Analysis
-
max time kernel
120s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
21-03-2024 17:26
Static task
static1
Behavioral task
behavioral1
Sample
dc3372438fc7fc937515502a43c267f8.exe
Resource
win7-20240221-en
General
-
Target
dc3372438fc7fc937515502a43c267f8.exe
-
Size
37KB
-
MD5
dc3372438fc7fc937515502a43c267f8
-
SHA1
0b3cf5d97cb60db988ab948c0a69ee892da22034
-
SHA256
d0fa2f18181e55b5f55e02e7b65759ceea3710db0a003a336968e205d808c2f5
-
SHA512
2fcad7ee797cd60f2c036848bbeacea8dd2e92ca45b43e7d2ab82cb9c3a99d33431cf06ceba03ec2e8b1d7061c90d44be1e8f181efecc5917649411c97e541a7
-
SSDEEP
768:nP1SA1xqvUc2ULaUN3/cEuGj3xhZiYPfQg:ndSA2vUnUHRWg
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid | Process
2604 | cmd.exe
-
Installs/modifies Browser Helper Object 2 TTPs 6 IoCs
BHOs are DLL modules that Internet Explorer loads as plugins at startup; registering one is a common persistence and traffic-interception technique. Here the sample registers a BHO named "Google Accelerator!" under the 32-bit (Wow6432Node) view and creates three further BHO keys that it never backs with a CLSID registration.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\ = "Google Accelerator!" | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FBEB472F-5293-428D-9ADF-BD6C17131EB7} | dc3372438fc7fc937515502a43c267f8.exe
-
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\googlece.dll | dc3372438fc7fc937515502a43c267f8.exe
File opened for modification | C:\Windows\SysWOW64\googlece.dll | dc3372438fc7fc937515502a43c267f8.exe
File created | C:\Windows\SysWOW64\sys.dat | dc3372438fc7fc937515502a43c267f8.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 2 IoCs
The value name under Internet Explorer\Main is padded with junk punctuation as logged; with the non-alphanumeric characters stripped it reads "Enable Browser Extensions", which is the setting that allows the BHO to load.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main | dc3372438fc7fc937515502a43c267f8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\@#$E$@#n%^a&^%b#$%l^%$e^& %^&B#$%r&^%o$%w@#$s^%$e&*r(*& &*E*^&x$^%t%$#e@#$n&^%s#%i*^o$%^n(&*s%^& = "yes" | dc3372438fc7fc937515502a43c267f8.exe
-
Modifies registry class 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7} | dc3372438fc7fc937515502a43c267f8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\ = "Google Accelerator!" | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32 | dc3372438fc7fc937515502a43c267f8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32\ = "%SystemRoot%\\SysWow64\\googlece.dll" | dc3372438fc7fc937515502a43c267f8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32\ThreadingModel = "Apartment" | dc3372438fc7fc937515502a43c267f8.exe
-
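The registry signatures above describe a complete BHO persistence chain: a CLSID whose InProcServer32 points at a DLL the same process just dropped into SysWOW64, then a Browser Helper Objects key naming that CLSID, plus the junk-padded "Enable Browser Extensions" value. A hunt should correlate those steps rather than alert on any single key. The following Python is an added example, not part of the report or the sandbox's own signature logic: it parses the IoC lines from this report (copied inline as the constructed sample input), links each BHO CLSID to its InProcServer32 DLL and to the file-creation events of the registering process, and strips the junk characters from the Internet Explorer value name. It assumes the default `C:\Windows` system root when expanding `%SystemRoot%` and that the report doubles backslashes inside string values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the registry and file IoC lines copied from the
# report above, one event per line in the report's "description ioc Process" form.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects dc3372438fc7fc937515502a43c267f8.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} dc3372438fc7fc937515502a43c267f8.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} dc3372438fc7fc937515502a43c267f8.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} dc3372438fc7fc937515502a43c267f8.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FBEB472F-5293-428D-9ADF-BD6C17131EB7} dc3372438fc7fc937515502a43c267f8.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\ = "Google Accelerator!" dc3372438fc7fc937515502a43c267f8.exe
File created C:\Windows\SysWOW64\googlece.dll dc3372438fc7fc937515502a43c267f8.exe
File opened for modification C:\Windows\SysWOW64\googlece.dll dc3372438fc7fc937515502a43c267f8.exe
File created C:\Windows\SysWOW64\sys.dat dc3372438fc7fc937515502a43c267f8.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32 dc3372438fc7fc937515502a43c267f8.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32\ = "%SystemRoot%\\SysWow64\\googlece.dll" dc3372438fc7fc937515502a43c267f8.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32\ThreadingModel = "Apartment" dc3372438fc7fc937515502a43c267f8.exe
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main dc3372438fc7fc937515502a43c267f8.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\@#$E$@#n%^a&^%b#$%l^%$e^& %^&B#$%r&^%o$%w@#$s^%$e&*r(*& &*E*^&x$^%t%$#e@#$n&^%s#%i*^o$%^n(&*s%^& = "yes" dc3372438fc7fc937515502a43c267f8.exe
"""

# One report line: <operation> <path>[ = "<value>"] <process image name>.
EVENT_RE = re.compile(
    r'^(?P<op>Key created|File created|File opened for modification|Set value \(str\)) '
    r'(?P<path>.+?)(?: = "(?P<value>.*)")? (?P<proc>\S+)$'
)
BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})", re.IGNORECASE)
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32\\$", re.IGNORECASE)
IE_MAIN = "\\Software\\Microsoft\\Internet Explorer\\Main\\"


@dataclass
class Event:
    op: str
    path: str
    value: Optional[str]
    proc: str


@dataclass
class Finding:
    clsid: str
    display_name: Optional[str]
    server_dll: Optional[str]    # resolved InProcServer32 path, None if never registered
    dropped_by_registrant: bool  # the process registering the BHO also created that DLL
    proc: str


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparsed event line: {line!r}")
        events.append(Event(m["op"], m["path"], m["value"], m["proc"]))
    return events


def resolve_server_path(value: str) -> str:
    # The report doubles backslashes inside string values; undo that, then expand
    # %SystemRoot% the way the loader would (assumes the default C:\Windows install).
    return value.replace("\\\\", "\\").replace("%SystemRoot%", "C:\\Windows")


def find_bho_persistence(events: List[Event]) -> List[Finding]:
    inproc: Dict[str, str] = {}        # CLSID -> server DLL
    names: Dict[str, str] = {}         # CLSID -> BHO display name
    created: Dict[str, Set[str]] = {}  # process -> files it created (lower-cased)
    bho_owner: Dict[str, str] = {}     # CLSID -> process that registered the BHO key
    for e in events:
        if e.op == "File created":
            created.setdefault(e.proc, set()).add(e.path.lower())
        m = INPROC_RE.search(e.path)
        if m and e.value is not None:
            inproc[m.group(1).upper()] = resolve_server_path(e.value)
        m = BHO_RE.search(e.path)
        if m:
            clsid = m.group(1).upper()
            bho_owner.setdefault(clsid, e.proc)
            if e.value is not None and e.path.upper().endswith(clsid + "\\"):
                names[clsid] = e.value
    findings = []
    for clsid, proc in bho_owner.items():
        dll = inproc.get(clsid)
        # NTFS paths are case-insensitive, so compare lower-cased.
        dropped = dll is not None and dll.lower() in created.get(proc, set())
        findings.append(Finding(clsid, names.get(clsid), dll, dropped, proc))
    return findings


def strip_junk(value_name: str) -> str:
    # Drop every character except letters, digits and spaces, then collapse space runs.
    return re.sub(r" +", " ", re.sub(r"[^A-Za-z0-9 ]", "", value_name)).strip()


def ie_setting_changes(events: List[Event]) -> List[Tuple[str, str]]:
    out = []
    for e in events:
        if e.value is not None and IE_MAIN in e.path:
            out.append((strip_junk(e.path.rsplit("\\", 1)[1]), e.value))
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in find_bho_persistence(evs):
        print(f)
    print(ie_setting_changes(evs))
```

On this report the only BHO whose CLSID resolves is {FBEB472F-...}, and its DLL is one the registering process created moments earlier, which is the high-confidence signal; the other three BHO keys have no server registration at all and are worth a second look but would not load anything.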
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2476 wrote to memory of 2604 | 2476 | dc3372438fc7fc937515502a43c267f8.exe | 27
PID 2476 wrote to memory of 2604 | 2476 | dc3372438fc7fc937515502a43c267f8.exe | 27
PID 2476 wrote to memory of 2604 | 2476 | dc3372438fc7fc937515502a43c267f8.exe | 27
PID 2476 wrote to memory of 2604 | 2476 | dc3372438fc7fc937515502a43c267f8.exe | 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe" (level 1)
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C sys.bat (level 2; the 32-bit parent asked for System32\cmd.exe and WOW64 file-system redirection resolved it to the SysWOW64 copy)
- Deletes itself
PID:2604
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
108B
MD5 2c395208e1b09d968e92510f1e9e0b4d
SHA1 78854688ebd2b36b92a74911e586ac5dc259c829
SHA256 49b705215361a2309143ac44d14149f9b3eb73efe444c44e7a30a393f5c74109
SHA512 3e0614a145eaba1fa458a57ed7d03cbd56643f68469a6c4fb52d4a9e812b4dc4f6c220104af40b0237aaaa852b4e285d6c3d013253377e2f1981b53d554d87e2