Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 04/02/2024, 20:44
Behavioral task: behavioral1
- Sample: 901cd797547183322696906c2f8ca47c.dll
- Resource: win7-20231215-en
- 4 signatures
- 150 seconds
General
- Target: 901cd797547183322696906c2f8ca47c.dll
- Size: 99KB
- MD5: 901cd797547183322696906c2f8ca47c
- SHA1: 64ea9c45272a2f99e6a5bf7de0642bdf80fbc33b
- SHA256: 88c3d9d1d90f81919ae1a60cb1f2da96883ae81138b46ffd4a855a9b348ffe41
- SHA512: 4a491199e9586fe1957cc3908f173258bc91bad5f2201f959df0528bf6806493b0690fb9fd7194245fc43ee9e03d68a0546c92cfb2be090db6820ed81fc7fd0e
- SSDEEP: 1536:i6c2bcATlbcKNyRAOHMAvtDIvWSPuIHp4LUS9hUoKs6szkDxOLFJm:ikI0tvwHbt8OmuIHpQUSXjzkDxKPm
Malware Config
Signatures
- yara_rule match
  resource: behavioral1/memory/2148-0-0x0000000000270000-0x00000000002AF000-memory.dmp
  yara_rule: upx
- Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E033C87-D0B2-4CB5-9FE5-DB6378E4C40F}
  Process: regsvr32.exe
- Modifies registry class (6 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E033C87-D0B2-4CB5-9FE5-DB6378E4C40F}\InprocServer32
  Process: regsvr32.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
  Process: regsvr32.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  Process: regsvr32.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E033C87-D0B2-4CB5-9FE5-DB6378E4C40F}
  Process: regsvr32.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E033C87-D0B2-4CB5-9FE5-DB6378E4C40F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\901cd797547183322696906c2f8ca47c.dll"
  Process: regsvr32.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E033C87-D0B2-4CB5-9FE5-DB6378E4C40F}\InprocServer32\ThreadingModel = "apartment"
  Process: regsvr32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1572 wrote to memory of 2148
  pid: 1572
  Process: regsvr32.exe
  procid_target: 28
  (the same event is recorded 7 times)
Processes
- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\901cd797547183322696906c2f8ca47c.dll
  - Suspicious use of WriteProcessMemory
  - PID: 1572
  - C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\901cd797547183322696906c2f8ca47c.dll
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    - PID: 2148