Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/02/2024, 19:55

General

  • Target
    90039c975ddc2e891b50aae18bed6a65.exe
  • Size
    1.3MB
  • MD5
    90039c975ddc2e891b50aae18bed6a65
  • SHA1
    095b1924543b08db76857bd95f06ce919eaf2236
  • SHA256
    15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd
  • SHA512
    2d3b1bdffc050f657527eb39eade9093c2829a7d4189f89dada98a68f149bfc173ca13ee9686632a8905327da2cccf7b34d51c586f3637817c7e0a709d94c8f9
  • SSDEEP
    24576:L+pUFy+woYqqMK5mmczq36wUCQdjqfo13knOblF32bwHv/QMnSzLCvMqWj+QB:L+5oYtBmZzsBUCQZyo17bltbbSfw8+u

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (4 IoCs)
  • Registers COM server for autorun (1 TTP, 4 IoCs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
    BHOs are DLL modules which act as plugins for Internet Explorer.
  • Drops file in Program Files directory (8 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 8 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)
  • System policy modification (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe
    "C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
      "C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1736
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
          4⤵
          • Loads dropped DLL
          • Registers COM server for autorun
          • Installs/modifies Browser Helper Object
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:2112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\surf and! keep\kBYeWZe3g.exe
    Filesize: 108KB
    MD5: 820d41b154e6466dc756d30ad829fd51
    SHA1: e8ce26a9cbd4a18ee6bf4ebae9a01637bd565538
    SHA256: ddedb38251054e73cb662b2e1d17a6e4d8b9a4f384b6221be4151df5c3b3fcaa
    SHA512: cca505d3a72a724b9bf89f4ae8eb54ad077bf9d64422b4f297bc8970a08876c311a9ca1ad11d8484d077375ab41a03241191294888566f8f591ed1fe39fae5c0
  • C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.dll
    Filesize: 363KB
    MD5: 9afeb7fa65aa31c6b871237d14a8fb94
    SHA1: 58f99ae9ea22f56f28b6c5fa798bda3109f297f6
    SHA256: 4cb847c3d1b5b9ae746e3725ae26b756c4eb980c93faf2a5963a030e9db2874a
    SHA512: 311655752677bad1e397ef2f03608ee9819157d211b65cb3b4d81a11b70c32fdd07a6e38c7b276e66ad7953f7549d1c881a0fd97ec82621365a4c2ec23dca855
  • C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.tlb
    Filesize: 3KB
    MD5: 9f260bfcd1ef83627ceb2792ee3324f5
    SHA1: 078164529ae639e5ff9cf0e4003a82259c2aace8
    SHA256: 8ce97c40c3fea5c0a6446b3e647cdb0d1d38eb0a07c40a91a8df4ad0517b2526
    SHA512: 3e3fa6af779fdda2ecd4e75cfb7b09eae69352eb39560fecbeae750130a111aa099a11d91dce90ab2a7dc11a9fe25d3898c65da8de7fb5729398cdb8260dcd6f
  • C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.x64.dll
    Filesize: 398KB
    MD5: 410bb7e2c88f92de31b83a173e173e2d
    SHA1: ff40233a038f80b7b1513431d6a9632e8f0e39f0
    SHA256: afd8e3c979685360c26ff618eb85e0b788f7d9b743fc4e52b9337c242e5bf8d3
    SHA512: d5a2727ac2936f189e4247852f147efe93f4473c690abb046c0e38cd8371198c601ae3ec41b04f389da208090c110b7d7ccc903bd3ae9f6ec1b926d5461fdd1e
  • C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.dat
    Filesize: 3KB
    MD5: 99df1dab85dd4b568804cf7123ecef54
    SHA1: 199ab77160bb3030b6ff57517b5cf318b1831cc9
    SHA256: 9838a34f6f10b8af37ac6d2eea2ff82ecc108c44e509a9e5e5bc2ff954455890
    SHA512: 31c835824b6f5639d49c26635e7e084616512b242c17ea8415644e3a7ec3419c2787c979a0b601e4ffe6f3f30a6d7a09b462d9c6f337c8b0aaa64432c4d693ea
  • C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
    Filesize: 256KB
    MD5: b7d14322bc6b822de16a153dc5e34040
    SHA1: cafb8bc8aca7111fe839280f736738f3b70ab593
    SHA256: 5e049f178e4bd2f6e601fe49bdefff3de22c462e453ce5190b82d6ff1cc52faf
    SHA512: 4bff139773793b42d24f7cdef8f5ed56cf61ddd7343e9d43c57496ce377ce7eb44c6747d270468f533150016dda77e49702f3e4a1f5400af7ae24a7dd099130a
  • \Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
    Filesize: 356KB
    MD5: 6223a19e77e3b9b4f633e8863ee1cf40
    SHA1: ee5ec9cffb59790d553f5a3394ad5808e1e37446
    SHA256: d4041f6772da83d968fcf13181a9004ba69f89effc3a69bee019ab44b5ad1f46
    SHA512: 66c99f26af2895142c61d75025f9343cc132883f79a513b47c18da1f9eb2582971eeee0610779e20d51d378fda854bf4c5a51434a0f0425054a7d059f764bcb3