Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2024 14:24
Static task: static1
Behavioral task: behavioral1
Sample: dbd8ec5e70e1558aeb912797c1bdd468.exe
Resource: win7-20240220-en
General
Target: dbd8ec5e70e1558aeb912797c1bdd468.exe
Size: 162KB
MD5: dbd8ec5e70e1558aeb912797c1bdd468
SHA1: 4d695f2f3522cccd6e0fc1ceeb26ca324a7149d4
SHA256: 3c843105721cc6080d7d3c68262ec3ce6f1402cc8e2e23705e7b8f843ef4e751
SHA512: d3467a8d833deff47a8cf660dcad0fe5550e793a3067885d3b1d9e2cf589760fe934b6058915b68c9f8bbd5774263995ba39cfd658958912a01866c6660cd3bb
SSDEEP: 3072:3FUJkZJIoBC3yMbBU4Is7Vga3lY3UW5c3Lc:3F2kZV43Flp7Vga3Cbeg
Malware Config
Signatures
Loads dropped DLL (4 IoCs)
pid | Process
2868 | rundll32.exe
2868 | rundll32.exe
2868 | rundll32.exe
2868 | rundll32.exe

Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4224271D-4751-463A-AD82-D94B7AD8EAFA} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\ = "HelloWorldBHO" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\NoExplorer = "1" | rundll32.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\tuvTkiIX.dll | dbd8ec5e70e1558aeb912797c1bdd468.exe
File opened for modification | C:\Windows\SysWOW64\tuvTkiIX.dll | dbd8ec5e70e1558aeb912797c1bdd468.exe

Modifies registry class (34 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\InprocServer32\ = "C:\\Windows\\SysWow64\\tuvTkiIX.dll" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96A68966-F439-4C66-8BFA-0967FACE4F7A}\1.0\FLAGS\ = "0" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\ProxyStubClsid32 | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\Version\ = "1.0" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96A68966-F439-4C66-8BFA-0967FACE4F7A}\1.0\0\win32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\TypeLib\Version = "1.0" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\TypeLib\Version = "1.0" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4224271D-4751-463A-AD82-D94B7AD8EAFA} | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\TypeLib | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\TypeLib\ = "{96A68966-F439-4C66-8BFA-0967FACE4F7A}" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\InprocServer32\ThreadingModel = "Apartment" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96A68966-F439-4C66-8BFA-0967FACE4F7A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\tuvTkiIX.dll" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96A68966-F439-4C66-8BFA-0967FACE4F7A}\1.0\HELPDIR | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\TypeLib | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\TypeLib\ = "{96A68966-F439-4C66-8BFA-0967FACE4F7A}" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\Programmable | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\InprocServer32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\Version | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4224271D-4751-463A-AD82-D94B7AD8EAFA}\ = "HelloWorldBHO Class" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\ = "IHelloWorldBHO" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\ProxyStubClsid32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\TypeLib | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96A68966-F439-4C66-8BFA-0967FACE4F7A} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96A68966-F439-4C66-8BFA-0967FACE4F7A}\1.0\ = "mainLib" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96A68966-F439-4C66-8BFA-0967FACE4F7A}\1.0\FLAGS | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\TypeLib\ = "{96A68966-F439-4C66-8BFA-0967FACE4F7A}" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\ = "IHelloWorldBHO" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39434AF1-56D9-448E-B4D0-272EB8F70B4F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96A68966-F439-4C66-8BFA-0967FACE4F7A}\1.0 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96A68966-F439-4C66-8BFA-0967FACE4F7A}\1.0\0 | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{96A68966-F439-4C66-8BFA-0967FACE4F7A}\1.0\HELPDIR\ = "C:\\Windows\\system32" | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2064 wrote to memory of 2868 | 2064 | dbd8ec5e70e1558aeb912797c1bdd468.exe | 28
PID 2064 wrote to memory of 2868 | 2064 | dbd8ec5e70e1558aeb912797c1bdd468.exe | 28
PID 2064 wrote to memory of 2868 | 2064 | dbd8ec5e70e1558aeb912797c1bdd468.exe | 28
PID 2064 wrote to memory of 2868 | 2064 | dbd8ec5e70e1558aeb912797c1bdd468.exe | 28
PID 2064 wrote to memory of 2868 | 2064 | dbd8ec5e70e1558aeb912797c1bdd468.exe | 28
PID 2064 wrote to memory of 2868 | 2064 | dbd8ec5e70e1558aeb912797c1bdd468.exe | 28
PID 2064 wrote to memory of 2868 | 2064 | dbd8ec5e70e1558aeb912797c1bdd468.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\dbd8ec5e70e1558aeb912797c1bdd468.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dbd8ec5e70e1558aeb912797c1bdd468.exe"
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2064
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 "C:\Windows\system32\tuvTkiIX.dll",DllInstall
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      PID: 2868
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 122KB
MD5: 52744fc03bffef46f8e5f89bfbaecdfc
SHA1: 00ebe8ad736eb4974a91df2e51cc743ad6386b35
SHA256: 4db3e242f891d7b174b1de6d45fdcf0da7895fd1f2ccc163db23426b0cafef3e
SHA512: 68451eeae399cecbe4d6e84567f08dcb22a000c07373a26b731fac1005774fc0c2a2163f693bbba134f8cd1d27e827316e61a96b6a097cb1c124540cb299e599