Analysis

  • max time kernel
    92s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/02/2024, 19:55

General

  • Target

    90039c975ddc2e891b50aae18bed6a65.exe

  • Size

    1.3MB

  • MD5

    90039c975ddc2e891b50aae18bed6a65

  • SHA1

    095b1924543b08db76857bd95f06ce919eaf2236

  • SHA256

    15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd

  • SHA512

    2d3b1bdffc050f657527eb39eade9093c2829a7d4189f89dada98a68f149bfc173ca13ee9686632a8905327da2cccf7b34d51c586f3637817c7e0a709d94c8f9

  • SSDEEP

    24576:L+pUFy+woYqqMK5mmczq36wUCQdjqfo13knOblF32bwHv/QMnSzLCvMqWj+QB:L+5oYtBmZzsBUCQZyo17bltbbSfw8+u

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Registers COM server for autorun 1 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe
    "C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
      "C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4376
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4668
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
          4⤵
          • Loads dropped DLL
          • Registers COM server for autorun
          • Installs/modifies Browser Helper Object
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:2972

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll

          Filesize

          141KB

          MD5

          cbc445228891ba682bc932fc7142dacd

          SHA1

          2e6df4dc184540402ae81c1bc2fde9e78737cb0a

          SHA256

          daeff7218d1d22217795d62bad9619067d90f1eba7986b9d8fc3b71a36a79893

          SHA512

          78549bf59db25fb80ffba62f9f46832297760cd03fa2b1cadb554e882775a66855fbd53e443478890e7d13a1d793ba9af3798e8bf74259d9af1f34bd604ba806

        • C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll

          Filesize

          249KB

          MD5

          57c41d10552557b925bdd0c523161c1a

          SHA1

          6cebab7b290181d0b61cb96c3aa5d625f0971bfb

          SHA256

          dcdcb0fca076fd8f5906cb27653ad635d5040026242c7ce17941a2f696d18b8c

          SHA512

          bc213630403e665349273953b1e18fe834f4dca6d79167fcba67c9dcca9756b724d2e0f0caae80e2a506759ce2c90f696309d9bfcddfffb9e31edf11a444e4f0

        • C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll

          Filesize

          234KB

          MD5

          eedfb1623ee8ba8708969a5e4935bb23

          SHA1

          2f9259d69e67e07c74d88d4d81adceae8cdf2715

          SHA256

          bfc152d164f73c76e40103bafaba03918118679b69bb01c63f2441c1d8f941cf

          SHA512

          5c393c44bb4d4c253722e3563b839c120f94b6624ccd4878117e381e1730ee2d32a0523f3c7ad8d6531b44d325e2dedef9aedcf5449a07c5bf6925a3076b97bb

        • C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll

          Filesize

          188KB

          MD5

          a0dbdc390ac67b5670a35314bbca2958

          SHA1

          3d5c789618e6ebeea53f6299a4ff6ae86c1bd8d4

          SHA256

          6f16c3ab95ed07fdffe0fbdd7093ef6198da0013d9289fa1d2e2d8d15ca21cb3

          SHA512

          218b727e7992a9b6b0f04bf08ebb837c716e73085de04e42b6f9f393c05e97e542932dd7a3d68444018c1dafe626c4f2d1c14990b56d3d6e64f1ed1a9e909be2

        • C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll

          Filesize

          238KB

          MD5

          15a6fc66fc3b9fb1f962b09a04fab823

          SHA1

          f41314269fa5497f651fe55a427134e12fee41cd

          SHA256

          f0ec3742e50532832876419f03f61ad308c66a65974c685656319bfabf2a4ebc

          SHA512

          503c6b01405358a4255a7744f917f144b89df72537eb4791e85f5cd07dd62b47bc7800a60a7867f452f34676a64a63380c34290b799bfc09ce74c7df774168f1

        • C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.dll

          Filesize

          155KB

          MD5

          279c06692e5e3c4f0f721ddc93bfd0a5

          SHA1

          41ddffae4264c0e8123fd3864ee44854894677fc

          SHA256

          ae7ac0becbac553ddb8469dc56770936ff97c3c3accb8d885ef50f836b003825

          SHA512

          64b11c5a8cbc497ce7aedd3c2b4767a0c64aa3cf1097fe85c0c512fb185382c527f1d62ce19d7466850035530aa6114fcab63750f21c5e5a789f5a3368ad34ea

        • C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.tlb

          Filesize

          3KB

          MD5

          9f260bfcd1ef83627ceb2792ee3324f5

          SHA1

          078164529ae639e5ff9cf0e4003a82259c2aace8

          SHA256

          8ce97c40c3fea5c0a6446b3e647cdb0d1d38eb0a07c40a91a8df4ad0517b2526

          SHA512

          3e3fa6af779fdda2ecd4e75cfb7b09eae69352eb39560fecbeae750130a111aa099a11d91dce90ab2a7dc11a9fe25d3898c65da8de7fb5729398cdb8260dcd6f

        • C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.x64.dll

          Filesize

          214KB

          MD5

          14ad7e54bf311780ca11f96a7af68fa0

          SHA1

          9f987cd3f39514d77ec74aaae90084e4861a5f3a

          SHA256

          25074e139bb605fa9d829cfd5654277792e478afdac19829807981a94f360a75

          SHA512

          48d89db6c72d425a92cb4e658d4808d4d9ea889d992c02ee1e78efc414d8c8318e88ea6c028b54c4b820427292e45a8e8477d939a6a7cdc0b3d22809ca00abf5

        • C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.dat

          Filesize

          3KB

          MD5

          99df1dab85dd4b568804cf7123ecef54

          SHA1

          199ab77160bb3030b6ff57517b5cf318b1831cc9

          SHA256

          9838a34f6f10b8af37ac6d2eea2ff82ecc108c44e509a9e5e5bc2ff954455890

          SHA512

          31c835824b6f5639d49c26635e7e084616512b242c17ea8415644e3a7ec3419c2787c979a0b601e4ffe6f3f30a6d7a09b462d9c6f337c8b0aaa64432c4d693ea

        • C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe

          Filesize

          337KB

          MD5

          f091ad9720910b91eb012bdd6cd1afcf

          SHA1

          9b92fa6a8a34bd7ac43291d1ea5d08307471b77d

          SHA256

          8209f34a5747be2c17192264650940ed582298e80010f06f7e1be506a2e791d2

          SHA512

          9afaad5ad5cabfa93ce49342b6c6b4b1ce21e976d9486c2e7f69c056a19c256c0f1bd34e3518ad8d4ec0903cd53f37ea796fb09e096db45e840f57b45b706b8b

        • C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe

          Filesize

          225KB

          MD5

          8b8b5b2eb26dff0659a209daf4611d43

          SHA1

          e0f885a12d718fd54112ff6ab7a950882c6538ca

          SHA256

          77816b68ade0e21f66e7050966d73f47a9cbf28c2e30d9f2b2ccf6fae1feb3b2

          SHA512

          c91fb2f261182af159f6cd0546dc2b121c3a21de7624d9a718628630d9fd8f425b32c80387d1edf187bb54596a603575ad411957c27555f1b8661169e1272c00