Analysis

max time kernel: 144s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2024 16:33

Static task static1: 1 signatures
Behavioral task behavioral1: sample dc190e078bbd76c0635b415325d93067.dll, resource win7-20240221-en, 1 signatures, 150 seconds
General

Target: dc190e078bbd76c0635b415325d93067.dll
Size: 172KB
MD5: dc190e078bbd76c0635b415325d93067
SHA1: 061dc1a3c3391563b6cfcfe251077dbc311cd186
SHA256: 5c0219ee2ef3da0d3399d7b85522e5682b1d742548f078804d2bc63063669bf5
SHA512: d8f7c40c8d67d9913152e17bc26d9c70136861b1ab75485a925d091d88b340982983cfb35f2bb8ad35180a0a5e9b7e92ea8e610482a807d2ed289b5fe65c900c
SSDEEP: 1536:NX0vHiJ6zFzUAMAKGe94MCsnn6NyDClbRW9Z/DxfbG+SwVol:6viJgUTAFe94jslDC3+Z/FfFt
Malware Config
Signatures
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules that Internet Explorer loads in-process as plugins. Every CLSID listed under the Browser Helper Objects key is loaded when IE starts, so writing a new entry there is a persistence mechanism. Both keys below sit under WOW6432Node, the 32-bit registry view, so the registration applies to 32-bit IE and was performed by the 32-bit rundll32.exe (PID 1004).

description     | ioc                                                                                                                                                          | Process
Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}                      | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}\ = "{c4405561-a3f4-4ffa-6b64-22486c38b1ca}" | rundll32.exe

Modifies registry class (4 IoCs)
The CLSID registered as the BHO is given an InprocServer32 whose default value is the sample itself, still sitting in the user's %TEMP% directory. That path is the indicator to hunt for: a legitimately installed COM server points into Program Files or a system directory, not a user-writable temp folder.

description     | ioc                                                                                                                                                          | Process
Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}                                                                    | rundll32.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}\InprocServer32                                                     | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dc190e078bbd76c0635b415325d93067.dll" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}\InprocServer32\ThreadingModel = "Both"                             | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
All three writes go from the 64-bit rundll32.exe (PID 1844) into its own child, the 32-bit rundll32.exe (PID 1004), at the time the child is created. Parent-to-child writes during process creation are the expected pattern for that hand-off and are not, on their own, evidence of injection into a third process.

description                       | pid  | Process      | procid_target
PID 1844 wrote to memory of 1004  | 1844 | rundll32.exe | 87
PID 1844 wrote to memory of 1004  | 1844 | rundll32.exe | 87
PID 1844 wrote to memory of 1004  | 1844 | rundll32.exe | 87
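To turn the two registry signatures above into a reusable check, the script below (an added example, not part of the sandbox report or of the sample) correlates every Browser Helper Objects entry with the InprocServer32 default value of the same CLSID and flags the registration when the resolved DLL lives in a user-writable location. The event strings are copied from the report's tables; the two CONSTRUCTED_BENIGN_EVENTS entries, the ExampleVendor path and the all-ones GUID are made up to show a registration that is not flagged.

```python
"""Correlate BHO registrations with the COM class they point at.

Added example, not code from the sandbox report. The REPORT_EVENTS strings
are the report's own registry IoCs; CONSTRUCTED_BENIGN_EVENTS is invented.
"""
import re

# Registry IoCs exactly as the report lists them. Raw strings keep the
# report's doubled backslashes inside quoted values intact.
REPORT_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}\ = "{c4405561-a3f4-4ffa-6b64-22486c38b1ca}"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}\InprocServer32',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dc190e078bbd76c0635b415325d93067.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ac1b83c6-8422-46b6-aff4-4f3a1655044c}\InprocServer32\ThreadingModel = "Both"',
]

# Constructed (hypothetical) events: a 64-bit BHO whose server lives under
# Program Files, i.e. what a vendor-installed plugin would look like.
CONSTRUCTED_BENIGN_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\ = "C:\\Program Files\\ExampleVendor\\ieplugin.dll"',
]

GUID = r"(\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\})"
BHO_KEY = re.compile(r"\\Explorer\\Browser Helper Objects\\" + GUID, re.IGNORECASE)
INPROC_DEFAULT = re.compile(r"\\CLSID\\" + GUID + r'\\InprocServer32\\ = "(.+)"$', re.IGNORECASE)
# Locations a standard user can write to. A COM server loaded from one of
# these is the signal worth alerting on; the list is an assumption, extend it.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)


def unescape_value(value):
    """Undo the report's doubling of backslashes inside quoted values."""
    return value.replace("\\\\", "\\")


def analyze(events):
    """Return one finding per BHO CLSID: bitness, resolved DLL path, verdict."""
    bhos = {}     # clsid -> "x86" (WOW6432Node view) or "x64"
    servers = {}  # clsid -> InprocServer32 default value (DLL path)
    for ev in events:
        m = BHO_KEY.search(ev)
        if m:
            bhos[m.group(1).lower()] = "x86" if "wow6432node" in ev.lower() else "x64"
        m = INPROC_DEFAULT.search(ev)
        if m:
            servers[m.group(1).lower()] = unescape_value(m.group(2))

    findings = []
    for clsid, bitness in bhos.items():
        dll = servers.get(clsid)
        if dll is None:
            verdict = "unresolved"  # BHO entry with no CLSID server seen in these events
        elif USER_WRITABLE.match(dll):
            verdict = "suspicious"  # IE would load code from a user-writable path
        else:
            verdict = "review"      # ordinary location, but still a newly added BHO
        findings.append({"clsid": clsid, "bitness": bitness, "dll": dll, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in analyze(REPORT_EVENTS + CONSTRUCTED_BENIGN_EVENTS):
        print(f"{f['verdict']:<10} {f['bitness']} {f['clsid']} -> {f['dll']}")
```

Run against the report's events the sample's CLSID comes back as suspicious/x86 with the %TEMP% DLL path, while the constructed Program Files registration is only marked for review. On a live host the same correlation can be done by reading both the native and the WOW6432Node views of the Browser Helper Objects and CLSID keys.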
Processes

C:\Windows\system32\rundll32.exe (PID 1844)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc190e078bbd76c0635b415325d93067.dll,#1
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 1004, child of 1844)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc190e078bbd76c0635b415325d93067.dll,#1
    signatures: Installs/modifies Browser Helper Object; Modifies registry class

The ",#1" argument tells rundll32 to call the DLL's export at ordinal 1 rather than a named entry point. The 64-bit rundll32 launched from system32 cannot load a 32-bit DLL in-process, so it re-launches the SysWOW64 copy, which is where the registry writes actually happen; that matches the keys landing under WOW6432Node.