Analysis
-
max time kernel
145s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
21-03-2024 15:58
Behavioral task
behavioral1
Sample
dc07aa6a5860d01e7886cc035768c025.dll
Resource
win7-20240221-en
4 signatures
150 seconds
General
-
Target
dc07aa6a5860d01e7886cc035768c025.dll
-
Size
13KB
-
MD5
dc07aa6a5860d01e7886cc035768c025
-
SHA1
c24faef233262ba8ccec0dd4d51a08c798be4961
-
SHA256
116d6d4b6c6b005e89a98a07325cb897a648e1461c8fbb8d98154f1ed3feb0d9
-
SHA512
74336720e7272cabea71b219f3ae2efc9ad382b2df532fd1d85d3c1c1c69d2bac018c95d34d7934074df2611db9544f76268449e49ee2a085bf600c348b2ccb1
-
SSDEEP
192:PAFaZpZpOPkWFuFZwc0f56AbLpWCxH1eXZrWLA:PAFaZ3pOPhFuFqf56AhJxHQXZ
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4668-0-0x0000000010000000-0x000000001000B000-memory.dmp upx -
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28F51CDA-3BD1-4F06-8F7B-2A881411983F} regsvr32.exe -
Modifies registry class 60 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\ = "BhoApp Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\ = "BhoApp Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1\ = "BhoApp Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CurVer\ = "BhoNew.BhoApp.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\ProgID\ = "BhoNew.BhoApp.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\VersionIndependentProgID\ = "BhoNew.BhoApp" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dc07aa6a5860d01e7886cc035768c025.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DC07AA~1.DLL" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ = "IBhoApp" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CLSID\ = "{28F51CDA-3BD1-4F06-8F7B-2A881411983F}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp.1\CLSID\ = "{28F51CDA-3BD1-4F06-8F7B-2A881411983F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ = "IBhoApp" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.BhoApp\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F51CDA-3BD1-4F06-8F7B-2A881411983F}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1636 wrote to memory of 4668 1636 regsvr32.exe 95 PID 1636 wrote to memory of 4668 1636 regsvr32.exe 95 PID 1636 wrote to memory of 4668 1636 regsvr32.exe 95
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\dc07aa6a5860d01e7886cc035768c025.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\dc07aa6a5860d01e7886cc035768c025.dll2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:4668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1384 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:81⤵PID:5004