Analysis
max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 21-03-2024 19:56
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: dc7cf88ab38fd0549d03b44343f2a501.dll
  Resource: win7-20240221-en
  4 signatures
  150 seconds
General
Target: dc7cf88ab38fd0549d03b44343f2a501.dll
Size: 28KB
MD5: dc7cf88ab38fd0549d03b44343f2a501
SHA1: 69b5aafa9d19465fdfd7f62b202d909f94a7383b
SHA256: 47ffe33ab1dbe0997bd356e3afc950260d43f4f38c41a45b383c032448b2f192
SHA512: e0427fb858c98738b2e7b1e1063ca53d4bc0b0b4b8adcbd07cf4e88ea53f5c8f0445eebb7e17eff0fe0de6938f6e6836fa49283f9eff3ba10507f071838a0552
SSDEEP: 384:/dTAItjMrWUcfHqkY9orW5zMu8DVHvZKVJF8/LYG6cRhYk1IgiTd:/dRM6UsKkYeCINDJ8JF8/6cvYk1IjTd
Malware Config
Signatures

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f79fd28e-36ee-4989-aa61-9dd8e30a82fa} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f79fd28e-36ee-4989-aa61-9dd8e30a82fa}\ | regsvr32.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\stdole3.tlb | regsvr32.exe
File created | C:\Windows\SysWOW64\stdole3.tlb | regsvr32.exe

Modifies registry class (5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F79FD28E-36EE-4989-AA61-9DD8E30A82FA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dc7cf88ab38fd0549d03b44343f2a501.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F79FD28E-36EE-4989-AA61-9DD8E30A82FA}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F79FD28E-36EE-4989-AA61-9DD8E30A82FA} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F79FD28E-36EE-4989-AA61-9DD8E30A82FA}\ = "Nothing" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F79FD28E-36EE-4989-AA61-9DD8E30A82FA}\InprocServer32 | regsvr32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 948 wrote to memory of 3336 | 948 | regsvr32.exe | 98
PID 948 wrote to memory of 3336 | 948 | regsvr32.exe | 98
PID 948 wrote to memory of 3336 | 948 | regsvr32.exe | 98
Processes

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dc7cf88ab38fd0549d03b44343f2a501.dll
  PID: 948
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\dc7cf88ab38fd0549d03b44343f2a501.dll
    PID: 3336
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
  PID: 1212