4b+jy0GH5or5k784G629+l3iXAXD2CD+ExhaLPzNCmW/qjwEk:yfulB+u1544n2cleAnx0NCpyj/uv
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process
2144 cmd.exe
Executes dropped EXE 1 IoCs
pid Process
2160 PostTip.exe
Loads dropped DLL 7 IoCs
pid Process
1092 regsvr32.exe
1748 8accd407222deef7660f75dcba8cf6c6.exe
1748 8accd407222deef7660f75dcba8cf6c6.exe
2160 PostTip.exe
2160 PostTip.exe
2160 PostTip.exe
2836 regsvr32.exe
-
resource yara_rule
behavioral1/memory/1748-0-0x0000000000400000-0x0000000000443000-memory.dmp upx
behavioral1/memory/1748-25-0x0000000000400000-0x0000000000443000-memory.dmp upx
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PostTip = "C:\\Program Files (x86)\\PostTip\\PostTip.exe" PostTip.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454B-AC3B-437F30BEA671} regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe
Drops file in Program Files directory 3 IoCs
description ioc Process
File created C:\Program Files (x86)\PostTip\PostTip.dll 8accd407222deef7660f75dcba8cf6c6.exe
File created C:\Program Files (x86)\PostTip\uninstall.exe 8accd407222deef7660f75dcba8cf6c6.exe
File created C:\Program Files (x86)\PostTip\PostTip.exe 8accd407222deef7660f75dcba8cf6c6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\ = "SideTab 1.0 Type Library" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" regsvr32.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32 regsvr32.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS\ = "0" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PostTip\\" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" regsvr32.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
1748 8accd407222deef7660f75dcba8cf6c6.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeRestorePrivilege 1748 8accd407222deef7660f75dcba8cf6c6.exe
Token: SeBackupPrivilege 1748 8accd407222deef7660f75dcba8cf6c6.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
1748 8accd407222deef7660f75dcba8cf6c6.exe
1748 8accd407222deef7660f75dcba8cf6c6.exe
2160 PostTip.exe
2160 PostTip.exe
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target
PID 1748 wrote to memory of 1092 1748 8accd407222deef7660f75dcba8cf6c6.exe 28
PID 1748 wrote to memory of 1092 1748 8accd407222deef7660f75dcba8cf6c6.exe 28
PID 1748 wrote to memory of 1092 1748 8accd407222deef7660f75dcba8cf6c6.exe 28
PID 1748 wrote to memory of 1092 1748 8accd407222deef7660f75dcba8cf6c6.exe 28
PID 1748 wrote to memory of 1092 1748 8accd407222deef7660f75dcba8cf6c6.exe 28
PID 1748 wrote to memory of 1092 1748 8accd407222deef7660f75dcba8cf6c6.exe 28
PID 1748 wrote to memory of 1092 1748 8accd407222deef7660f75dcba8cf6c6.exe 28
PID 1748 wrote to memory of 2160 1748 8accd407222deef7660f75dcba8cf6c6.exe 31
PID 1748 wrote to memory of 2160 1748 8accd407222deef7660f75dcba8cf6c6.exe 31
PID 1748 wrote to memory of 2160 1748 8accd407222deef7660f75dcba8cf6c6.exe 31
PID 1748 wrote to memory of 2160 1748 8accd407222deef7660f75dcba8cf6c6.exe 31
PID 1748 wrote to memory of 2160 1748 8accd407222deef7660f75dcba8cf6c6.exe 31
PID 1748 wrote to memory of 2160 1748 8accd407222deef7660f75dcba8cf6c6.exe 31
PID 1748 wrote to memory of 2160 1748 8accd407222deef7660f75dcba8cf6c6.exe 31
PID 1748 wrote to memory of 2144 1748 8accd407222deef7660f75dcba8cf6c6.exe 30
PID 1748 wrote to memory of 2144 1748 8accd407222deef7660f75dcba8cf6c6.exe 30
PID 1748 wrote to memory of 2144 1748 8accd407222deef7660f75dcba8cf6c6.exe 30
PID 1748 wrote to memory of 2144 1748 8accd407222deef7660f75dcba8cf6c6.exe 30
PID 1748 wrote to memory of 2144 1748 8accd407222deef7660f75dcba8cf6c6.exe 30
PID 1748 wrote to memory of 2144 1748 8accd407222deef7660f75dcba8cf6c6.exe 30
PID 1748 wrote to memory of 2144 1748 8accd407222deef7660f75dcba8cf6c6.exe 30
PID 2160 wrote to memory of 2836 2160 PostTip.exe 32
PID 2160 wrote to memory of 2836 2160 PostTip.exe 32
PID 2160 wrote to memory of 2836 2160 PostTip.exe 32
PID 2160 wrote to memory of 2836 2160 PostTip.exe 32
PID 2160 wrote to memory of 2836 2160 PostTip.exe 32
PID 2160 wrote to memory of 2836 2160 PostTip.exe 32
PID 2160 wrote to memory of 2836 2160 PostTip.exe 32
Processes
C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748
  C:\Windows\SysWOW64\regsvr32.exe
  Command line: regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:1092
  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c \DelUS.bat
  - Deletes itself
  PID:2144
  C:\Program Files (x86)\PostTip\PostTip.exe
  Command line: "C:\Program Files (x86)\PostTip\PostTip.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2160
    C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2836
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
243B
MD5
89dfe7a7a6147c643bb4337b3103ae33
SHA1
be87652d93427342a60fe92e68f20116af3329a4
SHA256
50e509882ff928822ac2ee9ed38a1bd294012484179b90864cd7933e88d16893
SHA512
bc6c905e2942844297311614ad15113de82f3fc07b612c5f55a7f997a11bcd72cfa4f6d53f78aebb2ab2b80a6e4a2b9d8711280ead4bc75e1ac78d6a86e3097a
-
Filesize
146KB
MD5
a91d1721d3d945db7b97b2184d01bcff
SHA1
9f2a2e0c00dfde68cc68dfb68ebf68bfe2db4b96
SHA256
4a14bdc36a06c2f07e2f90c3efa6ea408b9dc36181e418f5a001eaf9cdcd9389
SHA512
4d3594d3c7f6856d7bff004825df3e7b274069070476f0e040245c6f14613c2fe5ec6cac6ae1c54104c978c4899d2b0421425f146d8e0a96ca44b711ce08fd66
-
Filesize
38KB
MD5
dd0481ba5c98acab24d53e6a894bd429
SHA1
d83b22224aa891ed22d4e3549066b8a0e19d005c
SHA256
84fde9b01b4d3c5bc7d8bf487c9d64e7e86021f060f624c6d693c1e196bf2e9c
SHA512
3716353b3d604f56f4f30681d62ca1ce6b21f5ae2839c5e43ada0efe5b5e511c8e0fd5fe07d95326b2e0bd21df06ea159561a4a9903ecef7779a20fc8aae6b60