bdbb1a14e40484f3f44799186ea8006d06c0fd457b7acc9b5d82d1bd3053aa0e

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 09:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a367de4bf7f4a5c1cfa7ac68dc6817b7.exe
Size

54KB
MD5

a367de4bf7f4a5c1cfa7ac68dc6817b7
SHA1

b087f39fa561acd65c6ec35e51d1df46d37e1446
SHA256

bdbb1a14e40484f3f44799186ea8006d06c0fd457b7acc9b5d82d1bd3053aa0e
SHA512

2dc948f05ee346c31d4d0ca4fe3221662e7959cabca8bc3fb6e70136d65e4556d9c1130f1ad6294cf1c296ce7670014fcbdc6c2165f90517ab9d4e6bdceb2767
SSDEEP

1536:3Gi4zOWgjJ4W7LxtuH1YmgtRjhkUZ+uooJiMzfljC:2JzCJ4KLHum/GUhVgsVC

Score

8^/10

adware bootkit persistence stealer upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
42	2328	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
3944	regsvr32.exe
2328	rundll32.exe
2112	regsvr32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1692-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/1692-7-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/1692-15-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E28339B-7A2A-47B6-AEB2-46BA53782379}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tata_1.dll	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe
File created	C:\Windows\SysWOW64\zrgc6.dll	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe
File created	C:\Windows\SysWOW64\dllcache\zrgc6.dll	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe
File created	C:\Windows\SysWOW64\zrgcm.dll	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\ = "BhoPlugin 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\TypeLib\ = "{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ = "EyeOnIE Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer\ = "TestAtl.ATlMy.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CurVer\ = "BhoPlugin.EyeOnIE.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\ = "EyeOnIE Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\zrgcm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR\ = "C:\\Windows\\System32"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\ = "{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\VersionIndependentProgID\ = "BhoPlugin.EyeOnIE"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32\ = "C:\\Windows\\SysWow64\\tata_1.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\CLSID\ = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\ = "testAtl 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\ = "EyeOnIE Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ = "IEyeOnIE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe
1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe
2328	rundll32.exe
2328	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 3944	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	88
PID 1692 wrote to memory of 3944	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	88
PID 1692 wrote to memory of 3944	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	88
PID 1692 wrote to memory of 2328	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	89
PID 1692 wrote to memory of 2328	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	89
PID 1692 wrote to memory of 2328	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	89
PID 1692 wrote to memory of 2112	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	95
PID 1692 wrote to memory of 2112	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	95
PID 1692 wrote to memory of 2112	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	95
PID 1692 wrote to memory of 4000	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	96
PID 1692 wrote to memory of 4000	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	96
PID 1692 wrote to memory of 4000	1692	a367de4bf7f4a5c1cfa7ac68dc6817b7.exe	96

C:\Users\Admin\AppData\Local\Temp\a367de4bf7f4a5c1cfa7ac68dc6817b7.exe
"C:\Users\Admin\AppData\Local\Temp\a367de4bf7f4a5c1cfa7ac68dc6817b7.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\System32\zrgcm.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3944
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 zrgc6.dll , InstallMyDll
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\System32\tata_1.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 375519961O57540.bat
  2⤵
  PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\375519961O57540.bat

Filesize
2KB

MD5
449d6daa27a54dc934f1d12563148cd5

SHA1
afdb6af0efb343e42b052fb1ba6c1b32718a7cf9

SHA256
407bfdc0d1d7b79cd5b13d5fbde8ac70ac493045fa5751e94fcf3a546ca34b40

SHA512
602e2d030c67542b73aa9c7875ae147ed9f4be55c1cc1d2fd374aca7b9eaac9bf1dba56165da5f7fe1fae68cdd5f738557b5d4e9f352759a71b2643188edf9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\57540.aqq

Filesize
170B

MD5
a432df2ba949ea77a98ffaef9205cf0a

SHA1
e74cdb5f9193de7fcd78cf3c0fb8e7363831ca1e

SHA256
225a477a4978036df0c20f41c72463711394df254e9ebeba3a51bd32ad8cb255

SHA512
e6fac1afe411dc6d6806a6b2e9c5f932586653d7116ecba2da3c3acee26161de88978835ccf6d5f9e7654cc0e9ecf554a8675612eb1c732faed174a141f33ff8

Download Submit
C:\Windows\SysWOW64\tata_1.dll

Filesize
32KB

MD5
7f4d22f6fa861d28bdcb2cce2dcb6cd7

SHA1
39bab326537d3a94ac67c20d6f3ce0d4814a55fa

SHA256
866a865934f9ef9f75125e4e03781ffc245c2e5d67fa2604b731fff185627cd2

SHA512
21ecd2b53eef9247ed19ced80b0d5aed1ac1ad1767b78504ad0e758ac19cb5175c76689b311f2b354195fda80bded72ca6deed89fd1d88ee4bbb286aab442bd9

Download Submit
C:\Windows\SysWOW64\zrgc6.dll

Filesize
124KB

MD5
1fb9c4c3b3be4255065167d457189af2

SHA1
a29328e1c31adfb92e2d56a4eb8ba4121cfe2568

SHA256
ecf71364c76b2960b1c0a432bcfba50cd9e43be9b6d51f7b6c6b70d0a0dfbc98

SHA512
38b974ae75490758780241473c5f98258516b4ce0f94b427a521a5e8c7f021ceaf2321bdd5e9bf3957c1623e8173f087aced466388d656af26d06930c95725eb

Download Submit
C:\Windows\SysWOW64\zrgcm.dll

Filesize
40KB

MD5
ca705ced50d4bbed8b2288ef472be488

SHA1
db27ff8c14a034d7e614d4614f559f64342c731d

SHA256
e1de97782a4be0cf90c721d31fb83e5b5b8eb0281bebfe1b26b6bed741a648e1

SHA512
8765b5984dfa84718f6f3a758168bd05549baced78b4cd649df16c5e367d3defb4e37ff7986131ad61b9673c8d95a50fe63eb73034144c56129e80381377dcf8

Download Submit
memory/1692-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download