Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 04/02/2024, 18:38
Static task: static1
Behavioral task: behavioral1
Sample: 8fde3f8b6233ec067c2f19dfe7e947bb.exe
Resource: win7-20231129-en
General
Target: 8fde3f8b6233ec067c2f19dfe7e947bb.exe
Size: 93KB
MD5: 8fde3f8b6233ec067c2f19dfe7e947bb
SHA1: 849cb9f4b8d3f2a6d302a8c75b46b586d9f4046d
SHA256: 134964a3a0ca44c9b9c371e76f266600924c82dd9ff7220052af2d6b3f98f59e
SHA512: 79d70be1aa7f4589a976745bea7b528d155b0e54c6361741d9f466c373458dd9579193cc89ddff19b0bce28b570773ee1b969ecbe906a31ae61b97446c75bf80
SSDEEP: 1536:DSj113BXyOuN8EYtpAloGKpabl2qL/D6SGcGr6zOhYiBP3HWM9VW0h1fRA0gqFl:DgtRHCoDpCkK6SfzOKiB7jW0h1RVFl
Malware Config
Signatures
Loads dropped DLL 1 IoCs
pid Process
2996 regsvr32.exe

Checks whether UAC is enabled
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8fde3f8b6233ec067c2f19dfe7e947bb.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{54698A2F-2247-4538-82FC-2B5443D66945} regsvr32.exe

Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\SysWOW64\drivera.dll 8fde3f8b6233ec067c2f19dfe7e947bb.exe
File created C:\Windows\SysWOW64\drivera.exe 8fde3f8b6233ec067c2f19dfe7e947bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class 5 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\InprocServer32\ = "C:\\Windows\\SysWow64\\drivera.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\ regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\InprocServer32 regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1476 8fde3f8b6233ec067c2f19dfe7e947bb.exe
1476 8fde3f8b6233ec067c2f19dfe7e947bb.exe

Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target
PID 1476 wrote to memory of 2996 1476 8fde3f8b6233ec067c2f19dfe7e947bb.exe 28
PID 1476 wrote to memory of 2996 1476 8fde3f8b6233ec067c2f19dfe7e947bb.exe 28
PID 1476 wrote to memory of 2996 1476 8fde3f8b6233ec067c2f19dfe7e947bb.exe 28
PID 1476 wrote to memory of 2996 1476 8fde3f8b6233ec067c2f19dfe7e947bb.exe 28
PID 1476 wrote to memory of 2996 1476 8fde3f8b6233ec067c2f19dfe7e947bb.exe 28
PID 1476 wrote to memory of 2996 1476 8fde3f8b6233ec067c2f19dfe7e947bb.exe 28
PID 1476 wrote to memory of 2996 1476 8fde3f8b6233ec067c2f19dfe7e947bb.exe 28
Processes
C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe
"C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe"
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
  C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\drivera.dll
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2996
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 146KB
MD5: fbd1a0dd96e559b6b3f4433d4c37d855
SHA1: 536f861a349fbcd9a108e51d134398eb2059fc9f
SHA256: 93d44443472184498349a735673b0d1564f2dbdade5b748078a7689e7007ce42
SHA512: 22dd0a96f06a1524d576ca97d847ae7e6a4e2c6e877b587af9af8f6642466de5a8ed7c032b5759ae981f30df1522994232f754965c09c9f78ed378a6e677718c