Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
04/02/2024, 17:03
Behavioral task
behavioral1
Sample
8fb0dc9809505c372d3a9145cad1f184.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8fb0dc9809505c372d3a9145cad1f184.exe
Resource
win10v2004-20231222-en
General
-
Target
8fb0dc9809505c372d3a9145cad1f184.exe
-
Size
97KB
-
MD5
8fb0dc9809505c372d3a9145cad1f184
-
SHA1
d4b1b0a39e16afdcc542f7c3269308867eb1275b
-
SHA256
00e752aae95f201347308a869803bed8104e5167aa2f8a16ff0efd97d6b180f0
-
SHA512
6bf44c51d4dd35cbeab22e8bc5b6d335ec5619f5f48e80b967211e9ad08b4e269ac305ed7bc0e7fa97d0095bbbdf9aa5974635f02dc08baf0a33b11915812454
-
SSDEEP
3072:C7mW2cZ8UtE2UvMzSKMLTQ7ja8qULZsJ8r:CKWfo5yo3Q7ja8qe
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1508 PostTip.exe -
Loads dropped DLL 2 IoCs
pid Process 4464 regsvr32.exe 2932 regsvr32.exe -
resource yara_rule behavioral2/memory/396-0-0x0000000000400000-0x0000000000448000-memory.dmp upx behavioral2/memory/396-11-0x0000000000400000-0x0000000000448000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PostTip = "C:\\Program Files (x86)\\PostTip\\PostTip.exe" PostTip.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C4BF6897-41A2-454B-AC3B-437F30BEA671} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\PostTip\PostTip.dll 8fb0dc9809505c372d3a9145cad1f184.exe File created C:\Program Files (x86)\PostTip\uninstall.exe 8fb0dc9809505c372d3a9145cad1f184.exe File created C:\Program Files (x86)\PostTip\PostTip.exe 8fb0dc9809505c372d3a9145cad1f184.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\ = "SideTab 1.0 Type Library" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988} regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PostTip\\" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 396 8fb0dc9809505c372d3a9145cad1f184.exe 396 8fb0dc9809505c372d3a9145cad1f184.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 396 8fb0dc9809505c372d3a9145cad1f184.exe 396 8fb0dc9809505c372d3a9145cad1f184.exe 1508 PostTip.exe 1508 PostTip.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 396 wrote to memory of 4464 396 8fb0dc9809505c372d3a9145cad1f184.exe 86 PID 396 wrote to memory of 4464 396 8fb0dc9809505c372d3a9145cad1f184.exe 86 PID 396 wrote to memory of 4464 396 8fb0dc9809505c372d3a9145cad1f184.exe 86 PID 396 wrote to memory of 1508 396 8fb0dc9809505c372d3a9145cad1f184.exe 88 PID 396 wrote to memory of 1508 396 8fb0dc9809505c372d3a9145cad1f184.exe 88 PID 396 wrote to memory of 1508 396 8fb0dc9809505c372d3a9145cad1f184.exe 88 PID 396 wrote to memory of 1188 396 8fb0dc9809505c372d3a9145cad1f184.exe 90 PID 396 wrote to memory of 1188 396 8fb0dc9809505c372d3a9145cad1f184.exe 90 PID 396 wrote to memory of 1188 396 8fb0dc9809505c372d3a9145cad1f184.exe 90 PID 1508 wrote to memory of 2932 1508 PostTip.exe 92 PID 1508 wrote to memory of 2932 1508 PostTip.exe 92 PID 1508 wrote to memory of 2932 1508 PostTip.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\8fb0dc9809505c372d3a9145cad1f184.exe"C:\Users\Admin\AppData\Local\Temp\8fb0dc9809505c372d3a9145cad1f184.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:4464
-
-
C:\Program Files (x86)\PostTip\PostTip.exe"C:\Program Files (x86)\PostTip\PostTip.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2932
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c \DelUS.bat2⤵PID:1188
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
243B
MD587b0d16ac4822a4ff5a82418e3e05eeb
SHA14634910ce53b434a5a86118a953ed6a857c1b187
SHA256b7d8e4b5143990b7de490f67ae22b6fad1161d84eaf6ba8367d0bcbb7e8e4ba6
SHA512883d3ff3a4f7077a99cb1bd7b1e9034beb1736f712ab54e33ba7afaf0f6bb89d4a9894de78e7d574dce4d61801778ba1a9cce4b0f523842573f4f0bbd3e204b1
-
Filesize
162KB
MD5dc62c2f61a803bd1292b0b169fa6f8d9
SHA1117ecef652f645ab87a611eab5bc16ae085d6ffb
SHA2567434776f552dde651370f0e43026def6c56c412eb1c62d5214406b34144319af
SHA51255f22c83fcfccf10bb799af214b456392f43b7c394a7dcebbe2fe7059c65ba2fad859c9709b4ca2ab28ab55f03e054196a5b3857a0ec09c3b603a3458cb212d1
-
Filesize
38KB
MD5c2b5be376cac31c0b01603105ae4ea89
SHA14fcfa0181ca5478103c6999199957be40f4a937b
SHA2568ec9ca043b655d4bf868ccd7d9d5fdd4e23ad8610aed2fb983370437b7851feb
SHA512d17e798a414a6d2295f13339a10151f2a34cff5a7d6c81862c26a0c4ac831bf9f867f9f2bf028fa15f189a93f8d8883a334a9857a33bcabac916376267c9da72