Analysis
- max time kernel: 143s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 23:10

Behavioral task: behavioral1
- Sample: 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
- Resource: win7-20240221-en
General
- Target: 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
- Size: 504KB
- MD5: 54525a4e92f6be8b4d52ccc12d5b5bf6
- SHA1: 55c5b6a279f3ca32473b9f833d288093c628bff7
- SHA256: 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de
- SHA512: 4cc5aeee452cdd41c27969e2cce760fad6c27c3a2647edfe86cb3a21bdac996e2092a3d8003ec2682ab5d1106160d11a4a4a49fc2533616fd7f9d189d1e918bf
- SSDEEP: 12288:tPmTkT0+nXTv1d5Jo/H4a6ZeUOHFVS9Qg:Vmo4IXhd81rS
Malware Config
Signatures
- UPX dump on OEP (original entry point): 10 IoCs
  resource / yara_rule:
  - behavioral1/memory/2772-0-0x0000000000400000-0x000000000049C000-memory.dmp: UPX
  - behavioral1/memory/2772-3-0x0000000000400000-0x000000000049C000-memory.dmp: UPX
  - behavioral1/memory/2772-7-0x0000000000400000-0x000000000049C000-memory.dmp: UPX
  - behavioral1/memory/2772-25-0x0000000000400000-0x000000000049C000-memory.dmp: UPX
  - behavioral1/memory/2772-10-0x0000000001E00000-0x0000000001E9C000-memory.dmp: UPX
  - behavioral1/files/0x000f000000015c7c-30.dat: UPX
  - behavioral1/memory/2956-32-0x0000000002540000-0x00000000025DC000-memory.dmp: UPX
  - behavioral1/memory/2512-42-0x0000000000400000-0x000000000049C000-memory.dmp: UPX
  - behavioral1/memory/2512-44-0x0000000000400000-0x000000000049C000-memory.dmp: UPX
  - behavioral1/memory/2512-95-0x0000000000400000-0x000000000049C000-memory.dmp: UPX
- Executes dropped EXE: 3 IoCs
  pid / Process:
  - 2512 Explorrer.exe
  - 1444 Explorrer.exe
  - 2388 Explorrer.exe
- Loads dropped DLL: 4 IoCs
  pid / Process:
  - 2956 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
  - 2956 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
  - 1756 regsvr32.exe
  - 1364 regsvr32.exe
- Adds Run key to start application: 2 TTPs, 1 IoCs
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorrer = "C:\\Users\\Admin\\AppData\\Roaming\\AppsData\\Explorrer.exe -notray" (reg.exe)
- Installs/modifies Browser Helper Object: 2 TTPs, 2 IoCs
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} (regsvr32.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" (regsvr32.exe)
- Suspicious use of SetThreadContext: 3 IoCs
  description / pid / Process / procid_target:
  - PID 2772 set thread context of 2956 (77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe, procid_target 28)
  - PID 2512 set thread context of 1444 (Explorrer.exe, procid_target 32)
  - PID 2512 set thread context of 2388 (Explorrer.exe, procid_target 33)
- Enumerates physical storage devices: 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Gathers network information: 2 TTPs, 1 IoCs
  Uses commandline utility to view network configuration.
  pid / Process:
  - 840 ipconfig.exe
- Modifies Internet Explorer settings
  description / ioc / Process:
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Approved Extensions (Explorrer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f (Explorrer.exe)
- Modifies registry class: 5 IoCs
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} (regsvr32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" (regsvr32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 (regsvr32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" (regsvr32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" (regsvr32.exe)
- Modifies registry key: 1 TTPs, 1 IoCs
  pid / Process:
  - 1780 reg.exe
- Suspicious use of SetWindowsHookEx: 4 IoCs
  pid / Process:
  - 2772 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
  - 2956 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
  - 2512 Explorrer.exe
  - 1444 Explorrer.exe
- Suspicious use of WriteProcessMemory: 62 IoCs
  description / pid / Process / procid_target (identical repeated events collapsed, with their counts):
  - PID 2772 wrote to memory of 2956 (77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe, procid_target 28): 9 events
  - PID 2956 wrote to memory of 2512 (77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe, procid_target 29): 4 events
  - PID 2512 wrote to memory of 1444 (Explorrer.exe, procid_target 32): 9 events
  - PID 2512 wrote to memory of 2388 (Explorrer.exe, procid_target 33): 12 events
  - PID 1444 wrote to memory of 840 (Explorrer.exe, procid_target 34): 6 events
  - PID 840 wrote to memory of 1944 (ipconfig.exe, procid_target 36): 4 events
  - PID 1944 wrote to memory of 1780 (cmd.exe, procid_target 38): 4 events
  - PID 2388 wrote to memory of 1756 (Explorrer.exe, procid_target 39): 7 events
  - PID 2388 wrote to memory of 1364 (Explorrer.exe, procid_target 40): 7 events
Processes
- C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe (PID 2772), command line: "C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe (PID 2956), command line: "C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"
    Signatures: Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe (PID 2512), command line: C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe (PID 1444), command line: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ipconfig.exe (PID 840), command line: "C:\Windows\system32\ipconfig.exe"
          Signatures: Gathers network information; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (PID 1944), command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\LHVUKUNM.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\reg.exe (PID 1780), command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Explorrer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray" /f
              Signatures: Adds Run key to start application; Modifies registry key
      - C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe (PID 2388), command line: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
        Signatures: Executes dropped EXE; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\regsvr32.exe (PID 1756), command line: regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
          Signatures: Loads dropped DLL
        - C:\Windows\SysWOW64\regsvr32.exe (PID 1364), command line: regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
          Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads