Analysis
max time kernel: 93s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2024 18:29
Static task: static1
Behavioral task: behavioral1
Sample: dc50efff91d40071e26ffb7491605844.exe
Resource: win7-20240220-en
General
Target: dc50efff91d40071e26ffb7491605844.exe
Size: 279KB
MD5: dc50efff91d40071e26ffb7491605844
SHA1: 7f565f4edb087f14852ebfb697daf7a7b3766565
SHA256: a5edeb3512a3d9cad63a6ada9266e2638dc9f5db18801f90e1ccf733515ca685
SHA512: b8901e6cb24d0aa1b08daa7415386015a80c6754a37c961e92e6f4c0c1ef90f391df9734f850254a842aaa9690ae273973c58dcd18849345c60e8ab5c8f4150d
SSDEEP: 6144:HfMH+yONBB6VD9WMkZPQpK2Vxls0U3C4lEMjXFjaBJyepCIyscYcOWvDSloXTC:Hf19+WMkNoVxHU3zqMzFSyepXpFWv2SG
Malware Config
Signatures
Loads dropped DLL (2 IoCs)
pid | Process
3404 | Regsvr32.exe
3404 | Regsvr32.exe

Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C68B0149-C717-4041-BF00-C21569B97019} | Regsvr32.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\windownewsups.ini | dc50efff91d40071e26ffb7491605844.exe
File created | C:\Windows\SysWOW64\dpahbzgbnuchd.dll | dc50efff91d40071e26ffb7491605844.exe

Modifies registry class (11 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019} | Regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\InprocServer32\ = "C:\\Windows\\SysWow64\\dpahbzgbnuchd.dll" | Regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dpahbzgbnuchd.IEExtend\Clsid\ = "{C68B0149-C717-4041-BF00-C21569B97019}" | Regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\ProgID\ = "dpahbzgbnuchd.IEExtend" | Regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dpahbzgbnuchd.IEExtend\Clsid | Regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\ProgID | Regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\ | Regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\InprocServer32 | Regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C68B0149-C717-4041-BF00-C21569B97019}\InprocServer32\ThreadingModel = "Apartment" | Regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dpahbzgbnuchd.IEExtend | Regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dpahbzgbnuchd.IEExtend\ | Regsvr32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 956 wrote to memory of 3404 | 956 | dc50efff91d40071e26ffb7491605844.exe | 85
PID 956 wrote to memory of 3404 | 956 | dc50efff91d40071e26ffb7491605844.exe | 85
PID 956 wrote to memory of 3404 | 956 | dc50efff91d40071e26ffb7491605844.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc50efff91d40071e26ffb7491605844.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 956
  C:\Windows\SysWOW64\Regsvr32.exe
    Command line: Regsvr32.exe /s C:\Windows\system32\dpahbzgbnuchd.dll
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID: 3404
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 223KB
MD5: b11a7476b7aeca348fe33d6242b465da
SHA1: e7e72254097a2a9b08fa7d64789ca665bdfa3a96
SHA256: 9ff6d68518c09f6d454370c50fa4e97143c9824fa370790d3de933429c45c4dc
SHA512: 32af36f020107b66c05eecd4a203e438183a0eae0772fdbd181adfaa3ef00744d180f6768da2eabc2749fbecc8b84a38de078fd407a7873ca9345fb9ccb10008