Report tabs (the leading digit on each original entry appears to be the page's per-task score badge; the garbled filename has been restored from the task list below):
- Static: 7
- PersonalAssist.exe (windows7-x64): 7
- PersonalAssist.exe (windows10-2004-x64): 1
- RageDistrictInfo.exe (windows7-x64): 1
- RageDistrictInfo.exe (windows10-2004-x64): 1
- RageFunFont.exe (windows7-x64): 1
- RageFunFont.exe (windows10-2004-x64): 1
- RageIE.exe (windows7-x64): 1
- RageIE.exe (windows10-2004-x64): 1
- accon.dll (windows7-x64): 1
- accon.dll (windows10-2004-x64): 1
- default.htm (windows7-x64): 1
- default.htm (windows10-2004-x64): 1
- 非常世纪资源网.url (windows7-x64): 1
- 非常世纪资源网.url (windows10-2004-x64): 1
Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/02/2024, 01:58
Behavioral task
behavioral1
Sample
PersonalAssist.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
PersonalAssist.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
RageDistrictInfo.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
RageDistrictInfo.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
RageFunFont.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
RageFunFont.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
RageIE.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
RageIE.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
accon.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
accon.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
default.htm
Resource
win7-20240220-en
Behavioral task
behavioral12
Sample
default.htm
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
非常世纪资源网.url
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
非常世纪资源网.url
Resource
win10v2004-20240226-en
General
-
Target
accon.dll
-
Size
263KB
-
MD5
540c27f32780b39d662e6c85ce01920c
-
SHA1
d1e7776e8b81bba090c1f8b1cb345fa0e96a9e9f
-
SHA256
a9d217fad095ece2ef5a742e6f41019b0728e6a8201339e8d1feab62641a555d
-
SHA512
23778f447b24077c05ce75df749d5950890018175e7fdf40a1c51641f50a1f57e0024d034fa2c8676dee60de58616e444f2acf81228b7c1c6b2a5cfa42bfbf79
-
SSDEEP
6144:V77buYanvMskYQqtapQ6me++KrYJx6t715EGrMw3d7+WF/luBQ:V/buYqNk9VReMx6x155dqyb
Malware Config
Signatures
-
Modifies registry class 64 IoCs
Reading of the 64 IoCs listed below: every key is written by regsvr32.exe and together they form an ordinary COM/ActiveX registration of accon.dll — CLSID {90255C53-29A3-4D37-944D-481764B00156} (ProgID BannerSoft_ADProj1.BannerSoft_AD, display name "BannerSoft_AD Control", with Control, MiscStatus, Verb and ToolboxBitmap32 subkeys, i.e. an ActiveX control), TypeLib {B40DD0A8-002C-4931-8402-98342047F623} ("BannerSoft_ADProj1 Library"), and the interfaces IBannerSoft_AD, IActiveFormX and IActiveFormXEvents. The IActiveFormX/IActiveFormXEvents names are consistent with a Delphi ActiveForm-style control, and the ProxyStubClsid32 values {00020420-…} / {00020424-…} are the stock PSDispatch / PSOAInterface marshalers, so no custom proxy/stub DLL is registered. In this listing the CLSID and its InprocServer32 appear only under WOW6432Node, so the DLL is being registered as a 32-bit in-process server on the x64 guest. Note that InprocServer32, the TypeLib win32 path and HELPDIR all point into C:\Users\Admin\AppData\Local\Temp\ — the sandbox's submission directory — so these paths are an artifact of how the sample was run, not necessarily where it would live on a victim host. Registration by itself is not evidence of malicious behaviour (legitimate ActiveX controls produce exactly these keys), but a COM server whose InprocServer32 resolves to a user-writable path is worth hunting for on real hosts, e.g. `reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\InprocServer32"`.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ = "IBannerSoft_AD" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ToolboxBitmap32\ = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll,1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ = "BannerSoft_AD Control" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ToolboxBitmap32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\FLAGS\ = "2" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32\ = 
"{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ = "IActiveFormX" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\Clsid regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Verb regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ = "IActiveFormX" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD\Clsid\ = "{90255C53-29A3-4D37-944D-481764B00156}" regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\ProgID\ = "BannerSoft_ADProj1.BannerSoft_AD" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\MiscStatus\1\ = "205201" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\accon.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90255C53-29A3-4D37-944D-481764B00156}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib regsvr32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6031B841-D2D7-47D5-AAC1-BFEF3CBE453A}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\ = "IActiveFormXEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34851E9C-FF2A-4A6D-A71E-FDADE9533840}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BannerSoft_ADProj1.BannerSoft_AD regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B40DD0A8-002C-4931-8402-98342047F623}\1.0\ = "BannerSoft_ADProj1 Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80C02B16-4AEE-49D4-A2D6-C957E7123FEE}\TypeLib\ = "{B40DD0A8-002C-4931-8402-98342047F623}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83491CAB-2349-4107-85BF-4C42A06A0E89}\TypeLib regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Columns: description, pid, Process, procid_target
- PID 4164 wrote to memory of 2340 — pid 4164, process regsvr32.exe, procid_target 86
- PID 4164 wrote to memory of 2340 — pid 4164, process regsvr32.exe, procid_target 86
- PID 4164 wrote to memory of 2340 — pid 4164, process regsvr32.exe, procid_target 86
Caveat: all three entries are the same regsvr32.exe parent (PID 4164) writing into a single child (PID 2340). Taken together with the registry IoCs above, where the CLSID lands only under WOW6432Node (a 32-bit DLL), the most plausible explanation is the normal behaviour of 64-bit regsvr32.exe relaunching its SysWOW64 counterpart to register a 32-bit DLL — the parent-to-child writes that happen at process creation are what this signature keys on — rather than injection into an unrelated process. Before treating this as an injection indicator, confirm from the process tree that PID 2340's image is C:\Windows\SysWOW64\regsvr32.exe and that its command line references accon.dll; the report as shown here does not name the target process.