Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 19:55
Static task: static1
Behavioral task: behavioral1
Sample: 90039c975ddc2e891b50aae18bed6a65.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 90039c975ddc2e891b50aae18bed6a65.exe
Resource: win10v2004-20231215-en
General
Target: 90039c975ddc2e891b50aae18bed6a65.exe
Size: 1.3MB
MD5: 90039c975ddc2e891b50aae18bed6a65
SHA1: 095b1924543b08db76857bd95f06ce919eaf2236
SHA256: 15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd
SHA512: 2d3b1bdffc050f657527eb39eade9093c2829a7d4189f89dada98a68f149bfc173ca13ee9686632a8905327da2cccf7b34d51c586f3637817c7e0a709d94c8f9
SSDEEP: 24576:L+pUFy+woYqqMK5mmczq36wUCQdjqfo13knOblF32bwHv/QMnSzLCvMqWj+QB:L+5oYtBmZzsBUCQZyo17bltbbSfw8+u
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
1736 | kBYeWZe3g.exe

Loads dropped DLL (4 IoCs)
pid | Process
1712 | 90039c975ddc2e891b50aae18bed6a65.exe
1736 | kBYeWZe3g.exe
2732 | regsvr32.exe
2112 | regsvr32.exe

Registers COM server for autorun (1 TTP, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" | regsvr32.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | kBYeWZe3g.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | kBYeWZe3g.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" | kBYeWZe3g.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" | kBYeWZe3g.exe
Drops file in Program Files directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll | kBYeWZe3g.exe
File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb | kBYeWZe3g.exe
File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb | kBYeWZe3g.exe
File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat | kBYeWZe3g.exe
File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat | kBYeWZe3g.exe
File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll | kBYeWZe3g.exe
File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll | kBYeWZe3g.exe
File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll | kBYeWZe3g.exe
Modifies Internet Explorer settings (8 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | kBYeWZe3g.exe
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | kBYeWZe3g.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | kBYeWZe3g.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | kBYeWZe3g.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | regsvr32.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 1712 wrote to memory of 1736 | 1712 | 90039c975ddc2e891b50aae18bed6a65.exe | 28
PID 1712 wrote to memory of 1736 | 1712 | 90039c975ddc2e891b50aae18bed6a65.exe | 28
PID 1712 wrote to memory of 1736 | 1712 | 90039c975ddc2e891b50aae18bed6a65.exe | 28
PID 1712 wrote to memory of 1736 | 1712 | 90039c975ddc2e891b50aae18bed6a65.exe | 28
PID 1712 wrote to memory of 1736 | 1712 | 90039c975ddc2e891b50aae18bed6a65.exe | 28
PID 1712 wrote to memory of 1736 | 1712 | 90039c975ddc2e891b50aae18bed6a65.exe | 28
PID 1712 wrote to memory of 1736 | 1712 | 90039c975ddc2e891b50aae18bed6a65.exe | 28
PID 1736 wrote to memory of 2732 | 1736 | kBYeWZe3g.exe | 29
PID 1736 wrote to memory of 2732 | 1736 | kBYeWZe3g.exe | 29
PID 1736 wrote to memory of 2732 | 1736 | kBYeWZe3g.exe | 29
PID 1736 wrote to memory of 2732 | 1736 | kBYeWZe3g.exe | 29
PID 1736 wrote to memory of 2732 | 1736 | kBYeWZe3g.exe | 29
PID 1736 wrote to memory of 2732 | 1736 | kBYeWZe3g.exe | 29
PID 1736 wrote to memory of 2732 | 1736 | kBYeWZe3g.exe | 29
PID 2732 wrote to memory of 2112 | 2732 | regsvr32.exe | 30
PID 2732 wrote to memory of 2112 | 2732 | regsvr32.exe | 30
PID 2732 wrote to memory of 2112 | 2732 | regsvr32.exe | 30
PID 2732 wrote to memory of 2112 | 2732 | regsvr32.exe | 30
PID 2732 wrote to memory of 2112 | 2732 | regsvr32.exe | 30
PID 2732 wrote to memory of 2112 | 2732 | regsvr32.exe | 30
PID 2732 wrote to memory of 2112 | 2732 | regsvr32.exe | 30
System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | kBYeWZe3g.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} = "1" | kBYeWZe3g.exe
Processes
Each process below is a child of the one above it (tree depth 1 to 4).

Depth 1: C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1712

Depth 2: C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
Command line: "C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1736

Depth 3: C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2732

Depth 4: C:\Windows\system32\regsvr32.exe
Command line: /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID: 2112
Network
MITRE ATT&CK Enterprise v15
Downloads