Analysis

  • max time kernel: 122s
  • max time network: 129s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 21-03-2024 17:57

General

  • Target: $TEMP/$_8_.dll
  • Size: 380KB
  • MD5: 9ea41d845f06f65cc4f18c0c60a4a69f
  • SHA1: c3d119060bb7273798571d790d49cc1a2c890204
  • SHA256: edbe235ae1344856534b60a92a08d69ce8ef18c4656853340acbad2f4e70326c
  • SHA512: 12fc02282533df30cf6ca5ca5973d746d9a4064877287a7247cfd39cdcb4dbf132526188d6f97033777e38431e3c4c76d54a291163c8e4241f0bffc4513727e0
  • SSDEEP: 6144:W5vuZ2WFasIULOmdIiyPuseKUINW5hqrSzAxbkDyl9OIzNIk/qfhCIq2igR/5:Avu9F1IULOmyPusfs54SzAxbkDyOIzNC

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies Internet Explorer settings (1 TTP, 35 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe (PID 1836, depth 1)
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\$_8_.dll
    • Suspicious use of WriteProcessMemory
    • Child: C:\Windows\SysWOW64\regsvr32.exe (PID 2436, depth 2)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\$TEMP\$_8_.dll
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Modifies registry class
  • C:\Program Files\Internet Explorer\iexplore.exe (PID 2552, depth 1)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Child: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2596, depth 2)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v15

Downloads
