Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-03-2024 17:57

General

  • Target

    dc425d638aaffd968f4d6c20d473d7d2.exe

  • Size

    194KB

  • MD5

    dc425d638aaffd968f4d6c20d473d7d2

  • SHA1

    154f0ca267d764cea5fd794c425bc516465a88f4

  • SHA256

    75e2c27c5d49e3236c834c602953faa2a9a6c86223227090be80f8c2671c64ed

  • SHA512

    c62a7e45556aec1b080a0ebf65cd13260eb58c3e5f732ec527d611c54f818ad0392cdbb5b48155003dae1ea8a3fbda54d51d4bb9e56d86c58305969cfdaf947a

  • SSDEEP

    3072:HNyah0mJB+ckpBVo3AtOqNFsqbinOMy31OBh7EcnJiYVfoQ9vPy2wxRc3LYql6CB:Hw5hB2Q4qN5jMy33ALVAQ9v6dA3LYC3x

Malware Config

Signatures

  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc425d638aaffd968f4d6c20d473d7d2.exe
    "C:\Users\Admin\AppData\Local\Temp\dc425d638aaffd968f4d6c20d473d7d2.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\narluujwqtsm.dll"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:4248
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:3128
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2464

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verDA33.tmp

      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N1D00922\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\AppData\Local\Temp\narluujwqtsm.dll

      Filesize

      380KB

      MD5

      9ea41d845f06f65cc4f18c0c60a4a69f

      SHA1

      c3d119060bb7273798571d790d49cc1a2c890204

      SHA256

      edbe235ae1344856534b60a92a08d69ce8ef18c4656853340acbad2f4e70326c

      SHA512

      12fc02282533df30cf6ca5ca5973d746d9a4064877287a7247cfd39cdcb4dbf132526188d6f97033777e38431e3c4c76d54a291163c8e4241f0bffc4513727e0

    • C:\Users\Admin\AppData\Local\Temp\nsc59CA.tmp\System.dll

      Filesize

      10KB

      MD5

      7e3c808299aa2c405dffa864471ddb7f

      SHA1

      b5de7804dd35ed7afd0c3b59d866f1a0749495e0

      SHA256

      91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd

      SHA512

      599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738

    • memory/1084-10-0x0000000003B70000-0x0000000003BD4000-memory.dmp

      Filesize

      400KB