Analysis

max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 21-03-2024 15:23

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: dbf5ff8f0825d42b6e49f9499d17e320.dll
Resource: win7-20240221-en
3 signatures
150 seconds
General

Target: dbf5ff8f0825d42b6e49f9499d17e320.dll
Size: 522KB
MD5: dbf5ff8f0825d42b6e49f9499d17e320
SHA1: 7226c383cd9126f2e491004d49b544c53b2cd95e
SHA256: 7c8a2a6e3b4db09e1cbe5e686175eb15c8f17fdbea0f9c04a4b59156ff7132e8
SHA512: 8aa26f631cddafd6aa0282b688fb633b1d9aa69e394d9f3604c89781083d78de3d2dd39690f5bbc316c11db11c6790b459f4e0ef0270edec945c6a87dfea677a
SSDEEP: 6144:pW7T4W2Jf+FXgMOC9h/Yl+BFOou/BjWYvm/nSjQuuqz1zUuWO72p7Dl8Fih/060s:6cW2JiXgzC9hgl+Sqn7uuAwL9kih0ns
Malware Config

Signatures

Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{86EBD5B2-0796-49AD-AE08-846C3146D168} | regsvr32.exe

Modifies registry class (11 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\ProgID\ = "dbf5ff8f0825d42b6e49f9499d17e320.VeeQbain" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dbf5ff8f0825d42b6e49f9499d17e320.VeeQbain\ = "ExpBandse" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dbf5ff8f0825d42b6e49f9499d17e320.VeeQbain\Clsid\ = "{86EBD5B2-0796-49AD-AE08-846C3146D168}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\ = "ExpBandse" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86EBD5B2-0796-49AD-AE08-846C3146D168}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dbf5ff8f0825d42b6e49f9499d17e320.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dbf5ff8f0825d42b6e49f9499d17e320.VeeQbain | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dbf5ff8f0825d42b6e49f9499d17e320.VeeQbain\Clsid | regsvr32.exe

Suspicious use of WriteProcessMemory (7 IoCs)

description | pid | Process | procid_target
PID 2184 wrote to memory of 2220 | 2184 | regsvr32.exe | 28
PID 2184 wrote to memory of 2220 | 2184 | regsvr32.exe | 28
PID 2184 wrote to memory of 2220 | 2184 | regsvr32.exe | 28
PID 2184 wrote to memory of 2220 | 2184 | regsvr32.exe | 28
PID 2184 wrote to memory of 2220 | 2184 | regsvr32.exe | 28
PID 2184 wrote to memory of 2220 | 2184 | regsvr32.exe | 28
PID 2184 wrote to memory of 2220 | 2184 | regsvr32.exe | 28
Processes

1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dbf5ff8f0825d42b6e49f9499d17e320.dll
   PID: 2184
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (child process)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\dbf5ff8f0825d42b6e49f9499d17e320.dll
      PID: 2220
      - Installs/modifies Browser Helper Object
      - Modifies registry class