Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 21-03-2024 17:26
Static task: static1
Behavioral task: behavioral1
Sample: dc3372438fc7fc937515502a43c267f8.exe
Resource: win7-20240221-en
General
Target: dc3372438fc7fc937515502a43c267f8.exe
Size: 37KB
MD5: dc3372438fc7fc937515502a43c267f8
SHA1: 0b3cf5d97cb60db988ab948c0a69ee892da22034
SHA256: d0fa2f18181e55b5f55e02e7b65759ceea3710db0a003a336968e205d808c2f5
SHA512: 2fcad7ee797cd60f2c036848bbeacea8dd2e92ca45b43e7d2ab82cb9c3a99d33431cf06ceba03ec2e8b1d7061c90d44be1e8f181efecc5917649411c97e541a7
SSDEEP: 768:nP1SA1xqvUc2ULaUN3/cEuGj3xhZiYPfQg:ndSA2vUnUHRWg
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | dc3372438fc7fc937515502a43c267f8.exe
Installs/modifies Browser Helper Object (2 TTPs, 5 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F05A0613-E859-45C1-9F62-5442D8CE0F9D} | dc3372438fc7fc937515502a43c267f8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\ = "Google Accelerator!" | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | dc3372438fc7fc937515502a43c267f8.exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\sys.dat | dc3372438fc7fc937515502a43c267f8.exe
File created | C:\Windows\SysWOW64\googlece.dll | dc3372438fc7fc937515502a43c267f8.exe
File opened for modification | C:\Windows\SysWOW64\googlece.dll | dc3372438fc7fc937515502a43c267f8.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | dc3372438fc7fc937515502a43c267f8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\@#$E$@#n%^a&^%b#$%l^%$e^& %^&B#$%r&^%o$%w@#$s^%$e&*r(*& &*E*^&x$^%t%$#e@#$n&^%s#%i*^o$%^n(&*s%^& = "yes" | dc3372438fc7fc937515502a43c267f8.exe
The value name is recorded with junk punctuation interleaved; keeping only its letters and spaces yields "Enable Browser Extensions", the IE\Main value behind Internet Options > Advanced > "Enable third-party browser extensions", which must be "yes" for a BHO such as the one registered above to load. When hunting, search for both the literal obfuscated name and the decoded one.
Modifies registry class (6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\ = "Google Accelerator!" | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\InProcServer32 | dc3372438fc7fc937515502a43c267f8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\InProcServer32\ = "%SystemRoot%\\SysWow64\\googlece.dll" | dc3372438fc7fc937515502a43c267f8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\InProcServer32\ThreadingModel = "Apartment" | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID | dc3372438fc7fc937515502a43c267f8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D} | dc3372438fc7fc937515502a43c267f8.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3228 wrote to memory of 1916 | 3228 | dc3372438fc7fc937515502a43c267f8.exe | 89
PID 3228 wrote to memory of 1916 | 3228 | dc3372438fc7fc937515502a43c267f8.exe | 89
PID 3228 wrote to memory of 1916 | 3228 | dc3372438fc7fc937515502a43c267f8.exe | 89
PID 1916 is the cmd.exe child listed under Processes, so these writes coincide with the sample creating that child rather than with injection into an unrelated process.
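The signature tables above show a BHO install in three pieces: the Browser Helper Objects key, the CLSID\InProcServer32 entry that points at the dropped DLL, and the IE\Main switch that lets extensions load. As an added example, not part of this report or of the sample, the Python below joins those pieces from a constructed copy of the report's registry and file events: it lists which BHO CLSIDs actually have a COM server registered, checks whether that server is a file the sample dropped, and decodes the obfuscated IE value name. The (op, key, value_name, data) tuple layout, the function names and the expansion of %SystemRoot% to C:\Windows are assumptions of the example, not the sandbox's export format.

```python
"""Join the registry and file IoCs of a sandbox report into a BHO triage summary.

Added example, not part of the sandbox report or of the sample. The event
tuples are constructed from the IoCs in the report (key paths, value names and
data copied from it); the tuple layout, the %SystemRoot% expansion and the
function names are assumptions of this example.
"""
import re
from collections import defaultdict

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
SID = "S-1-5-21-566096764-1992588923-1249862864-1000"
BHO_ROOT = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
            r"\CurrentVersion\Explorer\Browser Helper Objects")
CLSID_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID"
IE_MAIN = "\\REGISTRY\\USER\\" + SID + r"\SOFTWARE\Microsoft\Internet Explorer\Main"
G1 = "{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}"
G2 = "{F05A0613-E859-45C1-9F62-5442D8CE0F9D}"
G3 = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"
SERVER = CLSID_ROOT + "\\" + G2 + r"\InProcServer32"
# Value name exactly as the report records it under IE\Main.
OBFUSCATED_NAME = ("@#$E$@#n%^a&^%b#$%l^%$e^& %^&B#$%r&^%o$%w@#$s^%$e&*r(*& "
                   "&*E*^&x$^%t%$#e@#$n&^%s#%i*^o$%^n(&*s%^&")

# Constructed from the report: (operation, key, value name, data). An empty
# value name is the key's default value (the trailing "\" in the report);
# None means the operation carries no value.
REGISTRY_EVENTS = [
    ("Key created", BHO_ROOT + "\\" + G1, None, None),
    ("Key created", BHO_ROOT + "\\" + G2, None, None),
    ("Set value (str)", BHO_ROOT + "\\" + G2, "", "Google Accelerator!"),
    ("Key created", BHO_ROOT, None, None),
    ("Key created", BHO_ROOT + "\\" + G3, None, None),
    ("Set value (str)", CLSID_ROOT + "\\" + G2, "", "Google Accelerator!"),
    ("Key created", SERVER, None, None),
    ("Set value (str)", SERVER, "", r"%SystemRoot%\SysWow64\googlece.dll"),
    ("Set value (str)", SERVER, "ThreadingModel", "Apartment"),
    ("Key created", CLSID_ROOT + "\\" + G2, None, None),
    ("Key created", IE_MAIN, None, None),
    ("Set value (str)", IE_MAIN, OBFUSCATED_NAME, "yes"),
]
# Constructed from the report's "Drops file in System32 directory" rows.
DROPPED_FILES = [r"C:\Windows\SysWOW64\sys.dat", r"C:\Windows\SysWOW64\googlece.dll"]


def summarize_bhos(events, dropped_files, system_root=r"C:\Windows"):
    """Join BHO registrations with their CLSID\\InProcServer32 entries.

    Returns one dict per BHO CLSID, in creation order, flagging whether a COM
    server is registered for it and whether that DLL is a file the sample dropped.
    """
    bhos = {}                    # CLSID -> display name (default value) or None
    servers = defaultdict(dict)  # CLSID -> {"dll": ..., "threading": ...}
    for op, key, name, data in events:
        m = GUID_RE.search(key)
        if not m:
            continue
        clsid = m.group(0).upper()
        low = key.lower()
        if low.startswith(BHO_ROOT.lower()):
            bhos.setdefault(clsid, None)
            if op.startswith("Set value") and name == "":
                bhos[clsid] = data
        elif low.startswith(CLSID_ROOT.lower()) and low.endswith(r"\inprocserver32"):
            if op.startswith("Set value") and name == "":
                servers[clsid]["dll"] = data
            elif op.startswith("Set value") and name.lower() == "threadingmodel":
                servers[clsid]["threading"] = data
    dropped = {p.lower() for p in dropped_files}
    summary = []
    for clsid, display_name in bhos.items():
        srv = servers.get(clsid, {})
        dll = srv.get("dll")
        # Assumption: %SystemRoot% is C:\Windows on the sandbox VM.
        resolved = dll.replace("%SystemRoot%", system_root).lower() if dll else None
        summary.append({
            "clsid": clsid,
            "name": display_name,
            "dll": dll,
            "threading": srv.get("threading"),
            "dll_dropped_by_sample": resolved in dropped,
        })
    return summary


def deobfuscate_value_name(name):
    """Drop the punctuation interleaved in the value name; letters and spaces remain."""
    return re.sub(r"[^A-Za-z ]", "", name)


def ie_extension_setting(events):
    """Return (decoded value name, data) written under IE's Main key, or None."""
    for op, key, name, data in events:
        if key.lower() == IE_MAIN.lower() and op.startswith("Set value") and name:
            return deobfuscate_value_name(name), data
    return None


if __name__ == "__main__":
    for entry in summarize_bhos(REGISTRY_EVENTS, DROPPED_FILES):
        print(entry)
    print(ie_extension_setting(REGISTRY_EVENTS))
```

Run against the report's events, only {F05A0613-E859-45C1-9F62-5442D8CE0F9D} comes back with a name, a server DLL and a ThreadingModel, and its DLL resolves to the googlece.dll the sample dropped; the other two BHO CLSIDs are created without any CLSID registration in this report, so they would not load anything on their own and are worth checking against a clean baseline before treating them as additional components.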
Processes
1. C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe (PID 3228)
   Command line: "C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe"
   - Checks computer location settings
   - Installs/modifies Browser Helper Object
   - Drops file in System32 directory
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 1916), child of PID 3228
      Command line: "C:\Windows\System32\cmd.exe" /C sys.bat
The child's command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process (its HKLM writes land under WOW6432Node), so WOW64 file system redirection maps its System32 reference to SysWOW64. sys.bat is referenced by a relative path and is not listed by name anywhere in this report.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 108B
MD5: 2c395208e1b09d968e92510f1e9e0b4d
SHA1: 78854688ebd2b36b92a74911e586ac5dc259c829
SHA256: 49b705215361a2309143ac44d14149f9b3eb73efe444c44e7a30a393f5c74109
SHA512: 3e0614a145eaba1fa458a57ed7d03cbd56643f68469a6c4fb52d4a9e812b4dc4f6c220104af40b0237aaaa852b4e285d6c3d013253377e2f1981b53d554d87e2