Analysis Overview
SHA256
134964a3a0ca44c9b9c371e76f266600924c82dd9ff7220052af2d6b3f98f59e
Threat Level: Shows suspicious behavior
The file 8fde3f8b6233ec067c2f19dfe7e947bb was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Installs/modifies Browser Helper Object
Checks whether UAC is enabled
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-04 18:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 18:38
Reported
2024-02-04 18:41
Platform
win7-20231129-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{54698A2F-2247-4538-82FC-2B5443D66945} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivera.dll | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
| File created | C:\Windows\SysWOW64\drivera.exe | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\InprocServer32\ = "C:\\Windows\\SysWow64\\drivera.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe
"C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\drivera.dll
Network
Files
memory/1476-0-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1476-1-0x00000000001B0000-0x00000000001B2000-memory.dmp
\Windows\SysWOW64\drivera.dll
| MD5 | fbd1a0dd96e559b6b3f4433d4c37d855 |
| SHA1 | 536f861a349fbcd9a108e51d134398eb2059fc9f |
| SHA256 | 93d44443472184498349a735673b0d1564f2dbdade5b748078a7689e7007ce42 |
| SHA512 | 22dd0a96f06a1524d576ca97d847ae7e6a4e2c6e877b587af9af8f6642466de5a8ed7c032b5759ae981f30df1522994232f754965c09c9f78ed378a6e677718c |
memory/2996-8-0x0000000000470000-0x000000000049A000-memory.dmp
memory/1476-9-0x0000000000400000-0x000000000044B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 18:38
Reported
2024-02-04 18:41
Platform
win10v2004-20231215-en
Max time kernel
93s
Max time network
128s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{54698A2F-2247-4538-82FC-2B5443D66945} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivera.dll | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
| File created | C:\Windows\SysWOW64\drivera.exe | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\InprocServer32\ = "C:\\Windows\\SysWow64\\drivera.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54698A2F-2247-4538-82FC-2B5443D66945}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1776 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1776 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1776 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe
"C:\Users\Admin\AppData\Local\Temp\8fde3f8b6233ec067c2f19dfe7e947bb.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\drivera.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
Files
memory/1776-0-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1776-1-0x00000000005E0000-0x00000000005E2000-memory.dmp
C:\Windows\SysWOW64\drivera.dll
| MD5 | fbd1a0dd96e559b6b3f4433d4c37d855 |
| SHA1 | 536f861a349fbcd9a108e51d134398eb2059fc9f |
| SHA256 | 93d44443472184498349a735673b0d1564f2dbdade5b748078a7689e7007ce42 |
| SHA512 | 22dd0a96f06a1524d576ca97d847ae7e6a4e2c6e877b587af9af8f6642466de5a8ed7c032b5759ae981f30df1522994232f754965c09c9f78ed378a6e677718c |
memory/1776-8-0x0000000000400000-0x000000000044B000-memory.dmp