Analysis
max time kernel: 122s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2024 15:37
Static task: static1
Behavioral task: behavioral1
Sample: dbfc4cc4faf88548b3b1499ba78a324d.exe
Resource: win7-20240221-en
General
Target: dbfc4cc4faf88548b3b1499ba78a324d.exe
Size: 5KB
MD5: dbfc4cc4faf88548b3b1499ba78a324d
SHA1: ab4b4ebf19e75b8d6281797175a8ba976fc05207
SHA256: 1f135eeca52d2f7094f4caeada87fdf09e66227f0afc04a53ffb5ac498ed0e63
SHA512: c8af9c5c7923040ed1b5b7049b3710d6039a6635949e21aa4457b7b308ef2cd3fcd6b3f7bf83606846b640f26b6a507a3aafa4c35c1c3a15e4e71b4988217262
SSDEEP: 48:ZvtH9UKeRob1+HDlIzIZNRJmFCKB/x8HHAH7dhNAMoBAX:Z1deRoIHq8nRJmFCKB+n47hcK
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2616  cmd.exe

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description   ioc                                                                                                                    Process
  Key created   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects                                         regedit.exe
  Key created   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C613CE22-151C-4331-94FF-F113A153F66D}  regedit.exe
Modifies Internet Explorer settings
All keys in this table are under the prefix \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer; the ioc column gives the subkey relative to that prefix.
  description        ioc                                                                        Process
  Key created        \Toolbar\WebBrowser                                                        iexplore.exe
  Key created        \Main                                                                      IEXPLORE.EXE
  Set value (int)    \Recovery\PendingRecovery\AdminActive = "0"                                iexplore.exe
  Key created        \SearchScopes                                                              iexplore.exe
  Key created        \IETld\LowMic                                                              iexplore.exe
  Key created        \Main\WindowsSearch                                                        iexplore.exe
  Key created        \BrowserEmulation\LowMic                                                   iexplore.exe
  Key created        \GPU                                                                       iexplore.exe
  Key created        \Recovery\AdminActive                                                      iexplore.exe
  Set value (int)    \Recovery\AdminActive\{DDC3C501-E798-11EE-A4EE-CEEE273A2359} = "0"         iexplore.exe
  Set value (str)    \Main\WindowsSearch\Version = "WS not running"                             iexplore.exe
  Set value (str)    \Main\FullScreen = "no"                                                    iexplore.exe
  Key created        \Toolbar                                                                   iexplore.exe
  Key created        \Recovery\PendingRecovery                                                  iexplore.exe
  Set value (int)    \Recovery\PendingRecovery\AdminActive = "1"                                iexplore.exe
  Key created        \Main                                                                      iexplore.exe
  Key created        \InternetRegistry                                                          iexplore.exe
  Key created        \LowRegistry\DOMStorage                                                    iexplore.exe
  Key created        \LowRegistry\DontShowMeThisDialogAgain                                     iexplore.exe
  Key created        \Zoom                                                                      iexplore.exe
  Set value (int)    \Main\CompatibilityFlags = "0"                                             iexplore.exe
  Set value (data)   \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Set value (int)    \SearchScopes\DownloadRetries = "3"                                        iexplore.exe
  Key created        \DomainSuggestion                                                          iexplore.exe
  Key created        \IntelliForms                                                              iexplore.exe
  Key created        \LowRegistry                                                               iexplore.exe
  Key created        \PageSetup                                                                 iexplore.exe
  Set value (int)    \DomainSuggestion\NextUpdateDate = "417197292"                             iexplore.exe
Modifies registry class (5 IoCs)
  description       ioc                                                                                                              Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32                           regedit.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32\ = "error"               regedit.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}                                          regedit.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32                           regedit.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32\ = "c:\\sysdump.dll"     regedit.exe

Runs .reg file with regedit (2 IoCs)
  pid   Process
  544   regedit.exe
  2452  regedit.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  1948  iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  1948  iexplore.exe
  1948  iexplore.exe
  2968  IEXPLORE.EXE
  2968  IEXPLORE.EXE
  2968  IEXPLORE.EXE
  2968  IEXPLORE.EXE

Suspicious use of WriteProcessMemory (24 IoCs; each row below appears four times in the report)
  description                        pid   Process                               procid_target
  PID 2528 wrote to memory of 544    2528  dbfc4cc4faf88548b3b1499ba78a324d.exe  28
  PID 2528 wrote to memory of 1948   2528  dbfc4cc4faf88548b3b1499ba78a324d.exe  29
  PID 1948 wrote to memory of 2968   1948  iexplore.exe                          30
  PID 2528 wrote to memory of 2452   2528  dbfc4cc4faf88548b3b1499ba78a324d.exe  31
  PID 2528 wrote to memory of 2752   2528  dbfc4cc4faf88548b3b1499ba78a324d.exe  32
  PID 2528 wrote to memory of 2616   2528  dbfc4cc4faf88548b3b1499ba78a324d.exe  33
Processes
C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dbfc4cc4faf88548b3b1499ba78a324d.exe"
  PID: 2528
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regedit.exe
    command line: regedit -S c:\temp1.reg
    PID: 544
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    - Runs .reg file with regedit

  C:\Program Files\Internet Explorer\iexplore.exe
    command line: "C:\Program Files\Internet Explorer\iexplore.exe" %1
    PID: 1948
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2
      PID: 2968
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\regedit.exe
    command line: regedit -S c:\temp2.reg
    PID: 2452
    - Modifies registry class
    - Runs .reg file with regedit

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c c:\temp2.bat
    PID: 2752

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c c:\temp1.bat
    PID: 2616
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 67KB
MD5: 753df6889fd7410a2e9fe333da83a429
SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 60374d562a16f8d5812168604fd12e75
SHA1: 281a9000a90d7eeebcb6e4aec16668ca6247207d
SHA256: dc357924ddc494794ad72e54570bd3611693e2d21b1a30e6f4fdf5873be566f9
SHA512: 310bbbf71ba373d7d3a6ba79d9b43833e61edda8b456e66d2de3ee89c0a7cb3b6a9b37f17432fbd80840633e9119a84163d01f30605b15655825851eab2fbc71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 17c17e8f749c8dea56131422a8b02f0b
SHA1: 85e273b6d949b31bf36a378c0e627c016f9c3b50
SHA256: c0e5ffa7c8704166a5bbd5785034c65634646305ffda4bc728a69ce6c66009ca
SHA512: a07ff4fa2217f2a47ca9ce4d6742160b07aedde35cd30795700434e4d1ab8032c98f92de733f906453810cebcf28ffaa2624feb3dfee141023cb479a65159905

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: b5ff14b380e57ce662e27e431b761430
SHA1: dc5a796453d7ac57249231085419d8aae521d902
SHA256: 9f08f5f83cebefa2bb4d876c2c9d0205a9d74134ece14860bec2be164fed60b5
SHA512: 84de5dde0dbfe249430d8175385d1486b0232b76ece1ff1e88c83ba42fc586b39558fd8d16c626703a3dbfa0962193a886c87d4d64c59d30929c3b792d9cccea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 8909653820ca8b5598af545d60f2117c
SHA1: c6af8067ba34973398b2e984afda55aab6febfd1
SHA256: e56ef4421d1b7e27564b15291e59aa2f47f691a4650b6a4cdd54d865e0614d61
SHA512: 65c24bcee78c2faaea54b5fe29ce69301c703bc3d87d9780df0c5991e4ebe538275d9ec5198becf7e288be0def395bb96ad22fe1ec2482b61f0261f57bb30d0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 8060f1b7d4e2bbab30a1a182b7e2ba71
SHA1: 65f3ce8b8fe1a2e19054e6f2acdc429464f57d45
SHA256: 9c4a361a35dd6bdd36deed841b7d03c79df9ef708149d85e02c406f56368b8d0
SHA512: a86b508c0327b6ec4c39828597592329123f2871c3b1807629b26a6c779acc6dc69cbe2b04d16afe834d3e347bc37db7f925e80fc706d644b2e661d329622d2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: c2574589d9e99d7655c000e46ca2f7b9
SHA1: 514e73beeded71ca840097cef8bf564052e98224
SHA256: a0a3194c94c3acee79c771cf5563edc12bc4468c11788f57d406701123659697
SHA512: f77d8eb7ae26362c0dd199e9cb19b7bcaa110449285abc3d0e7eb6e3225f7e33d4a4a3f7ffaf680504e7e8999e1e82fd76aebd7730261aa1adf9645212568a83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 6f4fb96afdb439121bd6d676cb0f8056
SHA1: 9ad243b005b6c601cacecfcf9c0c66bc3e272422
SHA256: fb21e9925a1ef65d26ffba6860040a1916f9fb169fcf7a977c7fdc74b69cef94
SHA512: a347a0b03646e2c26b6bd83a77bd04e8f328fda560ad85aef14998229b0f4d8c6f212262ab038650ca3b84ab91e52cbd2b0a0340f0a4af6e4c7496a3236b1a8e

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 175KB
MD5: dd73cead4b93366cf3465c8cd32e2796
SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Filesize: 196B
MD5: 8888fe593e69fe3f4c48f6e207c42d79
SHA1: fc12cef7cb590481c312387af3dcef3436cca234
SHA256: 91805ee2ff3812326e4341b30676be14377442d65f5377fb14643a80b75ef264
SHA512: 4cecf7657ba257c172238a5ca67c998d85f94b2fac439da83a21a41161363d7bdab6b024c4000e46661bdbb0a3f7e87bd5a75a6d696c66c7f53cac770677f7e8

Filesize: 84B
MD5: b9975d30ddbd098a754312e16f744ec6
SHA1: 9d41e8816bf8f8aa48356c99af46e64947a0d2ef
SHA256: 6e4f3dd8bf9469f50bd04878da2bb005a9df85192a5c7428b4477cecbfd4747c
SHA512: 5bdca7782ebe7a2d919c7c096d0b2e9927c68044a5ca802ce7a43e6d4d62fda7b5d7620a1154e640c9946def1b13539a948a58bf13697f897748dc66e3406c02

Filesize: 4KB
MD5: f7982deb1be471edb1aef54b4bbaf109
SHA1: e44f8cedb550fe75510809c6181a609ad957c06b
SHA256: 011ab7c538a7581b0c327fbb9ca5bf578f266fec317af2a9286b5733d50a8e1c
SHA512: a89cb5f9939b66d881893b1ad94467d88d4af71541c57ec8cbad46f7023bf3ae4243459545f37946810a96aa81e68d67851b48857523433163aecceadcb80eac

Filesize: 435B
MD5: 492eb2c8ff983e87c95ca5a704c6f5b8
SHA1: 8677a4e0d606a526b1c90f180116dea7a6bcb0de
SHA256: 9f0388e16d77a4560acfe712ab8a8c6a171c5d369c4134cd3af9bec658bbd431
SHA512: ded2c5fa380fcfaa346dcb33a0775cc476ee7f152b0b54ed34b3e97958e200f1f9f01ed546adc2241d2462cfaf39e9e273eaba04cb2efcfbf7085ba9251acd6e

Filesize: 128B
MD5: 6fdc273e79d8888a813c762aa55edc39
SHA1: a3e72c4eaf143697e3c1a29c8b1c223c121e1d58
SHA256: e0eb2406ae229d4df0d3ff5bb8f9bd907aa947b51fdbb6bed1a3238852849f6c
SHA512: 370125ded5b43b67cfc8f28363086fc9b2c85c6fe53ab1e5e00281cf87292650b2abe7bf9420631ca405f4c7e213bed00c53432329cc5f7d6d1f615a02a1f253